Analysis
- max time kernel: 58s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-11-2020 02:32
Static task: static1

Behavioral tasks (task, sample, resource):
- behavioral1: 197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe (win7v20201028)
- behavioral2: 197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a.exe (win10v20201028)
- behavioral3: 302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956.exe (win7v20201028)
- behavioral4: 302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956.exe (win10v20201028)
- behavioral5: 466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d.exe (win7v20201028)
- behavioral6: 466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d.exe (win10v20201028)
- behavioral7: 6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe (win7v20201028)
- behavioral8: 6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4.exe (win10v20201028)
- behavioral9: 8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef.exe (win7v20201028)
- behavioral10: 8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef.exe (win10v20201028)
- behavioral11: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe (win7v20201028)
- behavioral12: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe (win10v20201028)
- behavioral13: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe (win7v20201028)
- behavioral14: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d.exe (win10v20201028)
- behavioral15: af82bed2c58c403908faf323310cf6a65a7e3bfe098cc930eb5ac4bfe9315ef4.apk (android-x86_64)
- behavioral16: c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536.exe (win7v20201028)
- behavioral17: c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536.exe (win10v20201028)
- behavioral18: d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a.exe (win7v20201028)
- behavioral19: d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a.exe (win10v20201028)
- behavioral20: dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a.exe (win7v20201028)
- behavioral21: dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a.exe (win10v20201028)
- behavioral22: e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1.exe (win7v20201028)
- behavioral23: e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1.exe (win10v20201028)
General
- Target: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
- Size: 1.1MB
- MD5: 0d2152118cc580db3dce7244c9ba9663
- SHA1: 8163955d3a9eb5e8be460da5b0a3b0d1fe8a3191
- SHA256: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8
- SHA512: a8eb6ad994e9a1e26a37303cfee1ebd1ad58996909c12819daed19529d1c00c31e5c391362d48a9d4f10bec52c601326b4c0b06d7986cd2bc6bbe29b4abf0e5a
Malware Config
Signatures

- ServiceHost packer (8 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes (resource, yara_rule):
    behavioral12/memory/876-28-0x000000000041CF3C-mapping.dmp  servicehost
    behavioral12/memory/876-29-0x000000000041CF3C-mapping.dmp  servicehost
    behavioral12/memory/876-30-0x000000000041CF3C-mapping.dmp  servicehost
    behavioral12/memory/876-32-0x000000000041CF3C-mapping.dmp  servicehost
    behavioral12/memory/876-33-0x000000000041CF3C-mapping.dmp  servicehost
    behavioral12/memory/876-34-0x000000000041CF3C-mapping.dmp  servicehost
    behavioral12/memory/876-35-0x000000000041CF3C-mapping.dmp  servicehost
    behavioral12/memory/876-31-0x000000000041CF3C-mapping.dmp  servicehost

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3436  NisSrv.com
    4428  NisSrv.com
    876   nslookup.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 4428 set thread context of 876  4428  NisSrv.com  nslookup.exe

- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
    4664  876  WerFault.exe  nslookup.exe

- Runs ping.exe (1 TTPs, 2 IoCs)

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process):
    4664  WerFault.exe  (14 identical entries)

- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
    4428  NisSrv.com

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeRestorePrivilege  4664  WerFault.exe
    Token: SeBackupPrivilege   4664  WerFault.exe
    Token: SeDebugPrivilege    4664  WerFault.exe

- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (description, pid, process, target process; identical entries collapsed with a count):
    PID 4768 wrote to memory of 320   4768  a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe  cmd.exe       (3 entries)
    PID 4768 wrote to memory of 4228  4768  a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe  cmd.exe       (3 entries)
    PID 4228 wrote to memory of 4300  4228  cmd.exe                                                                cmd.exe       (3 entries)
    PID 4300 wrote to memory of 4188  4300  cmd.exe                                                                PING.EXE      (3 entries)
    PID 4300 wrote to memory of 3744  4300  cmd.exe                                                                certutil.exe  (3 entries)
    PID 4300 wrote to memory of 3436  4300  cmd.exe                                                                NisSrv.com    (3 entries)
    PID 4300 wrote to memory of 1664  4300  cmd.exe                                                                PING.EXE      (3 entries)
    PID 3436 wrote to memory of 4428  3436  NisSrv.com                                                             NisSrv.com    (3 entries)
    PID 4768 wrote to memory of 4512  4768  a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe  cmd.exe       (3 entries)
    PID 4428 wrote to memory of 876   4428  NisSrv.com                                                             nslookup.exe  (4 entries)
Processes (process tree; indentation is the depth shown in the report, each entry gives image path, command line, PID and matched signatures)

- C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe"
  PID: 4768
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo qjRuHoTvG
    PID: 320

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < pzoyjuWNTGixxnxHcGRQMVppcO.jEUBHZbtIgfCMSKASTkwzjfKYjkmhlZKbsKpYtmcWxL
    PID: 4228
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      PID: 4300
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 1 NovDIn.ElaU
        PID: 4188
        - Runs ping.exe

      - C:\Windows\SysWOW64\certutil.exe
        Command line: certutil -decode hoMwFZhHyUcrWnpiYMSRVzuj.BWsHdkYEUyeLlWDXiAKiMtRBkGFNgjUwA hX
        PID: 3744

      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
        Command line: NisSrv.com hX
        PID: 3436
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
          Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com hX
          PID: 4428
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

          - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
            PID: 876
            - Executes dropped EXE

            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1048
              PID: 4664
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 3
        PID: 1664
        - Runs ping.exe

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
    PID: 4512
Network
MITRE ATT&CK Enterprise v6
Downloads