328449250e95af61e5e92254665d4c1a43d835482cd2d159c1e8a08a1ad8c725

Analysis

max time kernel
58s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
24-11-2020 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
Size

1.1MB
MD5

0d2152118cc580db3dce7244c9ba9663
SHA1

8163955d3a9eb5e8be460da5b0a3b0d1fe8a3191
SHA256

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8
SHA512

a8eb6ad994e9a1e26a37303cfee1ebd1ad58996909c12819daed19529d1c00c31e5c391362d48a9d4f10bec52c601326b4c0b06d7986cd2bc6bbe29b4abf0e5a

Score

9^/10

discovery spyware

Malware Config

Signatures

ServiceHost packer 8 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral12/memory/876-28-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-29-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-30-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-32-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-33-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-34-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-35-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-31-0x000000000041CF3C-mapping.dmp	servicehost

Executes dropped EXE 3 IoCs

Processes:

NisSrv.comNisSrv.comnslookup.exe

pid process

3436 NisSrv.com
4428 NisSrv.com
876 nslookup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

NisSrv.com

description pid process target process

PID 4428 set thread context of 876 4428 NisSrv.com nslookup.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4664 876 WerFault.exe nslookup.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1664 PING.EXE
4188 PING.EXE

pid	process
3436	NisSrv.com
4428	NisSrv.com
876	nslookup.exe

description	pid	process	target process
PID 4428 set thread context of 876	4428	NisSrv.com	nslookup.exe

pid	pid_target	process	target process
4664	876	WerFault.exe	nslookup.exe

pid	process
1664	PING.EXE
4188	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

NisSrv.com

pid process

4428 NisSrv.com
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 4664 WerFault.exe
Token: SeBackupPrivilege 4664 WerFault.exe
Token: SeDebugPrivilege 4664 WerFault.exe

pid	process
4428	NisSrv.com

description	pid	process
Token: SeRestorePrivilege	4664	WerFault.exe
Token: SeBackupPrivilege	4664	WerFault.exe
Token: SeDebugPrivilege	4664	WerFault.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.execmd.execmd.exeNisSrv.comNisSrv.com

description	pid	process	target process
PID 4768 wrote to memory of 320	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4768 wrote to memory of 320	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4768 wrote to memory of 320	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4768 wrote to memory of 4228	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4768 wrote to memory of 4228	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4768 wrote to memory of 4228	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4228 wrote to memory of 4300	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 4300	4228	cmd.exe	cmd.exe
PID 4228 wrote to memory of 4300	4228	cmd.exe	cmd.exe
PID 4300 wrote to memory of 4188	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4188	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 4188	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 3744	4300	cmd.exe	certutil.exe
PID 4300 wrote to memory of 3744	4300	cmd.exe	certutil.exe
PID 4300 wrote to memory of 3744	4300	cmd.exe	certutil.exe
PID 4300 wrote to memory of 3436	4300	cmd.exe	NisSrv.com
PID 4300 wrote to memory of 3436	4300	cmd.exe	NisSrv.com
PID 4300 wrote to memory of 3436	4300	cmd.exe	NisSrv.com
PID 4300 wrote to memory of 1664	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 1664	4300	cmd.exe	PING.EXE
PID 4300 wrote to memory of 1664	4300	cmd.exe	PING.EXE
PID 3436 wrote to memory of 4428	3436	NisSrv.com	NisSrv.com
PID 3436 wrote to memory of 4428	3436	NisSrv.com	NisSrv.com
PID 3436 wrote to memory of 4428	3436	NisSrv.com	NisSrv.com
PID 4768 wrote to memory of 4512	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4768 wrote to memory of 4512	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4768 wrote to memory of 4512	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	cmd.exe
PID 4428 wrote to memory of 876	4428	NisSrv.com	nslookup.exe
PID 4428 wrote to memory of 876	4428	NisSrv.com	nslookup.exe
PID 4428 wrote to memory of 876	4428	NisSrv.com	nslookup.exe
PID 4428 wrote to memory of 876	4428	NisSrv.com	nslookup.exe

C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
"C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo qjRuHoTvG
2⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < pzoyjuWNTGixxnxHcGRQMVppcO.jEUBHZbtIgfCMSKASTkwzjfKYjkmhlZKbsKpYtmcWxL
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SysWOW64\PING.EXE
ping -n 1 NovDIn.ElaU
4⤵
- Runs ping.exe
PID:4188

C:\Windows\SysWOW64\certutil.exe
certutil -decode hoMwFZhHyUcrWnpiYMSRVzuj.BWsHdkYEUyeLlWDXiAKiMtRBkGFNgjUwA hX
4⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
NisSrv.com hX
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com hX
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
6⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1048
7⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
MD5
bde38c090196fdf5c78ab632f5abcd79

SHA1
5f84042605b52416ed5633a3d02878f3116ae9d1

SHA256
67160ea89e16732088c8d352b83d9fa13c10ca5103c7e634c771ab76a1a7922b

SHA512
973277614aff26364ba7afb178e3addd7cb3a0458f48ee4ad4c4b970bfbbbb3c6b7029a26e750dc346b0148ec84e23f322f75c6f38171837acd902d4e6aed311

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NSVDFZoORZNAuHaoGGPTcOpkqszynoQeWUhoDFdzCZF.XMQeQwWuZFaZJKDhGedIpKDkzlEwdcscphhgBdfbjJesCgn
MD5
b66801f8eef442b1e664f189c16e7f78

SHA1
241c92e2343630ad6b3d80daf6c96c590f60ed2d

SHA256
4b99e26b74e219107c6e804d16cbfb5573fed5e1eeb7c9b6158cc0d89a8b6edd

SHA512
1c4c45f2eb1b95c37b710a06f92ee63235895e6e0d2556fdb620bb1406c60f21cb34ca8c6ea2b9d802e1acc4b2566cee8a94119a3a129288727856c67302c96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
MD5
690df215774716b64c246e9551b5f86b

SHA1
be106aa4378e9d3c3b63dd019300d135061130ee

SHA256
9160e2f41e3fb7c24dabc75804da2b03d737c1a61d870ea6a016af826474d19f

SHA512
065f6b47e0a7cfca9280e7052a2c6001e3d2645a1ac33a1dc37d046c5fb7eb4a4dc80220319b5a3d34858e12bc91db6c981837c6fdb069e4d51e1996505cc121

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\QDgWPcvfMfNSvAIjJyLLZhISMjBqyWHJqdSmrFnrvMfbLQA.EWVDTLVDVvlDTvlQHrSyHoptGI
MD5
dee9226f2d6f8b3e4e938726dbdb7cb8

SHA1
aa866f9a70d2839772fc60a95a5a3dd89965c0de

SHA256
ad5b7b8f22045b3eb94d423a8fd1b756de14938034760f9148f1a58fdbcf6459

SHA512
a84c2255c77ea1539b19ae9fc965921368dee50b8e6044143d1e99f976ea241a2a7d5a8e08ae2310f95da9823b47f442a39f565fb7df750d119151ed7bf246f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hX
MD5
58a29ae1ae17df05148a96da75dd806d

SHA1
d3319f1637b8d48ba22deb3b9d8bd32e64468844

SHA256
c0190ea9d37a80c546be0371f5f3a2b3798cc9cc72eccef4fa5b140f81bd0750

SHA512
11275bf725a4563bb2598aab279a903c77598c149e2cf31b553632273ea61e67d512d2fa0a52793095ea984c1d9fa6ce824e956620d53be40572af1d2d5a149a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\hoMwFZhHyUcrWnpiYMSRVzuj.BWsHdkYEUyeLlWDXiAKiMtRBkGFNgjUwA
MD5
a693b07b8c2cd70f3f4d54180539ac71

SHA1
3b886a7fac5d54ce39770bab615c1c7631e7707e

SHA256
4afbdc0bebded8635e1d545832efbde851518f9d5a430753b947b2e5bd6ceb30

SHA512
6316c3d39c58f7e159f9e21b44615e784c3652a3c234d71ae76a33cc2ee136435d7088db97b0a02d281857e6316e5ea65c9195498b72320640850adf38155135

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
MD5
df4be7914c0ec7923e5740f44f629ff8

SHA1
84ec0080330f4d812755c901b01a3500874c9d36

SHA256
c375b41006ca84f7a3ba98e4284f714c48d98b5fba5010034825bf4713ab76fa

SHA512
e2c92f6b9df16431c8f83e96ae8f2a1761857248b9189e76fd1a1d2cbbfe3e46ffed7fcb7c972533245c44d77f0cefeef951442f17d3eb5e4373e838f3a86fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
MD5
df4be7914c0ec7923e5740f44f629ff8

SHA1
84ec0080330f4d812755c901b01a3500874c9d36

SHA256
c375b41006ca84f7a3ba98e4284f714c48d98b5fba5010034825bf4713ab76fa

SHA512
e2c92f6b9df16431c8f83e96ae8f2a1761857248b9189e76fd1a1d2cbbfe3e46ffed7fcb7c972533245c44d77f0cefeef951442f17d3eb5e4373e838f3a86fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\pzoyjuWNTGixxnxHcGRQMVppcO.jEUBHZbtIgfCMSKASTkwzjfKYjkmhlZKbsKpYtmcWxL
MD5
e835b806e6e4ea78eb3c33c0570f8bdd

SHA1
f72ac0e5e16cabbf7b9461fa7e8b1e0e1ec1fc58

SHA256
3a50f979d31e29db83d8cf012e43b12ca9cafd36c171284cf68f4d5b46297c60

SHA512
59abca6ca21610c9e9fac5a09bad394d1f293040b28e1446f5c4b4319c122d717ddbaeba46a50cce10cd4724de3f1679f3d56a6e6701438e2bb33bcb33c637d4

Download Submit
memory/320-0-0x0000000000000000-mapping.dmp

Download
memory/876-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/876-28-0x000000000041CF3C-mapping.dmp

Download
memory/876-33-0x000000000041CF3C-mapping.dmp

Download
memory/876-32-0x000000000041CF3C-mapping.dmp

Download
memory/876-30-0x000000000041CF3C-mapping.dmp

Download
memory/876-29-0x000000000041CF3C-mapping.dmp

Download
memory/876-34-0x000000000041CF3C-mapping.dmp

Download
memory/876-35-0x000000000041CF3C-mapping.dmp

Download
memory/876-19-0x000000000041CF3C-mapping.dmp

Download
memory/876-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/876-31-0x000000000041CF3C-mapping.dmp

Download
memory/1664-10-0x0000000000000000-mapping.dmp

Download
memory/3436-8-0x0000000000000000-mapping.dmp

Download
memory/3744-6-0x0000000000000000-mapping.dmp

Download
memory/4188-4-0x0000000000000000-mapping.dmp

Download
memory/4228-1-0x0000000000000000-mapping.dmp

Download
memory/4300-3-0x0000000000000000-mapping.dmp

Download
memory/4428-12-0x0000000000000000-mapping.dmp

Download
memory/4512-16-0x0000000000000000-mapping.dmp

Download
memory/4664-27-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/4664-25-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/4664-36-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download