328449250e95af61e5e92254665d4c1a43d835482cd2d159c1e8a08a1ad8c725

Analysis

max time kernel
62s
max time network
58s
platform
windows7_x64
resource
win7v20201028
submitted
24-11-2020 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
Size

1.1MB
MD5

0d2152118cc580db3dce7244c9ba9663
SHA1

8163955d3a9eb5e8be460da5b0a3b0d1fe8a3191
SHA256

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8
SHA512

a8eb6ad994e9a1e26a37303cfee1ebd1ad58996909c12819daed19529d1c00c31e5c391362d48a9d4f10bec52c601326b4c0b06d7986cd2bc6bbe29b4abf0e5a

Score

8^/10

discovery spyware

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

NisSrv.comNisSrv.comnslookup.exe

pid process

1744 NisSrv.com
240 NisSrv.com
1436 nslookup.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1004 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeNisSrv.comNisSrv.com

pid process

1124 cmd.exe
1744 NisSrv.com
240 NisSrv.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

NisSrv.com

description pid process target process

PID 240 set thread context of 1436 240 NisSrv.com nslookup.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1668 PING.EXE
1452 PING.EXE
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

NisSrv.com

pid process

240 NisSrv.com

pid	process
1744	NisSrv.com
240	NisSrv.com
1436	nslookup.exe

pid	process
1004	cmd.exe

pid	process
1124	cmd.exe
1744	NisSrv.com
240	NisSrv.com

description	pid	process	target process
PID 240 set thread context of 1436	240	NisSrv.com	nslookup.exe

pid	process
1668	PING.EXE
1452	PING.EXE

pid	process
240	NisSrv.com

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.execmd.execmd.exeNisSrv.comNisSrv.com

description	pid	process	target process
PID 844 wrote to memory of 1256	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 1256	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 1256	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 1256	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 580	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 580	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 580	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 580	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 580 wrote to memory of 1124	580	cmd.exe	cmd.exe
PID 580 wrote to memory of 1124	580	cmd.exe	cmd.exe
PID 580 wrote to memory of 1124	580	cmd.exe	cmd.exe
PID 580 wrote to memory of 1124	580	cmd.exe	cmd.exe
PID 1124 wrote to memory of 1452	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1452	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1452	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1452	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 564	1124	cmd.exe	certutil.exe
PID 1124 wrote to memory of 564	1124	cmd.exe	certutil.exe
PID 1124 wrote to memory of 564	1124	cmd.exe	certutil.exe
PID 1124 wrote to memory of 564	1124	cmd.exe	certutil.exe
PID 1124 wrote to memory of 1744	1124	cmd.exe	NisSrv.com
PID 1124 wrote to memory of 1744	1124	cmd.exe	NisSrv.com
PID 1124 wrote to memory of 1744	1124	cmd.exe	NisSrv.com
PID 1124 wrote to memory of 1744	1124	cmd.exe	NisSrv.com
PID 1124 wrote to memory of 1668	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1668	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1668	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1668	1124	cmd.exe	PING.EXE
PID 1744 wrote to memory of 240	1744	NisSrv.com	NisSrv.com
PID 1744 wrote to memory of 240	1744	NisSrv.com	NisSrv.com
PID 1744 wrote to memory of 240	1744	NisSrv.com	NisSrv.com
PID 1744 wrote to memory of 240	1744	NisSrv.com	NisSrv.com
PID 844 wrote to memory of 1004	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 1004	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 1004	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 844 wrote to memory of 1004	844	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 240 wrote to memory of 1436	240	NisSrv.com	nslookup.exe
PID 240 wrote to memory of 1436	240	NisSrv.com	nslookup.exe
PID 240 wrote to memory of 1436	240	NisSrv.com	nslookup.exe
PID 240 wrote to memory of 1436	240	NisSrv.com	nslookup.exe
PID 240 wrote to memory of 1436	240	NisSrv.com	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
"C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo qjRuHoTvG
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < pzoyjuWNTGixxnxHcGRQMVppcO.jEUBHZbtIgfCMSKASTkwzjfKYjkmhlZKbsKpYtmcWxL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 NovDIn.ElaU
      4⤵
      Runs ping.exe
      PID:1452
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode hoMwFZhHyUcrWnpiYMSRVzuj.BWsHdkYEUyeLlWDXiAKiMtRBkGFNgjUwA hX
      4⤵
      PID:564
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
      NisSrv.com hX
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com hX
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:240
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
        6⤵
        Executes dropped EXE
        
        PID:1436
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  - Deletes itself
  PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

MD5
bde38c090196fdf5c78ab632f5abcd79

SHA1
5f84042605b52416ed5633a3d02878f3116ae9d1

SHA256
67160ea89e16732088c8d352b83d9fa13c10ca5103c7e634c771ab76a1a7922b

SHA512
973277614aff26364ba7afb178e3addd7cb3a0458f48ee4ad4c4b970bfbbbb3c6b7029a26e750dc346b0148ec84e23f322f75c6f38171837acd902d4e6aed311

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NSVDFZoORZNAuHaoGGPTcOpkqszynoQeWUhoDFdzCZF.XMQeQwWuZFaZJKDhGedIpKDkzlEwdcscphhgBdfbjJesCgn

MD5
b66801f8eef442b1e664f189c16e7f78

SHA1
241c92e2343630ad6b3d80daf6c96c590f60ed2d

SHA256
4b99e26b74e219107c6e804d16cbfb5573fed5e1eeb7c9b6158cc0d89a8b6edd

SHA512
1c4c45f2eb1b95c37b710a06f92ee63235895e6e0d2556fdb620bb1406c60f21cb34ca8c6ea2b9d802e1acc4b2566cee8a94119a3a129288727856c67302c96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QDgWPcvfMfNSvAIjJyLLZhISMjBqyWHJqdSmrFnrvMfbLQA.EWVDTLVDVvlDTvlQHrSyHoptGI

MD5
dee9226f2d6f8b3e4e938726dbdb7cb8

SHA1
aa866f9a70d2839772fc60a95a5a3dd89965c0de

SHA256
ad5b7b8f22045b3eb94d423a8fd1b756de14938034760f9148f1a58fdbcf6459

SHA512
a84c2255c77ea1539b19ae9fc965921368dee50b8e6044143d1e99f976ea241a2a7d5a8e08ae2310f95da9823b47f442a39f565fb7df750d119151ed7bf246f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hX

MD5
58a29ae1ae17df05148a96da75dd806d

SHA1
d3319f1637b8d48ba22deb3b9d8bd32e64468844

SHA256
c0190ea9d37a80c546be0371f5f3a2b3798cc9cc72eccef4fa5b140f81bd0750

SHA512
11275bf725a4563bb2598aab279a903c77598c149e2cf31b553632273ea61e67d512d2fa0a52793095ea984c1d9fa6ce824e956620d53be40572af1d2d5a149a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hoMwFZhHyUcrWnpiYMSRVzuj.BWsHdkYEUyeLlWDXiAKiMtRBkGFNgjUwA

MD5
a693b07b8c2cd70f3f4d54180539ac71

SHA1
3b886a7fac5d54ce39770bab615c1c7631e7707e

SHA256
4afbdc0bebded8635e1d545832efbde851518f9d5a430753b947b2e5bd6ceb30

SHA512
6316c3d39c58f7e159f9e21b44615e784c3652a3c234d71ae76a33cc2ee136435d7088db97b0a02d281857e6316e5ea65c9195498b72320640850adf38155135

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe

MD5
5e3830ee3282a53920e00784fec44cfd

SHA1
3e43d4ac8ea7efdf5921ad123f4eabd5648778ab

SHA256
4a35c36f3f41f977fe1f0174d43c8cb9bd25a823b5f2a1970e501d839e1f8276

SHA512
ad87e4db060630f5a85d4ba25e53ca81da163c7888c2b4beddba8433dbbccd3979679e5385e40a931830e3c34c0d1b8715146b5d300d7edbb554cb7cae43f775

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pzoyjuWNTGixxnxHcGRQMVppcO.jEUBHZbtIgfCMSKASTkwzjfKYjkmhlZKbsKpYtmcWxL

MD5
e835b806e6e4ea78eb3c33c0570f8bdd

SHA1
f72ac0e5e16cabbf7b9461fa7e8b1e0e1ec1fc58

SHA256
3a50f979d31e29db83d8cf012e43b12ca9cafd36c171284cf68f4d5b46297c60

SHA512
59abca6ca21610c9e9fac5a09bad394d1f293040b28e1446f5c4b4319c122d717ddbaeba46a50cce10cd4724de3f1679f3d56a6e6701438e2bb33bcb33c637d4

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com

MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe

MD5
5e3830ee3282a53920e00784fec44cfd

SHA1
3e43d4ac8ea7efdf5921ad123f4eabd5648778ab

SHA256
4a35c36f3f41f977fe1f0174d43c8cb9bd25a823b5f2a1970e501d839e1f8276

SHA512
ad87e4db060630f5a85d4ba25e53ca81da163c7888c2b4beddba8433dbbccd3979679e5385e40a931830e3c34c0d1b8715146b5d300d7edbb554cb7cae43f775

Download Submit
memory/240-15-0x0000000000000000-mapping.dmp

Download
memory/564-6-0x0000000000000000-mapping.dmp

Download
memory/580-1-0x0000000000000000-mapping.dmp

Download
memory/1004-18-0x0000000000000000-mapping.dmp

Download
memory/1124-3-0x0000000000000000-mapping.dmp

Download
memory/1256-0-0x0000000000000000-mapping.dmp

Download
memory/1404-25-0x000007FEF81B0000-0x000007FEF842A000-memory.dmp

Filesize
2.5MB

Download
memory/1436-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1436-22-0x000000000041CF3C-mapping.dmp

Download
memory/1436-24-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1452-4-0x0000000000000000-mapping.dmp

Download
memory/1668-11-0x0000000000000000-mapping.dmp

Download
memory/1744-9-0x0000000000000000-mapping.dmp

Download