2d288f2cd6752a01360f2669959e2c61f676f8156d5cc40d4b415245ae04cf6d

Resubmissions

28-01-2022 12:16

220128-pflylaccar 10

22-01-2022 08:05

220122-jyv2bsaddr 10

Analysis

max time kernel
78s
max time network
121s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec149660a6808f711ca6cb6b20c1dda.exe
Size

658KB
MD5

3ec149660a6808f711ca6cb6b20c1dda
SHA1

45c3d1d8dd512c01fd6c897c67b35c13c49828cb
SHA256

2d288f2cd6752a01360f2669959e2c61f676f8156d5cc40d4b415245ae04cf6d
SHA512

3a15e7bfbabeb296001086453320a133dc242ef170ccf45d459d2a7f402fadfe3329099d79b368416d565ba0c16eb051b64fe7b756c21f822ab49ec483b5649d

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
suricata: ET MALWARE OneLouder EXE download possibly installing Zeus P2P
suricata
suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
suricata: ET MALWARE Probable OneLouder downloader (Zeus P2P) exe download
suricata
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Request M1
suricata
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1
suricata: ET MALWARE PurpleFox Backdoor/Rootkit Download Server Response M1
suricata

Executes dropped EXE 4 IoCs

pid	Process
2252	7zz.exe
796	ojbkcg.exe
1060	111.exe
1796	7z.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation	111.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\╧╘┐¿╟²╢».lnk	7z.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\╧╘┐¿╟²╢».lnk	7z.exe

Loads dropped DLL 2 IoCs

pid	Process
796	ojbkcg.exe
1796	7z.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	ojbkcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	111.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	3ec149660a6808f711ca6cb6b20c1dda.exe
2648	3ec149660a6808f711ca6cb6b20c1dda.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1796	7z.exe
Token: 35	1796	7z.exe
Token: SeSecurityPrivilege	1796	7z.exe
Token: SeSecurityPrivilege	1796	7z.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1060	111.exe
1060	111.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2252	2648	3ec149660a6808f711ca6cb6b20c1dda.exe	68
PID 2648 wrote to memory of 2252	2648	3ec149660a6808f711ca6cb6b20c1dda.exe	68
PID 2648 wrote to memory of 2252	2648	3ec149660a6808f711ca6cb6b20c1dda.exe	68
PID 2648 wrote to memory of 796	2648	3ec149660a6808f711ca6cb6b20c1dda.exe	71
PID 2648 wrote to memory of 796	2648	3ec149660a6808f711ca6cb6b20c1dda.exe	71
PID 1060 wrote to memory of 1796	1060	111.exe	75
PID 1060 wrote to memory of 1796	1060	111.exe	75
PID 1060 wrote to memory of 1796	1060	111.exe	75

C:\Users\Admin\AppData\Local\Temp\3ec149660a6808f711ca6cb6b20c1dda.exe
"C:\Users\Admin\AppData\Local\Temp\3ec149660a6808f711ca6cb6b20c1dda.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Public\Videos\1643631386\7zz.exe
  "C:\Users\Public\Videos\1643631386\7zz.exe" X -ep2 C:\Users\Public\Videos\1643631386\1.rar C:\Users\Public\Videos\1643631386
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Users\Public\Videos\1643631386\ojbkcg.exe
  "C:\Users\Public\Videos\1643631386\ojbkcg.exe" -a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3744

C:\Users\Public\Documents\auto\111.exe
"C:\Users\Public\Documents\auto\111.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060
- C:\ProgramData\7z.exe
  "C:\ProgramData\7z.exe" x C:\ProgramData\bb.zip -oC:\Users\Admin\AppData\Roaming\Microsoft\Windows
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-193-0x0000000002AE0000-0x0000000003355000-memory.dmp

Filesize
8.5MB

Download
memory/796-188-0x0000000180000000-0x00000001808AB000-memory.dmp

Filesize
8.7MB

Download