Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 03:25
Static task: static1
Behavioral task: behavioral1
- Sample: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
- Resource: win10v2004-20240611-en
General
- Target: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
- Size: 407KB
- MD5: 4e0ecdbbb0ca79a4ba3126a0ed1f758b
- SHA1: 6cec01679a4bc1f0f5226e2938fc9ffc6cad5ec7
- SHA256: ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11
- SHA512: 9ca38c25c6541017e8a9ab70a1e30d30a2b968aa4806fa29b5564ed51a48555c48a9702b1d8a848d0250d12c702a8ded6b2bec77cfb2613edbd83605479803a0
- SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4j:gtRfJcNYFNm8UhlZGsej
Malware Config
Signatures
- Blocklisted process makes network request (8 IoCs)
  Processes (flow, pid, process):
  flow 28, pid 4060, rundll32.exe
  flow 37, pid 4060, rundll32.exe
  flow 38, pid 4060, rundll32.exe
  flow 39, pid 4060, rundll32.exe
  flow 53, pid 4060, rundll32.exe
  flow 57, pid 4060, rundll32.exe
  flow 66, pid 4060, rundll32.exe
  flow 79, pid 4060, rundll32.exe
- Deletes itself (1 IoC)
  Processes (pid, process): 4732 abrzmm.exe
- Executes dropped EXE (1 IoC)
  Processes (pid, process): 4732 abrzmm.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process): 4060 rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\giqmqkgx\\kzqnmkz.dll\",Verify" | rundll32.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process): rundll32.exe opened each of the following drive roots read-only:
  \??\j: \??\l: \??\n: \??\p: \??\q: \??\r: \??\b: \??\i: \??\u: \??\x: \??\w: \??\y: \??\z: \??\h: \??\k: \??\s: \??\t: \??\v: \??\a: \??\e: \??\o: \??\g: \??\m:
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
  File opened for modification | \??\PHYSICALDRIVE0 | rundll32.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid, process): 4060 rundll32.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
  File created | \??\c:\Program Files\giqmqkgx\kzqnmkz.dll | abrzmm.exe
  File opened for modification | \??\c:\Program Files\giqmqkgx | abrzmm.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 4060 rundll32.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege | 4060 | rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid, process):
  3064 ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe
  4732 abrzmm.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each row was recorded three times:
  PID 3064 wrote to memory of 4784 | 3064 | ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe | cmd.exe
  PID 4784 wrote to memory of 1176 | 4784 | cmd.exe | PING.EXE
  PID 4784 wrote to memory of 4732 | 4784 | cmd.exe | abrzmm.exe
  PID 4732 wrote to memory of 4060 | 4732 | abrzmm.exe | rundll32.exe
Processes (tree depth shown by indentation; the number after each process is its depth in the original tree)
- C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\abrzmm.exe "C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (3)
      Command line: ping 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\abrzmm.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\\abrzmm.exe "C:\Users\Admin\AppData\Local\Temp\ed098393d48d7d8c2e6695ae9d944d5b887b1019cb78676af0628ed4f59dad11.exe"
      - Deletes itself
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - \??\c:\windows\SysWOW64\rundll32.exe (4)
        Command line: c:\windows\system32\rundll32.exe "c:\Program Files\giqmqkgx\kzqnmkz.dll",Verify C:\Users\Admin\AppData\Local\Temp\abrzmm.exe
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Adds Run key to start application
        - Enumerates connected drives
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4064,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Pre-OS Boot (1): Bootkit (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\abrzmm.exe
  Filesize: 407KB
  MD5: b715e714f3138cfead92c5fd4fd84fd9
  SHA1: 9ca91b6559886857dc07ed62f73bd95414ec2465
  SHA256: f352b306ac53091e4627e87a95697d41476fab0ccc701ad940f6ba144e5c194e
  SHA512: 75ff14a4c5d239fef02c2d5f06b996020b6e6011dfaa655e23700a3dd2d5d2d73f0cff4ba0281b74777e1efd09be882b174449f37c818e465fe5cb33d5b69c27
- \??\c:\Program Files\giqmqkgx\kzqnmkz.dll
  Filesize: 228KB
  MD5: 45aa111a78dbdf77ec0215e4aa1eb23f
  SHA1: e0dac8ada6379fb449007109a0465f0fcff10743
  SHA256: 62f37214c0b0801a8165b08fcfab3756a0ec43bdc43e1215083293f1a382f0e1
  SHA512: 3b389ae328674695ce06e6dd965d7e3ca463dcd993815167dd514ac23968e0b76d3ab38c0a53d59b2335495fbedd4c41ba338fb2d27901450e35a664b3afc036
- memory/3064-0-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/3064-2-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB
- memory/4060-10-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/4060-12-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/4060-13-0x0000000010000000-0x0000000010080000-memory.dmp
  Filesize: 512KB
- memory/4732-7-0x0000000000400000-0x0000000000464000-memory.dmp
  Filesize: 400KB