Analysis

- Max time kernel: 149s
- Max time network: 168s
- Platform: windows7_x64
- Resource: win7-en-20210920
- Submitted: 28-09-2021 18:58
Tasks

- Static task: static1
- Behavioral task: behavioral1 (Sample: olieki.exe, Resource: win7-en-20210920)
- Behavioral task: behavioral2 (Sample: olieki.exe, Resource: win10v20210408)
General

- Target: olieki.exe
- Size: 268KB
- MD5: a63baaab947841c61e60e663c6209f80
- SHA1: 1f20c6525e42278f64303303468c13cf85ef5b4b
- SHA256: c6a10b1d71d2aae9601572d3dba867bb8e5fbd435b41f3fa111cb89acc86774b
- SHA512: 021ec9ceebefdbc48b6ef86bc737534aae4cedbc0eff1198354bbe3cb8c7c6483e44ccf124466bd0d52931793aa114bff964b41b38ac5d773264a991c6bb9aae
Malware Config
Signatures

- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.

- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- Checks QEMU agent file (2 TTPs, 2 IoCs)
  Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
  Processes (description | ioc | process):
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | olieki.exe
    File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ieinstal.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run | ieinstal.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SYPHILIP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ernringso\\olieki.exe" | ieinstal.exe
  Note that the autostart value points at ...\Temp\ernringso\olieki.exe, a different path from the sample as executed (...\Temp\olieki.exe); the value is written by the ieinstal.exe process, not by olieki.exe itself.

- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid | process):
    2024 | olieki.exe
    2032 | ieinstal.exe
    2032 | ieinstal.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2024 set thread context of 2032 | 2024 | olieki.exe | ieinstal.exe

- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
    1480 | 2032 | WerFault.exe | ieinstal.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
    1480 | WerFault.exe (5 times)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    1480 | WerFault.exe

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    2024 | olieki.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1480 | WerFault.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    2024 | olieki.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 2024 wrote to memory of 2032 | 2024 | olieki.exe | ieinstal.exe (8 times)
    PID 2032 wrote to memory of 1480 | 2032 | ieinstal.exe | WerFault.exe (4 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\olieki.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\olieki.exe"
  - Checks QEMU agent file
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Program Files (x86)\internet explorer\ieinstal.exe (PID 2032, child of 2024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\olieki.exe"
    The image path and the command line disagree: the process runs the ieinstal.exe image but carries olieki.exe's command line. Together with the eight WriteProcessMemory calls, the MapViewOfSection and the SetThreadContext from PID 2024 recorded in the signatures, this is consistent with olieki.exe injecting code into a freshly created ieinstal.exe and redirecting its thread to it (process hollowing). The QEMU-agent probe, the Run key write and the anti-debug call attributed to ieinstal.exe below should therefore be read as actions of the injected code, not of Internet Explorer.
    - Checks QEMU agent file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WerFault.exe (PID 1480, child of 2032)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1364
      Windows Error Reporting handling the crash of PID 2032; the WriteProcessMemory events from 2032 into 1480 follow the usual crash hand-off pattern (no SetThreadContext, and WerFault's image matches its command line) rather than a second injection.
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
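The signatures and the process tree above contain everything needed to turn this report into a detection: a parent that writes into a child and then calls SetThreadContext on it, a child whose on-disk image does not match the executable named in its command line, a Run key write, and a probe for the QEMU guest agent. The following is an added example, not part of the sandbox report or of any vendor's tooling. It replays a hand-constructed event list modelled on this report's PIDs, paths and API names (the event schema, field names and the placeholder parent PID 1000 are assumptions) and correlates the events into findings. It also covers the negative case visible on this page: ieinstal.exe's writes into WerFault.exe have no matching SetThreadContext and no image/command-line mismatch, so they are not reported as injection.

```python
"""Correlate sandbox-style behaviour events into the findings this report
surfaces: a QEMU guest-agent probe (anti-VM), a Run-key autostart, and process
hollowing (remote memory writes plus SetThreadContext into a child whose on-disk
image does not match the executable named in its command line).

Added example; not part of the sandbox report or of any vendor's tooling. The
event schema (kind/pid/ppid/target_pid/image/cmdline/path/key/name/value) is
assumed, and EVENTS is constructed by hand from the PIDs, paths and API names
in the report above.
"""
from collections import defaultdict
import ntpath

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
QEMU_AGENT = "qemu-ga.exe"

# Constructed events modelled on the report (assumed schema, not a real export).
# ppid 1000 for the top-level process is a placeholder; the report does not show it.
EVENTS = [
    {"kind": "process_create", "pid": 2024, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\olieki.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\olieki.exe"'},
    {"kind": "file_open", "pid": 2024, "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    {"kind": "process_create", "pid": 2032, "ppid": 2024,
     "image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\olieki.exe"'},
    *[{"kind": "write_process_memory", "pid": 2024, "target_pid": 2032} for _ in range(8)],
    {"kind": "set_thread_context", "pid": 2024, "target_pid": 2032},
    {"kind": "file_open", "pid": 2032, "path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"},
    {"kind": "registry_set", "pid": 2032,
     "key": r"\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SYPHILIP",
     "value": r"C:\Users\Admin\AppData\Local\Temp\ernringso\olieki.exe"},
    {"kind": "process_create", "pid": 1480, "ppid": 2032,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1364"},
    # Crash hand-off: the faulting process writes into WerFault.exe but never
    # sets its thread context, and WerFault's image matches its command line.
    *[{"kind": "write_process_memory", "pid": 2032, "target_pid": 1480} for _ in range(4)],
]


def cmdline_image(cmdline: str) -> str:
    """Lower-cased basename of the executable a Windows command line names:
    the quoted first token, or everything up to the first space."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        exe = cmdline[1:].split('"', 1)[0]
    else:
        exe = cmdline.split(None, 1)[0]
    return ntpath.basename(exe).lower()


def detect(events):
    """Return a list of finding tuples; element 0 names the finding."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process_create"}
    writes = defaultdict(int)   # (writer pid, target pid) -> WriteProcessMemory count
    ctx_pairs = set()           # (caller pid, target pid) seen in SetThreadContext
    findings = []

    for e in events:
        k = e["kind"]
        if k == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif k == "set_thread_context":
            ctx_pairs.add((e["pid"], e["target_pid"]))
        elif k == "file_open" and ntpath.basename(e["path"]).lower() == QEMU_AGENT:
            findings.append(("anti_vm_qemu_agent_probe", e["pid"], e["path"]))
        elif k == "registry_set" and e["key"].lower().endswith(RUN_KEY_SUFFIX):
            findings.append(("run_key_persistence", e["pid"], e["name"], e["value"]))

    # A thread hijack needs both a remote write and a context change on the same
    # (source, target) pair; it is reported as hollowing when the target's image
    # and command line name different executables.
    for src, dst in sorted(ctx_pairs):
        if writes[(src, dst)] == 0 or dst not in procs:
            continue
        target = procs[dst]
        hollowed = ntpath.basename(target["image"]).lower() != cmdline_image(target["cmdline"])
        label = "process_hollowing" if hollowed else "remote_thread_hijack"
        findings.append((label, src, dst, target["image"], writes[(src, dst)]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run as-is it prints the two QEMU probes, the SYPHILIP Run value and one process_hollowing finding for 2024 -> 2032 with eight writes; nothing is emitted for 2032 -> 1480. To use it on real telemetry, map Sysmon event IDs 1 (process create, with Image and CommandLine), 8/10-style cross-process access and 13 (registry value set) onto the same event kinds.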
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

Memory dumps (file | size):
  memory/1480-67-0x0000000000000000-mapping.dmp | -
  memory/1480-68-0x0000000000290000-0x0000000000291000-memory.dmp | 4KB
  memory/2024-55-0x00000000002A0000-0x00000000002AF000-memory.dmp | 60KB
  memory/2024-57-0x0000000075821000-0x0000000075823000-memory.dmp | 8KB
  memory/2024-61-0x00000000777F0000-0x0000000077970000-memory.dmp | 1.5MB
  memory/2024-60-0x0000000077610000-0x00000000777B9000-memory.dmp | 1.7MB
  memory/2024-62-0x0000000077800000-0x00000000778D6000-memory.dmp | 856KB
  memory/2032-58-0x0000000000300000-0x0000000000400000-memory.dmp | 1024KB
  memory/2032-59-0x0000000000300000-mapping.dmp | -
  memory/2032-66-0x0000000077800000-0x00000000778D6000-memory.dmp | 856KB
  memory/2032-65-0x0000000077610000-0x00000000777B9000-memory.dmp | 1.7MB

File names encode PID, event index and address range. The 0x77610000-0x777B9000 and 0x77800000-0x778D6000 ranges appear in both 2024 and 2032 at identical addresses, which is typical of system DLL regions shared across processes. The dump to examine first is memory/2032-58 (0x300000-0x400000, 1024KB, in ieinstal.exe): the companion mapping dump 2032-59 records a section mapped at 0x300000 in that process, and together with the MapViewOfSection and WriteProcessMemory events from PID 2024 this makes the 0x300000-0x400000 region the first candidate for the injected payload.
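Once a dump such as memory/2032-58 is downloaded, the first question is whether the region holds a PE image and, if so, whether it sits at its preferred ImageBase. The following is an added example, not part of the sandbox report or of any vendor's tooling. It takes the region base from the dump's file name (using the naming convention visible in the list above), walks the buffer page by page for MZ/PE headers, handles both PE32 and PE32+ optional headers, and flags images found away from their preferred base. The buffer it scans is constructed in the code itself; nothing is claimed about the contents of the real dump.

```python
"""Scan a sandbox memory dump for PE headers and flag a relocated image.

Added example; not part of the sandbox report or of any vendor's tooling. It
parses the region base from the dump's file name (naming convention taken from
the Downloads list above), walks the buffer page by page looking for MZ/PE
headers, and reports each header's preferred ImageBase against the address it
was actually found at. The sample buffer is constructed here; nothing is
claimed about the contents of the real memory/2032-58 dump.
"""
import re
import struct

DUMP_NAME_RE = re.compile(r"-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def region_base_from_name(name: str) -> int:
    """Base address encoded in a '<pid>-<n>-0x<start>-0x<end>-memory.dmp' name."""
    m = DUMP_NAME_RE.search(name)
    if not m:
        raise ValueError(f"not a memory-range dump name: {name}")
    return int(m.group(1), 16)


def find_pe_headers(buf: bytes, region_base: int, align: int = 0x1000):
    """Return one dict per MZ/PE header found at a page-aligned offset in buf."""
    hits = []
    for off in range(0, max(len(buf) - 0x40, 0), align):
        if buf[off:off + 2] != b"MZ":
            continue
        (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)
        pe = off + e_lfanew
        # e_lfanew of a real image is small; also keep every read in bounds
        # (SizeOfImage sits at optional header + 56, 4 bytes wide).
        if e_lfanew > 0x400 or pe + 24 + 60 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
            continue
        machine, n_sections = struct.unpack_from("<HH", buf, pe + 4)
        opt = pe + 24
        (magic,) = struct.unpack_from("<H", buf, opt)
        if magic == 0x10B:          # PE32
            (entry_rva,) = struct.unpack_from("<I", buf, opt + 16)
            (image_base,) = struct.unpack_from("<I", buf, opt + 28)
        elif magic == 0x20B:        # PE32+
            (entry_rva,) = struct.unpack_from("<I", buf, opt + 16)
            (image_base,) = struct.unpack_from("<Q", buf, opt + 24)
        else:
            continue
        (size_of_image,) = struct.unpack_from("<I", buf, opt + 56)
        address = region_base + off
        hits.append({
            "address": address,
            "machine": machine,
            "sections": n_sections,
            "pe32plus": magic == 0x20B,
            "entry_point": address + entry_rva,
            "image_base": image_base,
            "size_of_image": size_of_image,
            # Mapped somewhere other than its preferred base: ordinary ASLR
            # relocation for a loaded DLL, or the injected image in a hollowed host.
            "relocated": image_base != address,
        })
    return hits


def build_sample_dump() -> bytes:
    """Constructed 16 KB buffer with a minimal PE32 header at offset 0x2000."""
    buf = bytearray(0x4000)
    off = 0x2000
    buf[off:off + 2] = b"MZ"
    struct.pack_into("<I", buf, off + 0x3C, 0x80)           # e_lfanew
    pe = off + 0x80
    buf[pe:pe + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 3 sections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x1234)           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", buf, opt + 28, 0x400000)         # preferred ImageBase
    struct.pack_into("<I", buf, opt + 56, 0x100000)         # SizeOfImage
    return bytes(buf)


if __name__ == "__main__":
    base = region_base_from_name("memory/2032-58-0x0000000000300000-0x0000000000400000-memory.dmp")
    for hit in find_pe_headers(build_sample_dump(), base):
        print({k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
               for k, v in hit.items()})
```

On the constructed buffer the header is found at 0x302000 with a preferred ImageBase of 0x400000, so it is reported as relocated; on a real dump, replace build_sample_dump() with the bytes of the downloaded file and pass the base parsed from its name. A hit whose SizeOfImage exceeds the dumped range means the image continues past the region and a wider dump is needed before carving.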