65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe
Size

449KB
MD5

ad8256cb4be1b817a6df0726f8cdee0f
SHA1

c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086
SHA256

65c9f0517f21362d05bbc7361cf2fa89ae13933ac6f5d1c2092fff55795c20f3
SHA512

5bbafeeb2fa046b9330268258e3bba987a7d270e3ce28d798db271e01e9ae663419a8fcab723c62d03c6d828ca7a61877efbadad71d3e454adc2ae95fff79593
SSDEEP

6144:SYa6VqwZutS+e5zeoD4P4uEhgVZx8Yr/V3qCSoC/LAIkmiFTo+mo:SY3tutXe5DD4PjogVP8sqC5CDqFEm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2004	oslngvyxu.exe
544	oslngvyxu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Control Panel\International\Geo\Nation	oslngvyxu.exe

Loads dropped DLL 4 IoCs

pid	Process
1544	c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe
1544	c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe
2004	oslngvyxu.exe
1204	NAPSTAT.EXE

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 544	2004	oslngvyxu.exe	28
PID 544 set thread context of 1312	544	oslngvyxu.exe	13
PID 1204 set thread context of 1312	1204	NAPSTAT.EXE	13

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1214520366-621468234-4062160515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NAPSTAT.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
544	oslngvyxu.exe
544	oslngvyxu.exe
544	oslngvyxu.exe
544	oslngvyxu.exe
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1312	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2004	oslngvyxu.exe
544	oslngvyxu.exe
544	oslngvyxu.exe
544	oslngvyxu.exe
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE
1204	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	oslngvyxu.exe
Token: SeDebugPrivilege	1204	NAPSTAT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2004	1544	c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe	27
PID 1544 wrote to memory of 2004	1544	c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe	27
PID 1544 wrote to memory of 2004	1544	c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe	27
PID 1544 wrote to memory of 2004	1544	c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe	27
PID 2004 wrote to memory of 544	2004	oslngvyxu.exe	28
PID 2004 wrote to memory of 544	2004	oslngvyxu.exe	28
PID 2004 wrote to memory of 544	2004	oslngvyxu.exe	28
PID 2004 wrote to memory of 544	2004	oslngvyxu.exe	28
PID 2004 wrote to memory of 544	2004	oslngvyxu.exe	28
PID 1312 wrote to memory of 1204	1312	Explorer.EXE	29
PID 1312 wrote to memory of 1204	1312	Explorer.EXE	29
PID 1312 wrote to memory of 1204	1312	Explorer.EXE	29
PID 1312 wrote to memory of 1204	1312	Explorer.EXE	29
PID 1204 wrote to memory of 1656	1204	NAPSTAT.EXE	32
PID 1204 wrote to memory of 1656	1204	NAPSTAT.EXE	32
PID 1204 wrote to memory of 1656	1204	NAPSTAT.EXE	32
PID 1204 wrote to memory of 1656	1204	NAPSTAT.EXE	32
PID 1204 wrote to memory of 1656	1204	NAPSTAT.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe
  "C:\Users\Admin\AppData\Local\Temp\c30e9f8272d0ad84ce2ce3bb6179e77af0e7e086.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\oslngvyxu.exe
    "C:\Users\Admin\AppData\Local\Temp\oslngvyxu.exe" C:\Users\Admin\AppData\Local\Temp\lbshjq.yn
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Users\Admin\AppData\Local\Temp\oslngvyxu.exe
      "C:\Users\Admin\AppData\Local\Temp\oslngvyxu.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:544
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lbshjq.yn

Filesize
5KB

MD5
3124e67d01e1a0935444d2b26a0d1aff

SHA1
99582b04f7e6333532dd34c07223319b98679ccb

SHA256
48e32963ad7afb05c5ea31b67a9eb75a973ca5f3793fd2e28568496099ae8af2

SHA512
479baf167743b8ccc21d46a409e4cf937e6667a7c417d03b9f17a2b5b7812e91b467d977d328429b6f3caeae123e9c7a53ba20a9131b7b313c920a6b518a8678

Download Submit
C:\Users\Admin\AppData\Local\Temp\oslngvyxu.exe

Filesize
61KB

MD5
8b2553bfab2c74f153508617e6111f0a

SHA1
85a6b8674329fa5a77145f11854ec27b773b9a40

SHA256
9be3756445bf3f93b1da094323358cd20eddb7141706e2b920bf3b2ec46be3cf

SHA512
a98f8f2daf9fe2646fbaf24f0d947862b58e65e64a4193e72a627e026a2039ad4ea2bb4d6a813e34c1b32e717f777240325f08452b07ba3153cc5d698cea0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\oslngvyxu.exe

Filesize
61KB

MD5
8b2553bfab2c74f153508617e6111f0a

SHA1
85a6b8674329fa5a77145f11854ec27b773b9a40

SHA256
9be3756445bf3f93b1da094323358cd20eddb7141706e2b920bf3b2ec46be3cf

SHA512
a98f8f2daf9fe2646fbaf24f0d947862b58e65e64a4193e72a627e026a2039ad4ea2bb4d6a813e34c1b32e717f777240325f08452b07ba3153cc5d698cea0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\oslngvyxu.exe

Filesize
61KB

MD5
8b2553bfab2c74f153508617e6111f0a

SHA1
85a6b8674329fa5a77145f11854ec27b773b9a40

SHA256
9be3756445bf3f93b1da094323358cd20eddb7141706e2b920bf3b2ec46be3cf

SHA512
a98f8f2daf9fe2646fbaf24f0d947862b58e65e64a4193e72a627e026a2039ad4ea2bb4d6a813e34c1b32e717f777240325f08452b07ba3153cc5d698cea0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxxutqsis.ash

Filesize
205KB

MD5
37e4b21bc0f3710673a6a78da892f357

SHA1
cd657db285bc9d576e5199042d5cb639c65116b0

SHA256
d4d9390c3260f3c1bad24a80b4f466be3a76f75a05bc43f78b397aae0864b096

SHA512
1596550c54d99d46d9452a830e886d025847ad1fbd3f2283723e2612ff9a42d5b749b9c27b51ed5a9c419cbeaf943b1d7ee51a048647f62434cfbfc395524892

Download Submit
\Users\Admin\AppData\Local\Temp\oslngvyxu.exe

Filesize
61KB

MD5
8b2553bfab2c74f153508617e6111f0a

SHA1
85a6b8674329fa5a77145f11854ec27b773b9a40

SHA256
9be3756445bf3f93b1da094323358cd20eddb7141706e2b920bf3b2ec46be3cf

SHA512
a98f8f2daf9fe2646fbaf24f0d947862b58e65e64a4193e72a627e026a2039ad4ea2bb4d6a813e34c1b32e717f777240325f08452b07ba3153cc5d698cea0895

Download Submit
\Users\Admin\AppData\Local\Temp\oslngvyxu.exe

Filesize
61KB

MD5
8b2553bfab2c74f153508617e6111f0a

SHA1
85a6b8674329fa5a77145f11854ec27b773b9a40

SHA256
9be3756445bf3f93b1da094323358cd20eddb7141706e2b920bf3b2ec46be3cf

SHA512
a98f8f2daf9fe2646fbaf24f0d947862b58e65e64a4193e72a627e026a2039ad4ea2bb4d6a813e34c1b32e717f777240325f08452b07ba3153cc5d698cea0895

Download Submit
\Users\Admin\AppData\Local\Temp\oslngvyxu.exe

Filesize
61KB

MD5
8b2553bfab2c74f153508617e6111f0a

SHA1
85a6b8674329fa5a77145f11854ec27b773b9a40

SHA256
9be3756445bf3f93b1da094323358cd20eddb7141706e2b920bf3b2ec46be3cf

SHA512
a98f8f2daf9fe2646fbaf24f0d947862b58e65e64a4193e72a627e026a2039ad4ea2bb4d6a813e34c1b32e717f777240325f08452b07ba3153cc5d698cea0895

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
890KB

MD5
8402a6aa76d7787ff03943dd129e3d83

SHA1
895338cb761d62930ca93918011fd2cd33d5b30c

SHA256
49ff99d5b24f4f7d5a8ea175f35a6548c74b04e5c621c60121b5088dab19b4eb

SHA512
39bbe90385be35492825929296aae771fb4afb00a1f6a48f0e4ec17bc1097c3a32cea3b22033116c82695e66acbd6c847483a8da21e7302240467b58e39169ea

Download Submit
memory/544-66-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/544-67-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/544-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-70-0x00000000003D0000-0x0000000000416000-memory.dmp

Filesize
280KB

Download
memory/1204-71-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1204-72-0x0000000001EF0000-0x00000000021F3000-memory.dmp

Filesize
3.0MB

Download
memory/1204-73-0x0000000000710000-0x000000000079F000-memory.dmp

Filesize
572KB

Download
memory/1204-75-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/1312-68-0x0000000004EE0000-0x0000000004FE2000-memory.dmp

Filesize
1.0MB

Download
memory/1312-74-0x0000000006BC0000-0x0000000006CC0000-memory.dmp

Filesize
1024KB

Download
memory/1312-76-0x0000000006BC0000-0x0000000006CC0000-memory.dmp

Filesize
1024KB

Download
memory/1544-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download