Resubmissions
25-11-2022 11:39: 221125-nslmxseb32 8
Analysis
max time kernel: 108s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 11:39
Behavioral task: behavioral1
Sample: eOWDJmB3Qt.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: eOWDJmB3Qt.exe
Resource: win10v2004-20220901-en
General
Target: eOWDJmB3Qt.exe
Size: 3.4MB
MD5: a198d2e7ddac7c3d381da9b2e5446142
SHA1: 61aff012de5ac9eb5247f182320b1df434a22c93
SHA256: f432910b309b296e4cf2e662092657060f0e24222ccf1239a67c69b9db8daf68
SHA512: 6e661c2c46ea0f57dc0dafe0e01bc32258d740d9938bec27b7558ae020ff51cdfd41351df52b06da86f25dc59c318fa37660b7da51ad34dd69b0f8bcbcb6b44a
SSDEEP: 98304:ZBvIB2CVEqzsJGwUv6Fvx6KW2wBBJIdnjjgI8D:ZekJGwUi1WMjjW
Malware Config
Signatures
-
Sets service image path in registry (2 TTPs, 1 IoC)
Processes: eOWDJmB3Qt.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qUeSUfsbYwSpEUecdPw\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\VEaqWtfGPBuyfAMrSwU" | eOWDJmB3Qt.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2128-132-0x0000000000400000-0x0000000000B45000-memory.dmp | vmprotect
behavioral2/memory/2128-136-0x0000000000400000-0x0000000000B45000-memory.dmp | vmprotect
behavioral2/memory/2128-137-0x0000000000400000-0x0000000000B45000-memory.dmp | vmprotect
-
Loads dropped DLL (1 IoC)
Processes: eOWDJmB3Qt.exe
pid | process
2128 | eOWDJmB3Qt.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: eOWDJmB3Qt.exe
pid | process
2128 | eOWDJmB3Qt.exe
2128 | eOWDJmB3Qt.exe
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: eOWDJmB3Qt.exe
pid | process
2128 | eOWDJmB3Qt.exe (64 identical entries)
-
Suspicious behavior: LoadsDriver (1 IoC)
Processes: eOWDJmB3Qt.exe
pid | process
2128 | eOWDJmB3Qt.exe
-
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes: eOWDJmB3Qt.exe, taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 2128 | eOWDJmB3Qt.exe
Token: SeLoadDriverPrivilege | 2128 | eOWDJmB3Qt.exe
Token: SeDebugPrivilege | 2100 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2100 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2100 | taskmgr.exe
Token: 33 | 2100 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2100 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow (38 IoCs)
Processes: taskmgr.exe
pid | process
2100 | taskmgr.exe (38 identical entries)
-
Suspicious use of SendNotifyMessage (38 IoCs)
Processes: taskmgr.exe
pid | process
2100 | taskmgr.exe (38 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\eOWDJmB3Qt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\eOWDJmB3Qt.exe"
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\VEaqWtfGPBuyfAMrSwU
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte file, so the dropped service image was empty when the sandbox captured it.)
-
memory/2128-132-0x0000000000400000-0x0000000000B45000-memory.dmp
Filesize: 7.3MB
-
memory/2128-136-0x0000000000400000-0x0000000000B45000-memory.dmp
Filesize: 7.3MB
-
memory/2128-137-0x0000000000400000-0x0000000000B45000-memory.dmp
Filesize: 7.3MB