Overview
overview
10Static
static
6AES-NI.exe
windows10-2004-x64
10Abrechnung.exe
windows10-2004-x64
8Box (2).exe
windows10-2004-x64
3Box.exe
windows10-2004-x64
3a66dde2298...43.exe
windows10-2004-x64
9a7768f4973...e0.exe
windows10-2004-x64
10aa7ff3bc28...1e.exe
windows10-2004-x64
7aace43af8d...99.exe
windows10-2004-x64
8ad3cc219a8...ws.dll
windows10-2004-x64
10aee03626b8...b1.exe
windows10-2004-x64
6afd3b729cf...2e.exe
windows10-2004-x64
10b56c4569d6...ss.exe
windows10-2004-x64
30.84762379...67.exe
windows10-2004-x64
3zsgblrbrum...ke.exe
windows10-2004-x64
3b7d9f11c16...b0.exe
windows10-2004-x64
5b8f60c64c7...af.exe
windows10-2004-x64
10Saldo.Pdf_...__.exe
windows10-2004-x64
bc557a7bfe...8f.exe
windows10-2004-x64
7bd2d4d4300...17.vbs
windows10-2004-x64
1be03e43db0...5F.exe
windows10-2004-x64
10be03e43db0...8A.exe
windows10-2004-x64
3be514549a2...1f.exe
windows10-2004-x64
9bfb8f7f6cb...-0.dll
windows10-2004-x64
8bldjad.ex1.exe
windows10-2004-x64
3bldjad.exe
windows10-2004-x64
3bldjad2.exe
windows10-2004-x64
5c145a26dd6...a0.exe
windows10-2004-x64
3c325092750...db.apk
windows10-2004-x64
3c36c46f4de...6e.exe
windows10-2004-x64
3c3dd2e3cf0...04.exe
windows10-2004-x64
3c71c26bf89...3_.exe
windows10-2004-x64
7c846282987...fd.exe
windows10-2004-x64
5Resubmissions
22-11-2024 22:54
241122-2vh7gaxmfl 1022-11-2024 03:27
241122-dzqkcatmht 1022-11-2024 03:16
241122-dsgc4atlgs 10Analysis
-
max time kernel
144s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 22:54
Behavioral task
behavioral1
Sample
AES-NI.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Abrechnung.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Box (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral4
Sample
Box.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
a66dde22983583da6d3b1e5b9eb1e8fb019f5157eda508305942292c0d10fa43.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral6
Sample
a7768f4973ad7cf8217212a4d12dbae0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
aa7ff3bc285bcb4ec48bf2f361f0ad0a1d9fc8f17b7323d2f0615ade68973c1e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
aace43af8d0932a7b01c5b8fb71c8199.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
ad3cc219a818047d6d3c38a8e4662e21dfedc858578cb2bde2c127d66dfeb7de_PonyNews.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
aee03626b83a88b71b06899116cb7ce4b8092365103d69792b0c2d7153f24cb1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
afd3b729cf99fb9ea441f42862a4835d1d6eeb36ee535f9b206e3a00382c972e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
b56c4569d639e8ce104d9e52dffeba6d18813c058887a3404350904811f32d54_not_packed_maybe_useless.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
0.8476237917779167.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
zsgblrbrumorwxfizuke.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
b8f60c64c70f03c263bf9e9261aa157a73864aaf.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
Saldo.Pdf______________________________________________________________.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral18
Sample
bc557a7bfec430aab3a1b326f35c8d6c1d2de0532263df872b2280af65f32b8f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
bd2d4d43009623941f49554f5932188154fc9d16d820e00db1281d057468b017.vbs
Resource
win10v2004-20241007-en
Behavioral task
behavioral20
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_Dumped_TDS=4F8C315F.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
be03e43db0b190b879c893102a76183231ea39ec51206d25651a3cacffa8d81d_TDS=4F90A68A.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral22
Sample
be514549a2e654706aeeaa15c8cffce504f0e271c904fe07d865f3999ebaa61f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral24
Sample
bldjad.ex1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
bldjad.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral26
Sample
bldjad2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
c145a26dd6d200080c16300456e7c0bc95f2b71f56d94136619e239e466a04a0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral28
Sample
c325092750dd55898c47be7ec8a7622c3bf8d1a79c40b160ef7901c2ef18f5db.apk
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
c36c46f4de045ef332decc006694db6e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral30
Sample
c3dd2e3cf0ebeec7a6c280e187a044a32b54b369a78aaaa89c600a0767b49704.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3_.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral32
Sample
c8462829871b7bdb005f4dd881d253aa255a1b2f6f3d89edb1d609b51f5d04fd.exe
Resource
win10v2004-20241007-en
General
-
Target
bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll
-
Size
440KB
-
MD5
bfb8f7f6cbe24330a310e5c7cbe99ed4
-
SHA1
cfb97a66c90bff92b5d72eb9e81b2e9d8013b66d
-
SHA256
a4e9c151a50595b59e787dd3b361ac53d02dd7f212d6b22639dc01776c886d05
-
SHA512
f8a4c341b50a37b15c8a11979d8b0ce82c33fb4fd6a9749b4c561db84627e850f8fc23778f78d085b218ea40cdecf05864e68b73f5cc606d7ef30a0454c09550
-
SSDEEP
6144:muStbEUJp4qjMO3QZW+PeT9JiPZCL/qrS9spyM:dStbJaE+NCLEnp
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 22 3836 rundll32.exe 41 3836 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
rundll32.exedescription ioc process File opened (read-only) \??\X: rundll32.exe File opened (read-only) \??\M: rundll32.exe File opened (read-only) \??\I: rundll32.exe File opened (read-only) \??\G: rundll32.exe File opened (read-only) \??\E: rundll32.exe File opened (read-only) \??\Y: rundll32.exe File opened (read-only) \??\V: rundll32.exe File opened (read-only) \??\P: rundll32.exe File opened (read-only) \??\K: rundll32.exe File opened (read-only) \??\B: rundll32.exe File opened (read-only) \??\Z: rundll32.exe File opened (read-only) \??\W: rundll32.exe File opened (read-only) \??\U: rundll32.exe File opened (read-only) \??\R: rundll32.exe File opened (read-only) \??\O: rundll32.exe File opened (read-only) \??\H: rundll32.exe File opened (read-only) \??\T: rundll32.exe File opened (read-only) \??\S: rundll32.exe File opened (read-only) \??\Q: rundll32.exe File opened (read-only) \??\N: rundll32.exe File opened (read-only) \??\L: rundll32.exe File opened (read-only) \??\J: rundll32.exe -
Drops file in Program Files directory 3 IoCs
Processes:
rundll32.exerundll32.exedescription ioc process File created C:\PROGRA~3\RUNDLL32.EXE-1192.txt rundll32.exe File created C:\PROGRA~3\RUNDLL32.EXE-3836.txt rundll32.exe File created C:\PROGRA~3\3EB10C382B31.dat rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exerundll32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
rundll32.exerundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4220 wrote to memory of 1192 4220 rundll32.exe rundll32.exe PID 4220 wrote to memory of 1192 4220 rundll32.exe rundll32.exe PID 4220 wrote to memory of 1192 4220 rundll32.exe rundll32.exe PID 1192 wrote to memory of 3836 1192 rundll32.exe rundll32.exe PID 1192 wrote to memory of 3836 1192 rundll32.exe rundll32.exe PID 1192 wrote to memory of 3836 1192 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll,#12⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bfb8f7f6cbe24330a310e5c7cbe99ed4_api-ms-win-system-wer-l1-1-0.dll,AccessToken3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3836
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1