Overview

overview

10

Static

static

OpenSea-Ap...up.exe

windows7_x64

8

OpenSea-Ap...up.exe

windows7_x64

8

OpenSea-Ap...up.exe

windows7_x64

8

OpenSea-Ap...up.exe

windows11_x64

8

OpenSea-Ap...up.exe

windows10_x64

10

OpenSea-Ap...up.exe

windows10_x64

8

OpenSea-Ap...up.exe

windows10_x64

10

Resubmissions

20-10-2021 15:46

211020-s7r6gahcc5 10

20-10-2021 15:32

211020-sy5p7shca9 10

Analysis

  • max time kernel
    1046s
  • max time network
    1588s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    20-10-2021 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OpenSea-App_v2.1-setup.exe

  • Size

    116.4MB

  • MD5

    b188206887e0f25a50c50e1955413442

  • SHA1

    3f4fcd1debd12586f712d694218339a7fd40c50b

  • SHA256

    de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4

  • SHA512

    94391442364c2e6a16a2fd0bd2384d0f21a56cd5a67faa7998511ebb55feb3e5a7915c603c2caaa8da79f8bdfc1490eb2a8f559546193977b239a2d133bf3624

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\is-B39LJ.tmp\OpenSea-App_v2.1-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B39LJ.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$200F6,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4340
      • C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
        "C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2412
        • C:\Users\Admin\AppData\Local\Temp\is-21LIC.tmp\OpenSea-App_v2.1-setup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-21LIC.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$300F6,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:936
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
            "C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe"
            5⤵
            • Executes dropped EXE
            • Drops startup file
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BEUNNA5e.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:552
              • C:\Windows\system32\timeout.exe
                timeout /t 5 /nobreak
                7⤵
                • Delays execution with timeout.exe
                PID:4188
  • C:\Windows\System32\Upfc.exe
    C:\Windows\System32\Upfc.exe /launchtype periodic /cv cnVPGGA1wkm9Dcji0e+mIg.0
    1⤵
      PID:4556
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -s W32Time
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4512
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Modifies data under HKEY_USERS
      PID:4360
    • C:\Windows\System32\sihclient.exe
      C:\Windows\System32\sihclient.exe /cv IwFUuwLsCkyB0/KXtpP4hQ.0.2
      1⤵
      • Modifies data under HKEY_USERS
      PID:668
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
      1⤵
        PID:2284
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
        1⤵
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        PID:4172
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
        1⤵
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          2⤵
            PID:2472
          • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
            C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
            2⤵
              PID:5004
          • C:\Windows\System32\WaaSMedicAgent.exe
            C:\Windows\System32\WaaSMedicAgent.exe 087d6ab36490a1f334ab02d857c11204 IwFUuwLsCkyB0/KXtpP4hQ.0.1.0.3.0
            1⤵
            • Modifies data under HKEY_USERS
            PID:4808

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          System Information Discovery

          2
          T1082

          Query Registry

          1
          T1012

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\BEUNNA5e.bat
            MD5

            b0c01e5d9df9f5e42305199ad95cf147

            SHA1

            cf3535caab4ab6f92b732f16545b60e0aaf04ef6

            SHA256

            2b0fcacf9d67ae68c93f5fe1b0aa4015cb9bb5df3830595a87e3f15f80b08aea

            SHA512

            3a1bdec69003682652fa19305c69103893e97c538587266cc2d7e63a8b75860c49034f41eb90799f0c76a80cf0cadda48a5dbca101bfb1381d904806296f8c9d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\is-21LIC.tmp\OpenSea-App_v2.1-setup.tmp
            MD5

            1d58a53221a0e00ae086d5727f5e97a8

            SHA1

            425d12467917bb82dd3f67f43e0c7178b0993aa3

            SHA256

            3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

            SHA512

            8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\is-B39LJ.tmp\OpenSea-App_v2.1-setup.tmp
            MD5

            1d58a53221a0e00ae086d5727f5e97a8

            SHA1

            425d12467917bb82dd3f67f43e0c7178b0993aa3

            SHA256

            3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

            SHA512

            8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll
            MD5

            791791c0e466eb0a6af462a265074c9d

            SHA1

            db4e66209bd211ddc0378c0f62e644eb466cde0e

            SHA256

            187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

            SHA512

            badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll
            MD5

            791791c0e466eb0a6af462a265074c9d

            SHA1

            db4e66209bd211ddc0378c0f62e644eb466cde0e

            SHA256

            187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

            SHA512

            badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\libtfs2.0.dll
            MD5

            f551e738c23336e2f614b6e21f1627cf

            SHA1

            1c4832665ad7f203b6ab13e02cb2f64805a6c269

            SHA256

            38b13d85f93f4c0e1283bc55d8e54244fa01d6d60aaa00b7bfb49f489333b1e6

            SHA512

            bca914e0bb7f3dc18019b4457bc870f94dcb5afdf13b7f463e506c2c30fc99f2b22392c69e3c626b8bea7d248ef26d534a06f03c27340744040efe476c53db01

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\libtfs2.0.dll
            MD5

            f551e738c23336e2f614b6e21f1627cf

            SHA1

            1c4832665ad7f203b6ab13e02cb2f64805a6c269

            SHA256

            38b13d85f93f4c0e1283bc55d8e54244fa01d6d60aaa00b7bfb49f489333b1e6

            SHA512

            bca914e0bb7f3dc18019b4457bc870f94dcb5afdf13b7f463e506c2c30fc99f2b22392c69e3c626b8bea7d248ef26d534a06f03c27340744040efe476c53db01

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\men
            MD5

            a6448d8d59e1745612001ce13359bb30

            SHA1

            40715399ee65505ae77adf615cc8ea0921e44956

            SHA256

            2739158b312b0c2185c3481586d3e9498cf1f9440ad8144deae3ffad9a491e85

            SHA512

            3eb5cadf18f31c059cb3335c7a7e07eda947760d37b424c60ea296c05c57e285caed879773d9ab901eaab48e3732a58bb9acb627d26d79a7e32836cb1078acc7

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
            MD5

            7c874ddc2e0689786d7635aa25326b4c

            SHA1

            f7654000b1d39b8f88d4b98159c54e124cbb00d6

            SHA256

            445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

            SHA512

            bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
            MD5

            7c874ddc2e0689786d7635aa25326b4c

            SHA1

            f7654000b1d39b8f88d4b98159c54e124cbb00d6

            SHA256

            445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

            SHA512

            bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

            Download Submit
          • memory/552-180-0x0000000000000000-mapping.dmp
            Download
          • memory/936-162-0x0000000000000000-mapping.dmp
            Download
          • memory/936-165-0x00000000026C0000-0x00000000026C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2412-158-0x0000000000000000-mapping.dmp
            Download
          • memory/2412-164-0x0000000000400000-0x00000000004F1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/2472-160-0x0000000000000000-mapping.dmp
            Download
          • memory/2960-166-0x0000000000000000-mapping.dmp
            Download
          • memory/4172-187-0x000001AB446B0000-0x000001AB446B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4172-156-0x000001AB447B0000-0x000001AB447B4000-memory.dmp
            Filesize

            16KB

            Download
          • memory/4172-185-0x000001AB446F0000-0x000001AB446F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4172-184-0x000001AB447D0000-0x000001AB447D4000-memory.dmp
            Filesize

            16KB

            Download
          • memory/4188-182-0x0000000000000000-mapping.dmp
            Download
          • memory/4340-157-0x00000000026F0000-0x00000000026F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4340-151-0x0000000000000000-mapping.dmp
            Download
          • memory/4360-176-0x000001EF0C9A0000-0x000001EF0C9A4000-memory.dmp
            Filesize

            16KB

            Download
          • memory/4360-177-0x000001EF0C990000-0x000001EF0C991000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4360-178-0x000001EF0C990000-0x000001EF0C994000-memory.dmp
            Filesize

            16KB

            Download
          • memory/4360-179-0x000001EF0C870000-0x000001EF0C871000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4360-150-0x000001EF0C5E0000-0x000001EF0C5F0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4360-149-0x000001EF0C560000-0x000001EF0C570000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4360-175-0x000001EF0EE20000-0x000001EF0EE21000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4360-174-0x000001EF0EE60000-0x000001EF0EE64000-memory.dmp
            Filesize

            16KB

            Download
          • memory/4360-155-0x000001EF0C970000-0x000001EF0C974000-memory.dmp
            Filesize

            16KB

            Download
          • memory/4724-148-0x0000000000400000-0x00000000004F1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/5004-183-0x0000000000000000-mapping.dmp
            Download