Analysis
- max time kernel: 301s
- max time network: 284s
- platform: windows10_x64
- resource: win10-en-20210920 (the behavioral6 environment; the signatures and process tree below come from this run)
- submitted: 21-10-2021 12:43

Tasks
- static1: static task
- behavioral1: OQfFxsl.exe on win7-ja-20210920
- behavioral2: OQfFxsl.exe on win7-en-20211014
- behavioral3: OQfFxsl.exe on win7-de-20210920
- behavioral4: OQfFxsl.exe on win11
- behavioral5: OQfFxsl.exe on win10-ja-20211014
- behavioral6: OQfFxsl.exe on win10-en-20210920
- behavioral7: OQfFxsl.exe on win10-de-20211014
General
- Target: OQfFxsl.exe
- Size: 1.6MB
- MD5: 44150395748c027ef5f8eed812f620b0
- SHA1: 0d26c44e5e93a08da7504344498d3275ca11653e
- SHA256: 144525451ace8e714f95f6235f310b6959871e559e11f33f3164006a02832a7f
- SHA512: 5ba96935ebacd7c4e377c3171d411e7383132eed1c087ef66c3fe1a54987f826ac9221a1f43f4cc6627d184f7621dca6858b84ae692bde127bdf9d3a7bc04a4c
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  PID 1408  Nascondere.exe.com
  PID 2276  Nascondere.exe.com
  PID 972   RegAsm.exe
- Drops startup file (1 IoC)
  File created by Nascondere.exe.com: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LMDUbsNmfa.url
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by OQfFxsl.exe: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str) by OQfFxsl.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Caveat: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 is the stock entry written by the Windows self-extracting cabinet stub (wextract, as built by IExpress) so that its IXP000.TMP extraction directory is deleted at the next logon. It tells you OQfFxsl.exe is an SFX wrapper; it does not start the payload. The persistence artifact in this run is the Startup .url file listed above.
- Suspicious use of SetThreadContext (1 IoC)
  PID 2276 (Nascondere.exe.com) set the thread context of PID 972 (RegAsm.exe). Together with the five WriteProcessMemory calls from 2276 into 972 listed below, this is the pattern of code being written into the dropped RegAsm.exe and executed there; the later EnumeratesProcesses and SeDebugPrivilege activity is attributed to that process.
- Runs ping.exe (1 TTPs, 1 IoC)
  PID 964 PING.EXE, "ping localhost" (see the process tree below).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 972 RegAsm.exe, 64 occurrences.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 972 RegAsm.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (26 IoCs)
  source process             target process              occurrences
  2592 OQfFxsl.exe           2940 dllhost.exe            3
  2592 OQfFxsl.exe           3264 cmd.exe                3
  3264 cmd.exe               1268 cmd.exe                3
  1268 cmd.exe               1100 findstr.exe            3
  1268 cmd.exe               1408 Nascondere.exe.com     3
  1268 cmd.exe               964  PING.EXE               3
  1408 Nascondere.exe.com    2276 Nascondere.exe.com     3
  2276 Nascondere.exe.com    972  RegAsm.exe             5
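The signatures above are individually weak (administrators run findstr /V, installers run out of %TEMP%, ping localhost is in many batch files); what makes this run recognisable is the chain. The following is an added example, not part of the sandbox report, that turns the chain into detection logic over process-creation events. The events are constructed to mirror the PIDs and command lines in this report (the parent PIDs 1000 and 4000, and the two benign control events at the end, are made up), and the rule names are this example's own.

```python
import re
import ntpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path of the new process
    cmdline: str   # command line as logged


# Constructed process-creation events modelled on the PIDs and command lines in the report
# above; this is not an export from the sandbox. Parent PIDs 1000/4000 and the last two
# (benign) events are made up as controls.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
IXP = TMP + r"\IXP000.TMP"
EVENTS = [
    ProcEvent(2592, 1000, TMP + r"\OQfFxsl.exe", '"' + TMP + r'\OQfFxsl.exe"'),
    ProcEvent(2940, 2592, r"C:\Windows\SysWOW64\dllhost.exe", "dllhost.exe"),
    ProcEvent(3264, 2592, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Starne.mid"),
    ProcEvent(1268, 3264, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(1100, 1268, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V /R "^kXhUbWhdyiSzQwKWBBZJjppRDRvuTjJfOgrsoBnWshULiZzcvfBNflRwOcsFmuvSnDFCYzOqeeaZfbKDnwKEL$" Sorte.mid'),
    ProcEvent(1408, 1268, IXP + r"\Nascondere.exe.com", "Nascondere.exe.com W"),
    ProcEvent(964, 1268, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost"),
    ProcEvent(2276, 1408, IXP + r"\Nascondere.exe.com", IXP + r"\Nascondere.exe.com W"),
    ProcEvent(972, 2276, IXP + r"\RegAsm.exe", IXP + r"\RegAsm.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\findstr.exe", 'findstr /V /R "^#" config.txt'),
    ProcEvent(4101, 4000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe MyLib.dll"),
]

SCRIPT_EXT = {".bat", ".cmd"}
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
STDIN_REDIRECT = re.compile(r'<\s*"?([^\s"]+)')
# findstr /V /R "^<long alphanumeric marker>$": only the marker line is being removed
MARKER_CARVE = re.compile(r'/V\s+/R\s+"\^[A-Za-z0-9]{20,}\$"', re.IGNORECASE)
WEXTRACT_DIR = re.compile(r"\\IXP\d{3}\.TMP\\", re.IGNORECASE)


def rules_for(ev):
    """Names of the single-event rules that match this process creation."""
    hits = set()
    base = ntpath.basename(ev.image).lower()
    if base == "cmd.exe":
        m = STDIN_REDIRECT.search(ev.cmdline)
        if m and ntpath.splitext(m.group(1))[1].lower() not in SCRIPT_EXT:
            hits.add("cmd_stdin_from_non_script")        # cmd < Starne.mid
    if base == "findstr.exe" and MARKER_CARVE.search(ev.cmdline):
        hits.add("findstr_marker_carve")                 # strips a marker line out of a carrier file
    if base.endswith((".exe.com", ".exe.scr", ".exe.pif")):
        hits.add("double_extension_image")               # Nascondere.exe.com
    if WEXTRACT_DIR.search(ev.image):
        hits.add("runs_from_wextract_tmp")               # anything executing out of IXP000.TMP
    if base in DOTNET_LOLBINS and "\\microsoft.net\\" not in ev.image.lower():
        hits.add("dotnet_lolbin_outside_framework_dir")  # a dropped copy of RegAsm.exe
    if base == "ping.exe" and re.search(r"localhost|127\.0\.0\.1", ev.cmdline, re.IGNORECASE):
        hits.add("ping_loopback_delay")                  # batch-script sleep substitute
    return hits


def root_of(pid, parent_of):
    """Top-most ancestor of pid among the logged events."""
    while pid in parent_of and parent_of[pid] in parent_of:
        pid = parent_of[pid]
    return pid


def scan(events):
    """Group every rule hit by the root of its process tree: {root_pid: {rule: [pids]}}."""
    parent_of = {e.pid: e.ppid for e in events}
    findings = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for rule in rules_for(ev):
            findings[root_of(ev.pid, parent_of)][rule].append(ev.pid)
    return {root: dict(rules) for root, rules in findings.items()}


def verdict(events, threshold=3):
    """Process trees in which at least `threshold` distinct rules fired. Each rule on its own is
    noisy; the combination inside one tree is what is unusual."""
    return {root: sorted(rules) for root, rules in scan(events).items() if len(rules) >= threshold}


if __name__ == "__main__":
    for root, rules in verdict(EVENTS).items():
        print(f"root PID {root}: {', '.join(rules)}")
```

Correlating by process-tree root rather than alerting per event is the point: the benign findstr /V and the legitimate RegAsm.exe under Microsoft.NET never reach the threshold, while the OQfFxsl.exe tree trips six rules. Tune `threshold` and the marker length against your own telemetry before deploying.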
Processes
- C:\Users\Admin\AppData\Local\Temp\OQfFxsl.exe  (PID 2592)
  "C:\Users\Admin\AppData\Local\Temp\OQfFxsl.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe  (PID 2940)
    dllhost.exe
  - C:\Windows\SysWOW64\cmd.exe  (PID 3264)
    cmd /c cmd < Starne.mid
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (PID 1268)
      cmd
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe  (PID 1100)
        findstr /V /R "^kXhUbWhdyiSzQwKWBBZJjppRDRvuTjJfOgrsoBnWshULiZzcvfBNflRwOcsFmuvSnDFCYzOqeeaZfbKDnwKEL$" Sorte.mid
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com  (PID 1408)
        Nascondere.exe.com W
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com  (PID 2276)
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com W
          - Executes dropped EXE
          - Drops startup file
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe  (PID 972)
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE  (PID 964)
        ping localhost
        - Runs ping.exe

Reading the tree (PIDs taken from the WriteProcessMemory records above): OQfFxsl.exe unpacks to IXP000.TMP and registers the wextract cleanup entry, i.e. it is a self-extracting cabinet. It then runs cmd with the batch script fed on standard input from Starne.mid, so the script never carries a .bat or .cmd extension. The script runs findstr /V to drop the marker line(s) from Sorte.mid; the sandbox does not log the output redirection, but the dropped Nascondere.exe.com that runs next is presumably the filtered result, since it is the only new executable. Nascondere.exe.com is started with W as its argument (by hash, W is a copy of Ambo.mid), re-launches itself, and the second instance writes into and sets the thread context of the dropped RegAsm.exe; the process enumeration and SeDebugPrivilege activity attributed to RegAsm.exe is therefore the injected payload's, not RegAsm's. "ping localhost" is a common substitute for sleep in batch droppers.
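If you have Starne.mid and Sorte.mid but not the dropped executable, the findstr step can be replayed offline. The following is an added example, not part of the sandbox report: it parses the findstr /V /R line out of the batch script, emulates the filter on the carrier file, and compares the result against the SHA256 the report lists for Nascondere.exe.com. The batch text and carrier bytes below are constructed stand-ins (the marker is the real one from the command line above; the output redirection to Nascondere.exe.com is assumed, because the sandbox does not capture it), so the hash comparison is expected to fail on them.

```python
import hashlib
import re

# SHA256 of the dropped Nascondere.exe.com as listed under Downloads in the report.
REPORTED_SHA256 = "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d"

# The findstr line as it appears in the batch script: findstr /V /R "^<marker>$" <carrier>
CARVE_CMD = re.compile(r'findstr\s+/V\s+/R\s+"\^(?P<marker>[^"$]+)\$"\s+(?P<carrier>\S+)',
                       re.IGNORECASE)


def parse_carve_command(batch_text):
    """Return (marker, carrier filename) from the first findstr /V /R line in the script."""
    m = CARVE_CMD.search(batch_text)
    if not m:
        raise ValueError("no findstr /V /R carve command in script")
    return m.group("marker"), m.group("carrier")


def carve(carrier, marker):
    """Emulate `findstr /V /R "^marker$"` on a byte string: drop every line that consists solely
    of the marker and keep all other bytes, including line terminators, unchanged. The marker in
    this sample is plain letters, so an exact line comparison is equivalent to findstr's regex."""
    wanted = marker.encode()
    kept = []
    for line in carrier.split(b"\n"):
        body = line[:-1] if line.endswith(b"\r") else line   # findstr tolerates CRLF
        if body != wanted:
            kept.append(line)
    return b"\n".join(kept)


def recover(batch_text, files):
    """Drive the carve from the script: returns (carrier name, recovered payload bytes)."""
    marker, carrier = parse_carve_command(batch_text)
    return carrier, carve(files[carrier], marker)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data):
    """Cheap plausibility check before bothering with the hash comparison."""
    return len(data) > 0x40 and data[:2] == b"MZ"


# Constructed stand-ins, not the real Starne.mid / Sorte.mid from the report: the batch text
# reuses the marker from the report's findstr line (the redirection to Nascondere.exe.com is an
# assumption); the carrier is a fake MZ blob with marker lines inserted at line boundaries.
MARKER = "kXhUbWhdyiSzQwKWBBZJjppRDRvuTjJfOgrsoBnWshULiZzcvfBNflRwOcsFmuvSnDFCYzOqeeaZfbKDnwKEL"
STARNE_MID = ("@echo off\r\n"
              'findstr /V /R "^' + MARKER + '$" Sorte.mid > Nascondere.exe.com\r\n'
              "start Nascondere.exe.com W\r\n"
              "ping localhost\r\n")
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256)) * 4
_pe_lines = FAKE_PE.split(b"\n")            # the blob itself contains 0x0A bytes
SORTE_MID = (MARKER.encode() + b"\r\n" + _pe_lines[0] + b"\n"
             + MARKER.encode() + b"\r\n" + b"\n".join(_pe_lines[1:]))
FILES = {"Sorte.mid": SORTE_MID}


if __name__ == "__main__":
    name, payload = recover(STARNE_MID, FILES)
    print(name, len(payload), looks_like_pe(payload), sha256(payload) == REPORTED_SHA256)
```

On real files, call `recover` with the text of Starne.mid and `{"Sorte.mid": <bytes>}` and check `sha256(payload) == REPORTED_SHA256`. findstr is a text tool and its handling of binary input is not guaranteed byte-for-byte, so a mismatch means the emulation and the real filter diverged; in that case use the Nascondere.exe.com the sandbox already dropped rather than trusting the carve.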
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ambo.mid
  MD5: e44fd575c6528190adc21c41297c7f0f
  SHA1: 4a834789bb3ddeea37cd30861a4c0bb639eeafed
  SHA256: 9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547
  SHA512: 443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ami.mid
  MD5: c2a501f010bf7b1c7a9777c3b93e19ef
  SHA1: d00adfeb88b435786f32cf7f45c1aae141690600
  SHA256: 312d9b0380e5d8fd0bbee92b5d7f22a09b9278cbd7457777a08e2df5a859aff9
  SHA512: 2850ad61312adc4d059e62c7dfaebabaa74ac280773e24920b746a56884d8c490b1d5c6637d56c966ca284a9cd515330d38faff55cfe77a1bd11f54f2c82f6fd
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nascondere.exe.com (listed three times in the report, identical hashes each time)
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe (listed twice, identical hashes; a copy carried inside the SFX and run from the temp directory, not the one under the .NET Framework directory)
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorte.mid
  MD5: ca6c6b8893411108280a0daf1a4d7d61
  SHA1: b791c3cdec5711baafa7be643d2d9a0a10ae0835
  SHA256: 61b5e21e9798a8bf59a1c2e284d78d86706b4dc9bd6bef46bce54af95886bb46
  SHA512: c0f8c6e6c08a96d6bc9b77af1f300d45b011faa606c85b6220b89d890692d200230c16a206fa6c94a5f9e1568eb10181199a0d6b80b94f80706a5cd00f4fdbcf
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Starne.mid
  MD5: 603011f56db8309b2d5c4ea0a1c57a47
  SHA1: 91ffdd8dbc6c5935c954f2764bec480ae32a1432
  SHA256: 5e4c34d70260f9bc2ce9f44b8fdef503667493f8d7c9d13b659da3b270a053f0
  SHA512: b1d53112fb89fc755e3933e88bcabd1ce2a2aa0032c948530769d96d06ca066d106fcdf2127348e618c7aac8b24b21ddbbdbdfd5113a641dbcd2da217d9ebdbe
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W (byte-identical to Ambo.mid: all four hashes match; this is the file passed as the argument to Nascondere.exe.com)
  MD5: e44fd575c6528190adc21c41297c7f0f
  SHA1: 4a834789bb3ddeea37cd30861a4c0bb639eeafed
  SHA256: 9ae0b37e4b26a6684eed731f3c3958e3661a3da9a89759825b97efebfe183547
  SHA512: 443f8aff20c51f236b16eba5dbe3890d157f85909ab36b1d084142836a343e6acb97e752d18819bec62e1458a038d9b24c609602dc3cbef87d959e597e0af19f
Memory dumps (PID-index, address range, size):
- memory/964-124-0x0000000000000000-mapping.dmp
- memory/972-131-0x0000000001310000-0x00000000013C2000-memory.dmp, 712KB. The only dump in PID 972 larger than one page; given the WriteProcessMemory and SetThreadContext from 2276 into 972, this is the region to pull first when looking for the injected code.
- memory/972-137-0x0000000005D40000-0x0000000005D41000-memory.dmp, 4KB
- memory/972-138-0x00000000058E0000-0x00000000058E1000-memory.dmp, 4KB
- memory/972-139-0x0000000005840000-0x0000000005841000-memory.dmp, 4KB
- memory/972-140-0x00000000059F0000-0x00000000059F1000-memory.dmp, 4KB
- memory/972-141-0x0000000005820000-0x0000000005821000-memory.dmp, 4KB
- memory/972-142-0x0000000006710000-0x0000000006711000-memory.dmp, 4KB
- memory/972-143-0x00000000065F0000-0x00000000065F1000-memory.dmp, 4KB
- memory/972-144-0x0000000006670000-0x0000000006671000-memory.dmp, 4KB
- memory/972-145-0x0000000006B20000-0x0000000006B21000-memory.dmp, 4KB
- memory/1100-119-0x0000000000000000-mapping.dmp
- memory/1268-118-0x0000000000000000-mapping.dmp
- memory/1408-122-0x0000000000000000-mapping.dmp
- memory/2276-126-0x0000000000000000-mapping.dmp
- memory/2276-130-0x0000000000EB0000-0x0000000000EB1000-memory.dmp, 4KB
- memory/2940-115-0x0000000000000000-mapping.dmp
- memory/3264-116-0x0000000000000000-mapping.dmp