de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4

Resubmissions

20-10-2021 15:46

211020-s7r6gahcc5 10

20-10-2021 15:32

211020-sy5p7shca9 10

Analysis

max time kernel
300s
max time network
314s
platform
windows7_x64
resource
win7-ja-20211014
submitted
20-10-2021 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OpenSea-App_v2.1-setup.exe
Size

116.4MB
MD5

b188206887e0f25a50c50e1955413442
SHA1

3f4fcd1debd12586f712d694218339a7fd40c50b
SHA256

de644e637da7cd117517b1bb96ee0f58131515013a322366d680f613afa31bc4
SHA512

94391442364c2e6a16a2fd0bd2384d0f21a56cd5a67faa7998511ebb55feb3e5a7915c603c2caaa8da79f8bdfc1490eb2a8f559546193977b239a2d133bf3624

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

OpenSea-App_v2.1-setup.tmpOpenSea-App_v2.1-setup.tmpuniconverter.exe

pid process

1412 OpenSea-App_v2.1-setup.tmp
1292 OpenSea-App_v2.1-setup.tmp
840 uniconverter.exe
Loads dropped DLL 5 IoCs

Processes:

OpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.tmpuniconverter.exe

pid process

948 OpenSea-App_v2.1-setup.exe
1684 OpenSea-App_v2.1-setup.exe
1292 OpenSea-App_v2.1-setup.tmp
1292 OpenSea-App_v2.1-setup.tmp
840 uniconverter.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

uniconverter.exe

pid process

840 uniconverter.exe
840 uniconverter.exe
840 uniconverter.exe
840 uniconverter.exe
840 uniconverter.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

964 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OpenSea-App_v2.1-setup.tmp

pid process

1292 OpenSea-App_v2.1-setup.tmp
1292 OpenSea-App_v2.1-setup.tmp
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

uniconverter.exe

description pid process

Token: SeDebugPrivilege 840 uniconverter.exe
Token: SeShutdownPrivilege 840 uniconverter.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

OpenSea-App_v2.1-setup.tmp

pid process

1292 OpenSea-App_v2.1-setup.tmp
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

uniconverter.exe

pid process

840 uniconverter.exe
840 uniconverter.exe

pid	process
1412	OpenSea-App_v2.1-setup.tmp
1292	OpenSea-App_v2.1-setup.tmp
840	uniconverter.exe

pid	process
948	OpenSea-App_v2.1-setup.exe
1684	OpenSea-App_v2.1-setup.exe
1292	OpenSea-App_v2.1-setup.tmp
1292	OpenSea-App_v2.1-setup.tmp
840	uniconverter.exe

pid	process
840	uniconverter.exe
840	uniconverter.exe
840	uniconverter.exe
840	uniconverter.exe
840	uniconverter.exe

pid	process
964	timeout.exe

pid	process
1292	OpenSea-App_v2.1-setup.tmp
1292	OpenSea-App_v2.1-setup.tmp

description	pid	process
Token: SeDebugPrivilege	840	uniconverter.exe
Token: SeShutdownPrivilege	840	uniconverter.exe

pid	process
1292	OpenSea-App_v2.1-setup.tmp

pid	process
840	uniconverter.exe
840	uniconverter.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

OpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.tmpOpenSea-App_v2.1-setup.exeOpenSea-App_v2.1-setup.tmpuniconverter.execmd.exe

description	pid	process	target process
PID 948 wrote to memory of 1412	948	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 948 wrote to memory of 1412	948	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 948 wrote to memory of 1412	948	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 948 wrote to memory of 1412	948	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 948 wrote to memory of 1412	948	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 948 wrote to memory of 1412	948	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 948 wrote to memory of 1412	948	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1412 wrote to memory of 1684	1412	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1412 wrote to memory of 1684	1412	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1412 wrote to memory of 1684	1412	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1412 wrote to memory of 1684	1412	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1412 wrote to memory of 1684	1412	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1412 wrote to memory of 1684	1412	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1412 wrote to memory of 1684	1412	OpenSea-App_v2.1-setup.tmp	OpenSea-App_v2.1-setup.exe
PID 1684 wrote to memory of 1292	1684	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1684 wrote to memory of 1292	1684	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1684 wrote to memory of 1292	1684	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1684 wrote to memory of 1292	1684	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1684 wrote to memory of 1292	1684	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1684 wrote to memory of 1292	1684	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1684 wrote to memory of 1292	1684	OpenSea-App_v2.1-setup.exe	OpenSea-App_v2.1-setup.tmp
PID 1292 wrote to memory of 840	1292	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 1292 wrote to memory of 840	1292	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 1292 wrote to memory of 840	1292	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 1292 wrote to memory of 840	1292	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 1292 wrote to memory of 840	1292	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 1292 wrote to memory of 840	1292	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 1292 wrote to memory of 840	1292	OpenSea-App_v2.1-setup.tmp	uniconverter.exe
PID 840 wrote to memory of 800	840	uniconverter.exe	cmd.exe
PID 840 wrote to memory of 800	840	uniconverter.exe	cmd.exe
PID 840 wrote to memory of 800	840	uniconverter.exe	cmd.exe
PID 840 wrote to memory of 800	840	uniconverter.exe	cmd.exe
PID 800 wrote to memory of 964	800	cmd.exe	timeout.exe
PID 800 wrote to memory of 964	800	cmd.exe	timeout.exe
PID 800 wrote to memory of 964	800	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
"C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\is-3HO9F.tmp\OpenSea-App_v2.1-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3HO9F.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$70152,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\is-KF4MU.tmp\OpenSea-App_v2.1-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KF4MU.tmp\OpenSea-App_v2.1-setup.tmp" /SL5="$80152,121164526,934400,C:\Users\Admin\AppData\Local\Temp\OpenSea-App_v2.1-setup.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1292
    - - C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe
        
        "C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:840
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\K5opD3dA.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\system32\timeout.exe
        
        timeout /t 5 /nobreak
        7⤵
        Delays execution with timeout.exe
        
        PID:964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\K5opD3dA.bat

MD5
072735f5b499e69feff16f121e3ff473

SHA1
1972508696b47beb5309739195f850ed24d52667

SHA256
29eca0c747f202add7bf06ce7ca70ff8bc4a073b233ee5ea6976cd19ad0bebda

SHA512
9c39e920eed6da2fedfc68b0fdb1ac705ed57563f091b7c1ceb0bf2b2995dca8fcd704e02fe3d0030e0b20e560c2c07e993057951f30e4647b7cfb373fd095e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3HO9F.tmp\OpenSea-App_v2.1-setup.tmp

MD5
1d58a53221a0e00ae086d5727f5e97a8

SHA1
425d12467917bb82dd3f67f43e0c7178b0993aa3

SHA256
3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

SHA512
8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KF4MU.tmp\OpenSea-App_v2.1-setup.tmp

MD5
1d58a53221a0e00ae086d5727f5e97a8

SHA1
425d12467917bb82dd3f67f43e0c7178b0993aa3

SHA256
3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

SHA512
8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll

MD5
791791c0e466eb0a6af462a265074c9d

SHA1
db4e66209bd211ddc0378c0f62e644eb466cde0e

SHA256
187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

SHA512
badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\men

MD5
a6448d8d59e1745612001ce13359bb30

SHA1
40715399ee65505ae77adf615cc8ea0921e44956

SHA256
2739158b312b0c2185c3481586d3e9498cf1f9440ad8144deae3ffad9a491e85

SHA512
3eb5cadf18f31c059cb3335c7a7e07eda947760d37b424c60ea296c05c57e285caed879773d9ab901eaab48e3732a58bb9acb627d26d79a7e32836cb1078acc7

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe

MD5
7c874ddc2e0689786d7635aa25326b4c

SHA1
f7654000b1d39b8f88d4b98159c54e124cbb00d6

SHA256
445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

SHA512
bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

Download Submit
C:\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe

MD5
7c874ddc2e0689786d7635aa25326b4c

SHA1
f7654000b1d39b8f88d4b98159c54e124cbb00d6

SHA256
445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

SHA512
bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3HO9F.tmp\OpenSea-App_v2.1-setup.tmp

MD5
1d58a53221a0e00ae086d5727f5e97a8

SHA1
425d12467917bb82dd3f67f43e0c7178b0993aa3

SHA256
3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

SHA512
8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

Download Submit
\Users\Admin\AppData\Local\Temp\is-KF4MU.tmp\OpenSea-App_v2.1-setup.tmp

MD5
1d58a53221a0e00ae086d5727f5e97a8

SHA1
425d12467917bb82dd3f67f43e0c7178b0993aa3

SHA256
3865953f354379ea7e66e28ae265915deffcda296048430027e0e6931ffa657d

SHA512
8afd7f6f114125d32a3724f0a0a51b9b7a7eae12f8844b59d74a61bde886055c7db5f043ed33263521adb0847f8523f1b2b183fd848b098c57d7ad328fe818e8

Download Submit
\Users\Admin\AppData\Roaming\Network UniConverter Management 13\JdbcOdbc.dll

MD5
791791c0e466eb0a6af462a265074c9d

SHA1
db4e66209bd211ddc0378c0f62e644eb466cde0e

SHA256
187d0a87805102aaacfdb0e18ea84a90af1540529e92430f84e3f46736383fc7

SHA512
badbe604c1e99b848dbb184a1d081560a31749a89573a4c6202abec1c6aa670ca248a0e5cd9330a7c3fc90193f3f95cde6a9d44c881568ca1a9b3b063da68566

Download Submit
\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe

MD5
7c874ddc2e0689786d7635aa25326b4c

SHA1
f7654000b1d39b8f88d4b98159c54e124cbb00d6

SHA256
445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

SHA512
bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

Download Submit
\Users\Admin\AppData\Roaming\Network UniConverter Management 13\uniconverter.exe

MD5
7c874ddc2e0689786d7635aa25326b4c

SHA1
f7654000b1d39b8f88d4b98159c54e124cbb00d6

SHA256
445c90f61dd0d7897475a7675d213b5d2819487f7bf665751fd4d352ba4a8752

SHA512
bd4a786a1b4f9fa552991e90ce0bfcb0951a01bbecd5c0b579c0b6804a978e4285695cbad48975979f9b8cdb56e2b28fb5d27a3aa21760aa9bd09c23fa2b64f3

Download Submit
memory/800-84-0x0000000000000000-mapping.dmp

Download
memory/840-77-0x0000000000000000-mapping.dmp

Download
memory/948-55-0x0000000076AA1000-0x0000000076AA3000-memory.dmp

Filesize
8KB

Download
memory/948-58-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/964-86-0x0000000000000000-mapping.dmp

Download
memory/1292-74-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1292-73-0x0000000074EA1000-0x0000000074EA3000-memory.dmp

Filesize
8KB

Download
memory/1292-69-0x0000000000000000-mapping.dmp

Download
memory/1412-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1412-60-0x0000000000000000-mapping.dmp

Download
memory/1684-72-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/1684-64-0x0000000000000000-mapping.dmp

Download