Analysis
-
max time kernel
187s -
max time network
212s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
06-12-2022 03:34
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
Resource
win7-20221111-en
General
-
Target
SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
-
Size
422KB
-
MD5
2671db3cba1e1848ec04b0dfb326fea8
-
SHA1
e78905b037becf55e0049aa3247f1bcecc379cd3
-
SHA256
93887029eda377fa78729cbf1c96c582c029a828a8f721b731d5ecdda7555fec
-
SHA512
7023a6be740c4e3ee0a1e3c12df743976130a20ab7a0cafed1f88fd5ff623587ca31a2317d727ec1c2f89adb33aa7f4c54567323a7d3b6f878124256e3baf908
-
SSDEEP
6144:qBnmeG0xkz6C2U/2aqg9JBP/W5/tuzQxgJhyESBNoliLAmtESJwx6rbs8S:OGlaKpW5/tuxJhyfB6iLA8ac/S
Malware Config
Extracted
formbook
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
760  opwovm.exe
1112 opwovm.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation
process: opwovm.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid  process
1220 SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
760  opwovm.exe
1192 systray.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\satytuyqndhqqq = "C:\\Users\\Admin\\AppData\\Roaming\\pugcbmf\\wnrbbehkxrwbgu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\opwovm.exe\" C:\\Users\\Admin\\AppData\\Lo"
process: opwovm.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid  process      target process
PID 760 set thread context of 1112   760  opwovm.exe   opwovm.exe
PID 1112 set thread context of 1296  1112 opwovm.exe   Explorer.EXE
PID 1192 set thread context of 1296  1192 systray.exe  Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description: Key created
ioc: \Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
process: systray.exe
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
pid  process      hits
1112 opwovm.exe   4
1192 systray.exe  24
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
1296 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid  process      hits
760  opwovm.exe   1
1112 opwovm.exe   3
1192 systray.exe  4
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                 pid  process
Token: SeDebugPrivilege     1112 opwovm.exe
Token: SeDebugPrivilege     1192 systray.exe
Token: SeShutdownPrivilege  1296 Explorer.EXE
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  process      hits
1296 Explorer.EXE 2
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid  process      hits
1296 Explorer.EXE 2
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                       pid  process                                                     target process    hits
PID 1220 wrote to memory of 760   1220 SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe  opwovm.exe        4
PID 760 wrote to memory of 1112   760  opwovm.exe                                                  opwovm.exe        5
PID 1296 wrote to memory of 1192  1296 Explorer.EXE                                                systray.exe       4
PID 1192 wrote to memory of 948   1192 systray.exe                                                 Firefox.exe       5
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
[2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
[3] C:\Users\Admin\AppData\Local\Temp\opwovm.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\opwovm.exe" C:\Users\Admin\AppData\Local\Temp\jzacvyuruta.yv
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
[4] C:\Users\Admin\AppData\Local\Temp\opwovm.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\opwovm.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
[2] C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[3] C:\Program Files\Mozilla Firefox\Firefox.exe
    command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jzacvyuruta.yv
Filesize 7KB
MD5 9a98bcbaeadc635d0612286a89c766a9
SHA1 05293ad929c73cde605a08682691613a8b05c4b0
SHA256 1e740c732eeb938a59122b1b15e3ec15d56ac5b2a6462f1662c8b98465243181
SHA512 fd62d37d09907bd390257da69a36117a305f56bf94e74dc9063924c0f30f21aedcf66f066f3824b3ee34c53637206d4a286eb81ccafdbeea079525b9941ec2cb
-
C:\Users\Admin\AppData\Local\Temp\opwovm.exe
Filesize 12KB
MD5 6e53ec51f109b4b2f96df15d9f57b63c
SHA1 8c5d9586542abf5ff996a1e29dd079197c85483e
SHA256 6814d2488b5dfe90c8985bf2b482655457cc44b24d58c4094e5d69a42edc8c0e
SHA512 98777876611029169268b9de5cac66f33cc09d039d5f2825e0887749a0dd01107491e9d81e5185b6105f4e75e9aec0942ed3bffe27a375ac2a11530c10abdeca
-
C:\Users\Admin\AppData\Local\Temp\sjxwsz.gz
Filesize 185KB
MD5 6d5c5d1fb0c5217ddaf28db7ae4e5a91
SHA1 2c911a84e92136f2f37ca979198b4b5ac1f3f2d7
SHA256 3c483f7dfd417a90a73fb0305e3dedd0e5a91bdb2b17c8209308e4d90c2ab1ba
SHA512 5e8084ab7c9001823878a8099dcbb37df11419c31b3c4200a020c46a0354226d4c31d3a247c0bfcef02c5a1b284527e86b87eaba5918e1fafa02a11f424dfc48
-
\Users\Admin\AppData\Local\Temp\opwovm.exe
Filesize 12KB
MD5 6e53ec51f109b4b2f96df15d9f57b63c
SHA1 8c5d9586542abf5ff996a1e29dd079197c85483e
SHA256 6814d2488b5dfe90c8985bf2b482655457cc44b24d58c4094e5d69a42edc8c0e
SHA512 98777876611029169268b9de5cac66f33cc09d039d5f2825e0887749a0dd01107491e9d81e5185b6105f4e75e9aec0942ed3bffe27a375ac2a11530c10abdeca
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize 904KB
MD5 5e5ba61531d74e45b11cadb79e7394a1
SHA1 677224e14aac9dd35f367d5eb1704b36e69356b8
SHA256 99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c
SHA512 712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46
-
memory/760-56-0x0000000000000000-mapping.dmp
-
memory/1112-67-0x0000000000A60000-0x0000000000D63000-memory.dmp
Filesize 3.0MB
-
memory/1112-65-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize 188KB
-
memory/1112-66-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize 184KB
-
memory/1112-63-0x00000000004012B0-mapping.dmp
-
memory/1112-69-0x0000000000120000-0x0000000000130000-memory.dmp
Filesize 64KB
-
memory/1112-68-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize 8KB
-
memory/1192-71-0x0000000000000000-mapping.dmp
-
memory/1192-72-0x0000000000DE0000-0x0000000000DE5000-memory.dmp
Filesize 20KB
-
memory/1192-73-0x00000000000C0000-0x00000000000ED000-memory.dmp
Filesize 180KB
-
memory/1192-74-0x00000000021F0000-0x00000000024F3000-memory.dmp
Filesize 3.0MB
-
memory/1192-75-0x00000000008E0000-0x000000000096F000-memory.dmp
Filesize 572KB
-
memory/1192-77-0x00000000000C0000-0x00000000000ED000-memory.dmp
Filesize 180KB
-
memory/1220-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp
Filesize 8KB
-
memory/1296-70-0x0000000007190000-0x0000000007336000-memory.dmp
Filesize 1.6MB
-
memory/1296-76-0x0000000006540000-0x0000000006688000-memory.dmp
Filesize 1.3MB
-
memory/1296-78-0x0000000006540000-0x0000000006688000-memory.dmp
Filesize 1.3MB