Overview

overview

10

Static

static

OpenSea-Ap...up.exe

windows7_x64

8

OpenSea-Ap...up.exe

windows7_x64

8

OpenSea-Ap...up.exe

windows7_x64

8

OpenSea-Ap...up.exe

windows11_x64

8

OpenSea-Ap...up.exe

windows10_x64

10

OpenSea-Ap...up.exe

windows10_x64

8

OpenSea-Ap...up.exe

windows10_x64

10

Resubmissions

20-10-2021 15:46

211020-s7r6gahcc5 10

20-10-2021 15:32

211020-sy5p7shca9 10

Analysis

  • max time kernel
    2302s
  • max time network
    2720s
  • platform
    windows10_x64
  • resource
    win10-ja-20211014
  • submitted
    20-10-2021 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OpenSea-App_v2.1-setup.exe

  • Size

    116.4MB

  • MD5

    b188206887e0f25a50c50e1955413442

  • SHA1

    3f4fcd1debd12586f712d694218339a7fd40c50b

  • SHA256

    de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4

  • SHA512

    94391442364c2e6a16a2fd0bd2384d0f21a56cd5a67faa7998511ebb55feb3e5a7915c603c2caaa8da79f8bdfc1490eb2a8f559546193977b239a2d133bf3624

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs
    persistence
  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 8 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Users\Admin\AppData\Local\Temp\is-H941B.tmp\OpenSea-App_v2.1-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-H941B.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$201BE,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
        "C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Users\Admin\AppData\Local\Temp\is-HVUSO.tmp\OpenSea-App_v2.1-setup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-HVUSO.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$A0058,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4976
          • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
            "C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe"
            5⤵
            • Executes dropped EXE
            • Drops startup file
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:828
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5Q2zfz07.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4972
              • C:\Windows\system32\timeout.exe
                timeout /t 5 /nobreak
                7⤵
                • Delays execution with timeout.exe
                PID:5000
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:1328
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1772
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5100.0.1456314301\1515616280" -parentBuildID 20200403170909 -prefsHandle 1532 -prefMapHandle 1512 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5100 "\\.\pipe\gecko-crash-server-pipe.5100" 1612 gpu
        3⤵
          PID:3036
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5100.3.1600024868\1322643326" -childID 1 -isForBrowser -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 122 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5100 "\\.\pipe\gecko-crash-server-pipe.5100" 2232 tab
          3⤵
            PID:4324
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5100.13.1877312079\2104409712" -childID 2 -isForBrowser -prefsHandle 3376 -prefMapHandle 3372 -prefsLen 6979 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5100 "\\.\pipe\gecko-crash-server-pipe.5100" 3392 tab
            3⤵
              PID:420
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5100.20.194318521\1933619341" -childID 3 -isForBrowser -prefsHandle 4644 -prefMapHandle 4820 -prefsLen 7684 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 5100 "\\.\pipe\gecko-crash-server-pipe.5100" 4216 tab
              3⤵
                PID:2004
              • C:\Program Files\Mozilla Firefox\uninstall\helper.exe
                "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppUser
                3⤵
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:3968
          • C:\Windows\ImmersiveControlPanel\SystemSettings.exe
            "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
            1⤵
            • Checks SCSI registry key(s)
            • Modifies registry class
            PID:3500
          • C:\Windows\System32\IME\SHARED\imebroker.exe
            C:\Windows\System32\IME\SHARED\imebroker.exe -Embedding
            1⤵
              PID:360
            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
              1⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              PID:1248

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            4
            T1082

            Query Registry

            2
            T1012

            Peripheral Device Discovery

            1
            T1120

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\5Q2zfz07.bat
              MD5

              9c6bd7712c4446c29a65c92b3b57bec2

              SHA1

              0f89c24c21de2a218329de75725351337809b39e

              SHA256

              93b71a61024ebee283f4e119e31b10cde7fab59aabda55e535d55e28c38dc698

              SHA512

              d2920602df75424122883aecf815b4e12e0bb9e6879c36d0dc89b02e04d396aa3612224d93537e757a6d6f2781cd3ecc312f5abe9fdc17f74757d436c7e1cc07

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\is-H941B.tmp\OpenSea-App_v2.1-setup.tmp
              MD5

              1d58a53221a0e00ae086d5727f5e97a8

              SHA1

              425d12467917bb82dd3f67f43e0c7178b0993aa3

              SHA256

              3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

              SHA512

              8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\is-HVUSO.tmp\OpenSea-App_v2.1-setup.tmp
              MD5

              1d58a53221a0e00ae086d5727f5e97a8

              SHA1

              425d12467917bb82dd3f67f43e0c7178b0993aa3

              SHA256

              3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

              SHA512

              8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\is-HVUSO.tmp\OpenSea-App_v2.1-setup.tmp
              MD5

              1d58a53221a0e00ae086d5727f5e97a8

              SHA1

              425d12467917bb82dd3f67f43e0c7178b0993aa3

              SHA256

              3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

              SHA512

              8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll
              MD5

              791791c0e466eb0a6af462a265074c9d

              SHA1

              db4e66209bd211ddc0378c0f62e644eb466cde0e

              SHA256

              187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

              SHA512

              badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\libtfs2.0.dll
              MD5

              f551e738c23336e2f614b6e21f1627cf

              SHA1

              1c4832665ad7f203b6ab13e02cb2f64805a6c269

              SHA256

              38b13d85f93f4c0e1283bc55d8e54244fa01d6d60aaa00b7bfb49f489333b1e6

              SHA512

              bca914e0bb7f3dc18019b4457bc870f94dcb5afdf13b7f463e506c2c30fc99f2b22392c69e3c626b8bea7d248ef26d534a06f03c27340744040efe476c53db01

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\men
              MD5

              a6448d8d59e1745612001ce13359bb30

              SHA1

              40715399ee65505ae77adf615cc8ea0921e44956

              SHA256

              2739158b312b0c2185c3481586d3e9498cf1f9440ad8144deae3ffad9a491e85

              SHA512

              3eb5cadf18f31c059cb3335c7a7e07eda947760d37b424c60ea296c05c57e285caed879773d9ab901eaab48e3732a58bb9acb627d26d79a7e32836cb1078acc7

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
              MD5

              7c874ddc2e0689786d7635aa25326b4c

              SHA1

              f7654000b1d39b8f88d4b98159c54e124cbb00d6

              SHA256

              445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

              SHA512

              bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
              MD5

              7c874ddc2e0689786d7635aa25326b4c

              SHA1

              f7654000b1d39b8f88d4b98159c54e124cbb00d6

              SHA256

              445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

              SHA512

              bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

              Download Submit
            • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db
              MD5

              8665de22b67e46648a5a147c1ed296ca

              SHA1

              b289a96fee9fa77dd8e045ae8fd161debd376f48

              SHA256

              b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

              SHA512

              bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsh1770.tmp\CityHash.dll
              MD5

              737379945745bb94f8a0dadcc18cad8d

              SHA1

              6a1f497b4dc007f5935b66ec83b00e5a394332c6

              SHA256

              d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

              SHA512

              c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsh1770.tmp\CityHash.dll
              MD5

              737379945745bb94f8a0dadcc18cad8d

              SHA1

              6a1f497b4dc007f5935b66ec83b00e5a394332c6

              SHA256

              d3d7b3d7a7941d66c7f75257be90b12ac76f787af42cd58f019ce0280972598a

              SHA512

              c4a43b3ca42483cbd117758791d4333ddf38fa45eb3377f7b71ce74ec6e4d8b5ef2bfbe48c249d4eaf57ab929f4301138e53c79e0fa4be94dcbcd69c8046bc22

              Download Submit
            • \Users\Admin\AppData\Local\Temp\nsh1770.tmp\System.dll
              MD5

              17ed1c86bd67e78ade4712be48a7d2bd

              SHA1

              1cc9fe86d6d6030b4dae45ecddce5907991c01a0

              SHA256

              bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

              SHA512

              0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

              Download Submit
            • \Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll
              MD5

              791791c0e466eb0a6af462a265074c9d

              SHA1

              db4e66209bd211ddc0378c0f62e644eb466cde0e

              SHA256

              187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

              SHA512

              badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

              Download Submit
            • \Users\Admin\AppData\Roaming\Network UniConverter Management 13\libtfs2.0.dll
              MD5

              f551e738c23336e2f614b6e21f1627cf

              SHA1

              1c4832665ad7f203b6ab13e02cb2f64805a6c269

              SHA256

              38b13d85f93f4c0e1283bc55d8e54244fa01d6d60aaa00b7bfb49f489333b1e6

              SHA512

              bca914e0bb7f3dc18019b4457bc870f94dcb5afdf13b7f463e506c2c30fc99f2b22392c69e3c626b8bea7d248ef26d534a06f03c27340744040efe476c53db01

              Download Submit
            • memory/828-129-0x0000000000000000-mapping.dmp
              Download
            • memory/3968-144-0x0000000000630000-0x000000000063F000-memory.dmp
              Filesize

              60KB

              Download
            • memory/3968-140-0x0000000000000000-mapping.dmp
              Download
            • memory/4452-117-0x0000000000400000-0x00000000004F1000-memory.dmp
              Filesize

              964KB

              Download
            • memory/4768-120-0x0000000002660000-0x0000000002661000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4768-118-0x0000000000000000-mapping.dmp
              Download
            • memory/4876-124-0x0000000000400000-0x00000000004F1000-memory.dmp
              Filesize

              964KB

              Download
            • memory/4876-121-0x0000000000000000-mapping.dmp
              Download
            • memory/4972-137-0x0000000000000000-mapping.dmp
              Download
            • memory/4976-127-0x0000000000880000-0x0000000000881000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4976-125-0x0000000000000000-mapping.dmp
              Download
            • memory/5000-139-0x0000000000000000-mapping.dmp
              Download