Analysis Overview
SHA256
253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18e
Threat Level: Likely malicious
The file 253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Deletes itself
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Enumerates connected drives
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 15:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 15:37
Reported
2024-11-13 15:40
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\ggrag.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\ggrag.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\kmgsm\\zipruwt.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\ggrag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe | N/A |
| N/A | N/A | \??\c:\ggrag.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe
"C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\ggrag.exe "C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\ggrag.exe
c:\ggrag.exe "C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\kmgsm\zipruwt.dll",init c:\ggrag.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
Files
memory/1940-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1940-1-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/1940-3-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\ggrag.exe
| MD5 | 7feb466d0cb5395f8acc6f677b931d77 |
| SHA1 | 3542a65e4d74f556eaa66fa12d04a8e4399c63dd |
| SHA256 | d23c95d24d8487d1025c7974cd048fe3ade16963114bb82f792fe26e45fd7a54 |
| SHA512 | 80f585c14df0f3283042460cbcaf8140b80f8083225c187768920b6c2ae8a66181f8c0dc4168d877705071d538232a3c80c03f61f96feaf3e67daf21349040a2 |
memory/2440-5-0x0000000000370000-0x0000000000395000-memory.dmp
memory/1424-8-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2440-7-0x0000000000370000-0x0000000000395000-memory.dmp
memory/1424-10-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\kmgsm\zipruwt.dll
| MD5 | 36e3fb5964d663272cf1169e1e1ca478 |
| SHA1 | 58115e08b49505bcbbb5c88a28a86222ba18d5d4 |
| SHA256 | c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7 |
| SHA512 | daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442 |
memory/2688-17-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2688-18-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2688-16-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2688-20-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2688-19-0x0000000010021000-0x0000000010022000-memory.dmp
memory/2688-21-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2688-22-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2688-23-0x0000000010000000-0x000000001002E000-memory.dmp
memory/2688-24-0x0000000010021000-0x0000000010022000-memory.dmp
memory/2688-25-0x0000000010000000-0x000000001002E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 15:37
Reported
2024-11-13 15:40
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
116s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\kpwcy.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\kpwcy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\fxtqxrk\\srfvdr.dll\",init" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\kpwcy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe | N/A |
| N/A | N/A | \??\c:\kpwcy.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe
"C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\kpwcy.exe "C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\kpwcy.exe
c:\kpwcy.exe "C:\Users\Admin\AppData\Local\Temp\253e0b008b6b3bead81d9c5348c15767e8a55b5363742d697c85e84ec641b18eN.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\fxtqxrk\srfvdr.dll",init c:\kpwcy.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | | tcp |
| US | 107.163.241.232:12354 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 107.163.241.232:12354 | | tcp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
| US | 8.8.8.8:53 | krnaver.com | udp |
Files
memory/940-0-0x0000000000400000-0x0000000000425000-memory.dmp
memory/940-1-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/940-3-0x0000000000400000-0x0000000000425000-memory.dmp
C:\kpwcy.exe
| MD5 | 03c1064f5c03913ea30f0ddf8f2e49fb |
| SHA1 | bb5ba35a8d743b50906d86215149e6bd5294bc3f |
| SHA256 | b99011220449a96ee38b4360e96234bdf3a30b0113fc930ff3208f5616532bc3 |
| SHA512 | 4b16ce7d88aac1d25192813da5df2167dd67a9cfaebd1f06c9610791062408763a20fc249c84aa10bc6b0664dd450d2b64ec65a354a777b706f0dcb2ae1221a9 |
memory/3016-8-0x0000000000490000-0x0000000000491000-memory.dmp
memory/3016-7-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3016-10-0x0000000000400000-0x0000000000425000-memory.dmp
\??\c:\fxtqxrk\srfvdr.dll
| MD5 | 36e3fb5964d663272cf1169e1e1ca478 |
| SHA1 | 58115e08b49505bcbbb5c88a28a86222ba18d5d4 |
| SHA256 | c7c41689de030df0f78f471422fa2a6383b36e77c94e7f6f124a96feb3e27ed7 |
| SHA512 | daff53b11aa400437a06287707a334a09661c1ef7d0fd8beaf1a874c79c16fe45bd1188343d0623e839d3ead5ea2dd90896e37ccf3b252c7220c74989a9ba442 |
memory/3020-13-0x0000000010000000-0x000000001002E000-memory.dmp
memory/3020-14-0x0000000000890000-0x0000000000891000-memory.dmp
memory/3020-15-0x0000000010000000-0x000000001002E000-memory.dmp
memory/3020-16-0x0000000010000000-0x000000001002E000-memory.dmp
memory/3020-17-0x0000000000890000-0x0000000000891000-memory.dmp