Overview
overview
10Static
static
8197f0e170f...2a.exe
windows7_x64
9197f0e170f...2a.exe
windows10_x64
9302d77c6ec...56.exe
windows7_x64
8302d77c6ec...56.exe
windows10_x64
8466d872ddb...0d.exe
windows7_x64
8466d872ddb...0d.exe
windows10_x64
106d13a07022...f4.exe
windows7_x64
86d13a07022...f4.exe
windows10_x64
88c1d1de824...ef.exe
windows7_x64
18c1d1de824...ef.exe
windows10_x64
1a31f1894f1...b8.exe
windows7_x64
8a31f1894f1...b8.exe
windows10_x64
9a3802c3a05...6d.exe
windows7_x64
10a3802c3a05...6d.exe
windows10_x64
10Android APK
android_x86_64
10c6c0d4969a...36.exe
windows7_x64
1c6c0d4969a...36.exe
windows10_x64
1d92ef7281e...1a.exe
windows7_x64
1d92ef7281e...1a.exe
windows10_x64
1dffb2eaccb...3a.exe
windows7_x64
8dffb2eaccb...3a.exe
windows10_x64
8e247b061c8...b1.exe
windows7_x64
8e247b061c8...b1.exe
windows10_x64
8Analysis
-
max time kernel
62s -
max time network
58s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
24-11-2020 02:32
Static task
static1
Behavioral task
behavioral1
Sample
197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral2
Sample
197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral3
Sample
302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral4
Sample
302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral5
Sample
466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral6
Sample
466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral7
Sample
6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral8
Sample
6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral9
Sample
8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral10
Sample
8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral11
Sample
a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral12
Sample
a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral13
Sample
a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral14
Sample
a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral15
Sample
af82bed2c58c403908faf323310cf6a65a7e3bfe098cc930eb5ac4bfe9315ef4.apk
Resource
android-x86_64
android_x86_64
Behavioral task
behavioral16
Sample
c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral17
Sample
c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral18
Sample
d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral19
Sample
d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral20
Sample
dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral21
Sample
dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral22
Sample
e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1.exe
Resource
win7v20201028
windows7_x64
Behavioral task
behavioral23
Sample
e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1.exe
Resource
win10v20201028
windows10_x64
General
-
Target
a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
-
Size
1.1MB
-
MD5
0d2152118cc580db3dce7244c9ba9663
-
SHA1
8163955d3a9eb5e8be460da5b0a3b0d1fe8a3191
-
SHA256
a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8
-
SHA512
a8eb6ad994e9a1e26a37303cfee1ebd1ad58996909c12819daed19529d1c00c31e5c391362d48a9d4f10bec52c601326b4c0b06d7986cd2bc6bbe29b4abf0e5a
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 1744 NisSrv.com 240 NisSrv.com 1436 nslookup.exe -
Deletes itself 1 IoCs
pid Process 1004 cmd.exe -
Loads dropped DLL 3 IoCs
pid Process 1124 cmd.exe 1744 NisSrv.com 240 NisSrv.com -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 240 set thread context of 1436 240 NisSrv.com 41 -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 1668 PING.EXE 1452 PING.EXE -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 240 NisSrv.com -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 844 wrote to memory of 1256 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 29 PID 844 wrote to memory of 1256 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 29 PID 844 wrote to memory of 1256 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 29 PID 844 wrote to memory of 1256 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 29 PID 844 wrote to memory of 580 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 31 PID 844 wrote to memory of 580 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 31 PID 844 wrote to memory of 580 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 31 PID 844 wrote to memory of 580 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 31 PID 580 wrote to memory of 1124 580 cmd.exe 33 PID 580 wrote to memory of 1124 580 cmd.exe 33 PID 580 wrote to memory of 1124 580 cmd.exe 33 PID 580 wrote to memory of 1124 580 cmd.exe 33 PID 1124 wrote to memory of 1452 1124 cmd.exe 34 PID 1124 wrote to memory of 1452 1124 cmd.exe 34 PID 1124 wrote to memory of 1452 1124 cmd.exe 34 PID 1124 wrote to memory of 1452 1124 cmd.exe 34 PID 1124 wrote to memory of 564 1124 cmd.exe 35 PID 1124 wrote to memory of 564 1124 cmd.exe 35 PID 1124 wrote to memory of 564 1124 cmd.exe 35 PID 1124 wrote to memory of 564 1124 cmd.exe 35 PID 1124 wrote to memory of 1744 1124 cmd.exe 36 PID 1124 wrote to memory of 1744 1124 cmd.exe 36 PID 1124 wrote to memory of 1744 1124 cmd.exe 36 PID 1124 wrote to memory of 1744 1124 cmd.exe 36 PID 1124 wrote to memory of 1668 1124 cmd.exe 37 PID 1124 wrote to memory of 1668 1124 cmd.exe 37 PID 1124 wrote to memory of 1668 1124 cmd.exe 37 PID 1124 wrote to memory of 1668 1124 cmd.exe 37 PID 1744 wrote to memory of 240 1744 NisSrv.com 38 PID 1744 wrote to memory of 240 1744 NisSrv.com 38 PID 1744 wrote to memory of 240 1744 NisSrv.com 38 PID 1744 wrote to memory of 240 1744 NisSrv.com 38 PID 844 wrote to memory of 1004 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 39 PID 844 wrote to memory of 1004 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 39 PID 844 wrote to memory of 1004 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 39 PID 844 wrote to memory of 1004 844 a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe 39 PID 240 wrote to memory of 1436 240 NisSrv.com 41 PID 240 wrote to memory of 1436 240 NisSrv.com 41 PID 240 wrote to memory of 1436 240 NisSrv.com 41 PID 240 wrote to memory of 1436 240 NisSrv.com 41 PID 240 wrote to memory of 1436 240 NisSrv.com 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe"C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo qjRuHoTvG2⤵PID:1256
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < pzoyjuWNTGixxnxHcGRQMVppcO.jEUBHZbtIgfCMSKASTkwzjfKYjkmhlZKbsKpYtmcWxL2⤵
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\cmd.execmd3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\PING.EXEping -n 1 NovDIn.ElaU4⤵
- Runs ping.exe
PID:1452
-
-
C:\Windows\SysWOW64\certutil.execertutil -decode hoMwFZhHyUcrWnpiYMSRVzuj.BWsHdkYEUyeLlWDXiAKiMtRBkGFNgjUwA hX4⤵PID:564
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.comNisSrv.com hX4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com hX5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:240 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe6⤵
- Executes dropped EXE
PID:1436
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
PID:1668
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "2⤵
- Deletes itself
PID:1004
-