Overview

overview

7

Static

static

3

2760f58df5...28.exe

windows7-x64

7

2760f58df5...28.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21/11/2024, 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2760f58df5fad0a726bf0a04f3f930c47869fc7acdc07f0995c7e7fed3d78328.exe

  • Size

    201KB

  • MD5

    1c2fd8db1f9b0f63b24751f8aefa1409

  • SHA1

    734711e434b9cb02ed10e36a3f7b694eca2a596d

  • SHA256

    2760f58df5fad0a726bf0a04f3f930c47869fc7acdc07f0995c7e7fed3d78328

  • SHA512

    212b6dcff737a4394cfd0d50dc26d124f5fd83570ebf8ee5122572f7880778a15b38af44efd56e5afdb413721c228dea58e10cf213f3b363ed78059250eb555d

  • SSDEEP

    3072:fP5gvNVLIfHQja1RfmLQADwSKkhU+tLgT5lODbiC8r1PkT:X2vnSwjaOcADw9cUeCOf

Score
7/10
bootkitdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2760f58df5fad0a726bf0a04f3f930c47869fc7acdc07f0995c7e7fed3d78328.exe
    "C:\Users\Admin\AppData\Local\Temp\2760f58df5fad0a726bf0a04f3f930c47869fc7acdc07f0995c7e7fed3d78328.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\rtslx.exe "C:\Users\Admin\AppData\Local\Temp\2760f58df5fad0a726bf0a04f3f930c47869fc7acdc07f0995c7e7fed3d78328.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 2
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1716
      • C:\Users\Admin\AppData\Local\Temp\rtslx.exe
        C:\Users\Admin\AppData\Local\Temp\\rtslx.exe "C:\Users\Admin\AppData\Local\Temp\2760f58df5fad0a726bf0a04f3f930c47869fc7acdc07f0995c7e7fed3d78328.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1872
        • \??\c:\Program Files\awxnvdgf\cqxwv.exe
          "c:\Program Files\awxnvdgf\cqxwv.exe" "c:\Program Files\awxnvdgf\cqxwv.dll",Compliance C:\Users\Admin\AppData\Local\Temp\rtslx.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \??\c:\Program Files\awxnvdgf\cqxwv.dll
    Filesize

    141KB

    MD5

    d1fb6ec8c407a19679a6fbc38591a285

    SHA1

    738dd4c58072dbf2dc694f605b8f93618ea9a6b1

    SHA256

    0635b90694968ff16e7d4f051c510153eb7bd4cf0160924660633b888a796b89

    SHA512

    0014259c9110f271bc3e1c193a33e4e6a98d854e1345c738036abc44a6018c0aee726fc4fa3c0f8796b642f3c5cdb3b8d1a357f1f1bb1bcad1a55dd5a9968644

    Download Submit

  • \Program Files\awxnvdgf\cqxwv.exe
    Filesize

    43KB

    MD5

    51138beea3e2c21ec44d0932c71762a8

    SHA1

    8939cf35447b22dd2c6e6f443446acc1bf986d58

    SHA256

    5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

    SHA512

    794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\rtslx.exe
    Filesize

    201KB

    MD5

    2cccf29d2f064b927a71eb84e43d8292

    SHA1

    ca9f799e601b03df17d602bd7892f1348a1114c7

    SHA256

    ee115f698958bbe8ab588e02afb98df1c11700d1d4c8852e1625efeea44fc216

    SHA512

    c3e2f9de6d678b5d96597722a930d700bd87627d07570f8a53f39d4a25c40f4af71b290dd054d255fb43618119f3be75e3944b781ef952006a9dc2907a0f92d1

    Download Submit

  • memory/1872-12-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/1872-10-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/1872-11-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/1872-20-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/2248-4-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/2248-0-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/2248-2-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/2248-1-0x0000000000400000-0x000000000044901D-memory.dmp

    Filesize

    292KB

    Download

  • memory/2464-7-0x0000000000330000-0x000000000037A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2792-27-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2792-28-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2792-29-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2792-32-0x0000000010000000-0x000000001004E000-memory.dmp

    Filesize

    312KB

    Download