Analysis
-
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 03:34
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
Resource: win7-20221111-en
General
-
Target: SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
Size: 422KB
MD5: 2671db3cba1e1848ec04b0dfb326fea8
SHA1: e78905b037becf55e0049aa3247f1bcecc379cd3
SHA256: 93887029eda377fa78729cbf1c96c582c029a828a8f721b731d5ecdda7555fec
SHA512: 7023a6be740c4e3ee0a1e3c12df743976130a20ab7a0cafed1f88fd5ff623587ca31a2317d727ec1c2f89adb33aa7f4c54567323a7d3b6f878124256e3baf908
SSDEEP: 6144:qBnmeG0xkz6C2U/2aqg9JBP/W5/tuzQxgJhyESBNoliLAmtESJwx6rbs8S:OGlaKpW5/tuxJhyfB6iLA8ac/S
Malware Config
Extracted
formbook
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Extracted
xloader
3.Æ…
m9ae
nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
spirituallyzen.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2784  opwovm.exe
4340  opwovm.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
process: opwovm.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\satytuyqndhqqq = "C:\\Users\\Admin\\AppData\\Roaming\\pugcbmf\\wnrbbehkxrwbgu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\opwovm.exe\" C:\\Users\\Admin\\AppData\\Lo"
process: opwovm.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
pid   process     target pid  target process
2784  opwovm.exe  4340        opwovm.exe
4340  opwovm.exe  3048        Explorer.EXE
5056  msdt.exe    3048        Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description: Key created
ioc: \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
process: msdt.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
pid   process     entries
4340  opwovm.exe  8
5056  msdt.exe    50
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3048  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid   process     entries
2784  opwovm.exe  1
4340  opwovm.exe  3
5056  msdt.exe    4
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   4340  opwovm.exe
Token: SeDebugPrivilege   5056  msdt.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
pid   process                                                     target pid  target process  entries
3108  SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe  2784        opwovm.exe      3
2784  opwovm.exe                                                 4340        opwovm.exe      4
3048  Explorer.EXE                                               5056        msdt.exe        3
5056  msdt.exe                                                   3132        Firefox.exe     3
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\opwovm.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\opwovm.exe" C:\Users\Admin\AppData\Local\Temp\jzacvyuruta.yv
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Local\Temp\opwovm.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\opwovm.exe"
                - Executes dropped EXE
                - Checks computer location settings
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\msdt.exe
        command line: "C:\Windows\SysWOW64\msdt.exe"
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\jzacvyuruta.yv
Filesize: 7KB
MD5: 9a98bcbaeadc635d0612286a89c766a9
SHA1: 05293ad929c73cde605a08682691613a8b05c4b0
SHA256: 1e740c732eeb938a59122b1b15e3ec15d56ac5b2a6462f1662c8b98465243181
SHA512: fd62d37d09907bd390257da69a36117a305f56bf94e74dc9063924c0f30f21aedcf66f066f3824b3ee34c53637206d4a286eb81ccafdbeea079525b9941ec2cb
-
C:\Users\Admin\AppData\Local\Temp\opwovm.exe
Filesize: 12KB
MD5: 6e53ec51f109b4b2f96df15d9f57b63c
SHA1: 8c5d9586542abf5ff996a1e29dd079197c85483e
SHA256: 6814d2488b5dfe90c8985bf2b482655457cc44b24d58c4094e5d69a42edc8c0e
SHA512: 98777876611029169268b9de5cac66f33cc09d039d5f2825e0887749a0dd01107491e9d81e5185b6105f4e75e9aec0942ed3bffe27a375ac2a11530c10abdeca
-
C:\Users\Admin\AppData\Local\Temp\sjxwsz.gz
Filesize: 185KB
MD5: 6d5c5d1fb0c5217ddaf28db7ae4e5a91
SHA1: 2c911a84e92136f2f37ca979198b4b5ac1f3f2d7
SHA256: 3c483f7dfd417a90a73fb0305e3dedd0e5a91bdb2b17c8209308e4d90c2ab1ba
SHA512: 5e8084ab7c9001823878a8099dcbb37df11419c31b3c4200a020c46a0354226d4c31d3a247c0bfcef02c5a1b284527e86b87eaba5918e1fafa02a11f424dfc48
-
memory/2784-132-0x0000000000000000-mapping.dmp
-
memory/3048-154-0x0000000007D30000-0x0000000007E5D000-memory.dmp
Filesize: 1.2MB
-
memory/3048-152-0x0000000007D30000-0x0000000007E5D000-memory.dmp
Filesize: 1.2MB
-
memory/3048-144-0x00000000075E0000-0x0000000007712000-memory.dmp
Filesize: 1.2MB
-
memory/4340-142-0x00000000018D0000-0x00000000018E0000-memory.dmp
Filesize: 64KB
-
memory/4340-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/4340-143-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize: 8KB
-
memory/4340-140-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize: 184KB
-
memory/4340-137-0x0000000000000000-mapping.dmp
-
memory/4340-146-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB
-
memory/4340-147-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize: 184KB
-
memory/4340-141-0x0000000001910000-0x0000000001C5A000-memory.dmp
Filesize: 3.3MB
-
memory/5056-148-0x00000000009D0000-0x0000000000A27000-memory.dmp
Filesize: 348KB
-
memory/5056-150-0x0000000003330000-0x000000000367A000-memory.dmp
Filesize: 3.3MB
-
memory/5056-151-0x0000000003060000-0x00000000030EF000-memory.dmp
Filesize: 572KB
-
memory/5056-149-0x0000000001220000-0x000000000124D000-memory.dmp
Filesize: 180KB
-
memory/5056-153-0x0000000001220000-0x000000000124D000-memory.dmp
Filesize: 180KB
-
memory/5056-145-0x0000000000000000-mapping.dmp