Analysis

  • max time kernel
    134s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/10/2022, 07:45

General

  • Target

    55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe

  • Size

    2.3MB

  • MD5

    692213b2c7610cdb5656fb1f138e181e

  • SHA1

    1581c44c08e239417d1904a4b706fa2a7a742f71

  • SHA256

    55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b

  • SHA512

    55705633ef5c769b0618dc20f2d716535846e00d71ea7f727f079969353410561a4b85f6f5eca0be8a36eeb02b71a931c56fcd1d0c4b64658ad69912f417d9ff

  • SSDEEP

    49152:OBrlCNnO0x9qk4QLH2mUrQOyH6A1retpOls:OBBoOa9UKWm0262y

Malware Config

Signatures

  • UAC bypass 3 TTPs 6 IoCs
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Blocks application from running via registry modification 18 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 5 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 36 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe
    "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe
      "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe" "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe"
      2⤵
      • UAC bypass
      • Enumerates VirtualBox registry keys
      • Blocks application from running via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:944
      • C:\Windows\SysWOW64\Wbem\mofcomp.exe
        mofcomp "C:\Users\Admin\AppData\Local\Temp\7871.mof"
        3⤵
        PID:1272
      • C:\Windows\SysWOW64\netsh.exe
        netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe" "System Smart Security" ENABLE
        3⤵
        PID:1072
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 8.8.8.8
        3⤵
        PID:1940
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 8.8.8.8
        3⤵
        PID:2008
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 208.67.222.222
        3⤵
        PID:972
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 208.67.222.222
        3⤵
        PID:1012
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 8.8.4.4
        3⤵
        PID:1676
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 8.8.4.4
        3⤵
        PID:1980
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 208.67.220.220
        3⤵
        PID:1620
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 208.67.220.220
        3⤵
        PID:1708
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 8.8.8.8
        3⤵
        PID:1524
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 8.8.8.8
        3⤵
        PID:1876
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 208.67.222.222
        3⤵
        PID:1116
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 208.67.222.222
        3⤵
        PID:1824
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 8.8.4.4
        3⤵
        PID:1392
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 8.8.4.4
        3⤵
        PID:1320
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 208.67.220.220
        3⤵
        PID:1724
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 208.67.220.220
        3⤵
        PID:1952
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 8.8.8.8
        3⤵
        PID:1364
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 8.8.8.8
        3⤵
        PID:900
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 208.67.222.222
        3⤵
        PID:680
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 208.67.222.222
        3⤵
        PID:1060
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 8.8.4.4
        3⤵
        PID:1592
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 8.8.4.4
        3⤵
        PID:1548
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 208.67.220.220
        3⤵
        PID:2008
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 208.67.220.220
        3⤵
        PID:1820

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7871.mof
    Filesize
    340B
    MD5
    5f7e430172b9f017406d3f63480893c3
    SHA1
    9371b41f2b9a0e83ae3177afcd6ddda91ed148ec
    SHA256
    9813b3cc6a02db9dec3ae3d650d819a70ed54f388e66e5fdf336dfd2ea78328d
    SHA512
    fe56c58fae7be1f5cf350284c0ce06a97d7c624a25523e0139914367e71434a947273b5f0b630e0f1882bb6efac6c574f6347a233afa81663bad44bee2290b45

  • \ProgramData\7e910\SS7c2.exe
    Filesize
    2.3MB
    MD5
    692213b2c7610cdb5656fb1f138e181e
    SHA1
    1581c44c08e239417d1904a4b706fa2a7a742f71
    SHA256
    55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b
    SHA512
    55705633ef5c769b0618dc20f2d716535846e00d71ea7f727f079969353410561a4b85f6f5eca0be8a36eeb02b71a931c56fcd1d0c4b64658ad69912f417d9ff

  • memory/944-59-0x0000000074E41000-0x0000000074E43000-memory.dmp
    Filesize
    8KB

  • memory/944-60-0x0000000013140000-0x000000001372E000-memory.dmp
    Filesize
    5.9MB

  • memory/944-61-0x0000000013140000-0x000000001372E000-memory.dmp
    Filesize
    5.9MB

  • memory/944-62-0x0000000013140000-0x000000001372E000-memory.dmp
    Filesize
    5.9MB

  • memory/944-56-0x0000000013140000-0x000000001372E000-memory.dmp
    Filesize
    5.9MB

  • memory/944-63-0x0000000013140000-0x000000001372E000-memory.dmp
    Filesize
    5.9MB

  • memory/944-96-0x0000000013140000-0x000000001372E000-memory.dmp
    Filesize
    5.9MB

  • memory/944-54-0x0000000013140000-0x000000001372E000-memory.dmp
    Filesize
    5.9MB