Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 03:25
Static task: static1

Behavioral task: behavioral1
- Sample: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
- Resource: win10v2004-20240611-en
General
- Target: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
- Size: 407KB
- MD5: 4e0ecdbbb0ca79a4ba3126a0ed1f758b
- SHA1: 6cec01679a4bc1f0f5226e2938fc9ffc6cad5ec7
- SHA256: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11
- SHA512: 9ca38c25c6541017e8a9ab70a1e30d30a2b968aa4806fa29b5564ed51a48555c48a9702b1d8a848d0250d12c702a8ded6b2bec77cfb2613edbd83605479803a0
- SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4j:gtRfJcNYFNm8UhlZGsej
Malware Config
Signatures

Blocklisted process makes network request (10 IoCs)
Processes (flow, pid, process):
- 3, 2884, rundll32.exe
- 7, 2884, rundll32.exe
- 8, 2884, rundll32.exe
- 9, 2884, rundll32.exe
- 10, 2884, rundll32.exe
- 13, 2884, rundll32.exe
- 14, 2884, rundll32.exe
- 15, 2884, rundll32.exe
- 17, 2884, rundll32.exe
- 18, 2884, rundll32.exe
Deletes itself (1 IoC)
Processes (pid, process):
- 2396, euqcchylw.exe
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 2396, euqcchylw.exe
Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 2856, cmd.exe
- 2856, cmd.exe
- 2884, rundll32.exe
- 2884, rundll32.exe
- 2884, rundll32.exe
- 2884, rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\lcgzs\\oqpjbsny.dll\",Verify" | rundll32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
- File opened (read-only) by rundll32.exe, in order observed: \??\p: \??\b: \??\e: \??\h: \??\j: \??\k: \??\m: \??\n: \??\r: \??\s: \??\u: \??\g: \??\l: \??\o: \??\a: \??\x: \??\i: \??\q: \??\t: \??\v: \??\w: \??\y: \??\z:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
- File opened for modification | \??\PHYSICALDRIVE0 | rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes (pid, process):
- 2884, rundll32.exe
Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
- File opened for modification | \??\c:\Program Files\lcgzs | euqcchylw.exe
- File created | \??\c:\Program Files\lcgzs\oqpjbsny.dll | euqcchylw.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 2884, rundll32.exe (the same entry is recorded 64 times)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege | 2884 | rundll32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process):
- 2024, ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
- 2396, euqcchylw.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description, pid, process, target process):
- PID 2024 wrote to memory of 2856 | 2024 | ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe | cmd.exe (recorded 4 times)
- PID 2856 wrote to memory of 2904 | 2856 | cmd.exe | PING.EXE (recorded 4 times)
- PID 2856 wrote to memory of 2396 | 2856 | cmd.exe | euqcchylw.exe (recorded 4 times)
- PID 2396 wrote to memory of 2884 | 2396 | euqcchylw.exe | rundll32.exe (recorded 7 times)
Processes (process tree, nesting level in brackets)

[1] C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\euqcchylw.exe "C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 2
            - Runs ping.exe

        [3] C:\Users\Admin\AppData\Local\Temp\euqcchylw.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\\euqcchylw.exe "C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe"
            - Deletes itself
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] \??\c:\windows\SysWOW64\rundll32.exe
                Command line: c:\windows\system32\rundll32.exe "c:\Program Files\lcgzs\oqpjbsny.dll",Verify C:\Users\Admin\AppData\Local\Temp\euqcchylw.exe
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Adds Run key to start application
                - Enumerates connected drives
                - Writes to the Master Boot Record (MBR)
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Checks processor information in registry
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads

- \??\c:\Program Files\lcgzs\oqpjbsny.dll
  Filesize: 228KB
  MD5: eba3ebc87c0c6a30b696b26f9ad41d55
  SHA1: 52ef05ddba47d1e1161ac9cb08694cdac5ed3116
  SHA256: 2022437c9b1947da474d93f9d34393a372746bdad2c43e23d1be891b2a8ae4fa
  SHA512: 30ce4550c149c7b52312d04005c0590a8d004a3e2703eba26b5c8ff60a590eefeaa4da92d87289d6ccb9471e1079050879a6bf47217161bea2e797ab5b08bf72

- \Users\Admin\AppData\Local\Temp\euqcchylw.exe
  Filesize: 407KB
  MD5: fa1b56c474464d6e35293d93808a5de0
  SHA1: 309309095b65067f530b68e9f7ea8cfefce84bea
  SHA256: 027552d067e64e2e4afe50c9ba15a60d1de8522dd28e77a5669d478ba31b70bb
  SHA512: 86c2ecc5852ad08ffe6b49be6cd2168941bf4c3e53d48b16f96ac2058b64a5c8e776ef340cb092b7cb251200790a29c974af7139977acee4d5055f3def6dc059

Memory dumps (name, filesize):
- memory/2024-0-0x0000000000400000-0x0000000000464000-memory.dmp, 400KB
- memory/2024-2-0x0000000000400000-0x0000000000464000-memory.dmp, 400KB
- memory/2396-9-0x0000000000400000-0x0000000000464000-memory.dmp, 400KB
- memory/2396-11-0x0000000000400000-0x0000000000464000-memory.dmp, 400KB
- memory/2856-8-0x00000000022D0000-0x0000000002334000-memory.dmp, 400KB
- memory/2856-7-0x00000000022D0000-0x0000000002334000-memory.dmp, 400KB
- memory/2884-17-0x0000000010000000-0x0000000010080000-memory.dmp, 512KB
- memory/2884-18-0x0000000010000000-0x0000000010080000-memory.dmp, 512KB
- memory/2884-20-0x0000000010000000-0x0000000010080000-memory.dmp, 512KB