449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01-04-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
Size

10.0MB
MD5

48185b9d80c6fe5b1987755507322cd6
SHA1

a3232833bc84314fe081c93864e0b4df737b90f3
SHA256

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185
SHA512

55d0c666492ecdfccf71a2fae55c54d7eca402650cf64f049621a97f6abda8c0e1f7ae4128482016b85b7c33129a5426cd01ce6a754c017f6cfd456e44e37410
SSDEEP

196608:jbfSWxOu68KU2vzQ8aVoKPPg2mQm1wOWDjOwbcToKxQNO9U:/fEu68wzGmgo2hrFDjf4oKiO9U

Score

9^/10

evasion miner upx

Malware Config

Signatures

Detectes Phoenix Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\ov\svchost.exe	miner_phoenix
\Windows\ov\svchost.exe	miner_phoenix
C:\Windows\ov\svchost.exe	miner_phoenix
behavioral1/memory/1820-102-0x0000000000400000-0x0000000000E42000-memory.dmp	miner_phoenix
behavioral1/memory/1820-104-0x0000000000400000-0x0000000000E42000-memory.dmp	miner_phoenix

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

880 netsh.exe
1916 netsh.exe
Executes dropped EXE 2 IoCs

Processes:

rar.exesvchost.exe

pid process

340 rar.exe
1820 svchost.exe

pid	process
880	netsh.exe
1916	netsh.exe

pid	process
340	rar.exe
1820	svchost.exe

Loads dropped DLL 3 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exesvchost.exe

pid	process
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
1820	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\ov\nrov.dll	upx
\Windows\ov\nrov.dll	upx
C:\Program Files\ov\getov.dll	upx
\Program Files\ov\getov.dll	upx
behavioral1/memory/892-100-0x0000000006480000-0x0000000006731000-memory.dmp	upx
behavioral1/memory/1820-101-0x0000000005500000-0x00000000058A0000-memory.dmp	upx
behavioral1/memory/1820-103-0x0000000005500000-0x00000000058A0000-memory.dmp	upx

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

svchost.exe

description ioc process

File opened (read-only) \??\E: svchost.exe
Drops file in Program Files directory 1 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

description ioc process

File created C:\Program Files\ov\getov.dll 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

description	ioc	process
File opened (read-only)	\??\E:	svchost.exe

description	ioc	process
File created	C:\Program Files\ov\getov.dll	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Drops file in Windows directory 16 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exerar.exeexpand.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\gconfig.ini	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File opened for modification	C:\Windows\ov	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File created	C:\Windows\ov\rar.exe	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File opened for modification	C:\Windows\ov\rar.exe	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File opened for modification	C:\Windows\ov\qskg.config	rar.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\ov\qskg.config	svchost.exe
File created	C:\Windows\ov\ov.rar	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File opened for modification	C:\Windows\ov\ov.rar	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
File created	C:\Windows\ov\svchost.exe	rar.exe
File created	C:\Windows\ov\nrov.dll	rar.exe
File created	C:\Windows\ov\qskg.config	rar.exe
File opened for modification	C:\Windows\ov\svchost.exe	rar.exe
File opened for modification	C:\Windows\ov\nrov.dll	rar.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File created	C:\Windows\ov\qskg.pools	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

rar.exe

pid process

340 rar.exe

pid	process
340	rar.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

pid	process
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

svchost.exe449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

description	pid	process
Token: SeBackupPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeBackupPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeSecurityPrivilege	1820	svchost.exe
Token: SeDebugPrivilege	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1820 svchost.exe

pid	process
1820	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 892 wrote to memory of 1172	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 892 wrote to memory of 1172	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 892 wrote to memory of 1172	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 1172 wrote to memory of 340	1172	cmd.exe	rar.exe
PID 1172 wrote to memory of 340	1172	cmd.exe	rar.exe
PID 1172 wrote to memory of 340	1172	cmd.exe	rar.exe
PID 1172 wrote to memory of 340	1172	cmd.exe	rar.exe
PID 892 wrote to memory of 848	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 892 wrote to memory of 848	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 892 wrote to memory of 848	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	cmd.exe
PID 848 wrote to memory of 880	848	cmd.exe	netsh.exe
PID 848 wrote to memory of 880	848	cmd.exe	netsh.exe
PID 848 wrote to memory of 880	848	cmd.exe	netsh.exe
PID 892 wrote to memory of 1820	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	svchost.exe
PID 892 wrote to memory of 1820	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	svchost.exe
PID 892 wrote to memory of 1820	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	svchost.exe
PID 848 wrote to memory of 1916	848	cmd.exe	netsh.exe
PID 848 wrote to memory of 1916	848	cmd.exe	netsh.exe
PID 848 wrote to memory of 1916	848	cmd.exe	netsh.exe
PID 1820 wrote to memory of 1836	1820	svchost.exe	expand.exe
PID 1820 wrote to memory of 1836	1820	svchost.exe	expand.exe
PID 1820 wrote to memory of 1836	1820	svchost.exe	expand.exe
PID 892 wrote to memory of 1820	892	449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
"C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\system32\cmd.exe
cmd /c rar x -ep2 -y ov.rar & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\ov\rar.exe
rar x -ep2 -y ov.rar
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name=ov dir=out & netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255 & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\system32\netsh.exe
netsh advfirewall firewall delete rule name=ov dir=out
3⤵
- Modifies Windows Firewall
PID:880

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255
3⤵
- Modifies Windows Firewall
PID:1916

C:\Windows\ov\svchost.exe
"C:\Windows\ov\svchost.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\expand.exe
expand "C:\Users\Admin\AppData\Roaming\qskg\\qskg.tmp" "C:\Users\Admin\AppData\Roaming\qskg\\7za.exe"
3⤵
- Drops file in Windows directory
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ov\getov.dll
Filesize
864KB

MD5
2a9c389b9fd376ecc40f591565531e9e

SHA1
59d5b8aba37a710dbb7926f0cb1561c672a59b96

SHA256
0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9

SHA512
bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1

Download Submit
C:\Windows\ov\nrov.dll
Filesize
1.3MB

MD5
9d7805a480ccb9fb877d7ba05b15dd9f

SHA1
bbef4eae1d880eb713823e58c8f7469c7e8a5783

SHA256
edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b

SHA512
ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe

Download Submit
C:\Windows\ov\ov.rar
Filesize
3.9MB

MD5
87099260c00a3891fd96f2a92e31308f

SHA1
7ea1edf45d0bef3fdef52da5b635462461735eb9

SHA256
c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73

SHA512
a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449

Download Submit
C:\Windows\ov\ov.rar
Filesize
3.9MB

MD5
87099260c00a3891fd96f2a92e31308f

SHA1
7ea1edf45d0bef3fdef52da5b635462461735eb9

SHA256
c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73

SHA512
a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449

Download Submit
C:\Windows\ov\qskg.config
Filesize
787B

MD5
5ada09545331f33ba9833b4c2f320014

SHA1
941edce8cd486ecf2e69ea37f3f87650f8899cbb

SHA256
b63ee3ed578fb804f4d4bd19302e03fc02388337cc0d4124ce88ed09be6dc57b

SHA512
71140b737858a12ed4cddef2639afbb14af176c25736d313759969eb3164238050e131ee8e1e74b969b598bc4e0757685078e901235e2f074016325d4a632fa8

Download Submit
C:\Windows\ov\rar.exe
Filesize
532KB

MD5
2075b20cc7b891b00ac2135909ee420c

SHA1
0e182e2ebf3befab3fbca1c1a6b080338d99abd7

SHA256
0c9f681cb5b56773636ae2211e0e49d0a89add91427c56139f2a55ff72f01bf1

SHA512
0cfda2658189cd303ed038a1443f472a6a7b4e921ae100d65d1efba544dc515308b59a8aca35a89ad605cc62890423034b7ead393cac9038d99f47041031052e

Download Submit
C:\Windows\ov\rar.exe
Filesize
532KB

MD5
2075b20cc7b891b00ac2135909ee420c

SHA1
0e182e2ebf3befab3fbca1c1a6b080338d99abd7

SHA256
0c9f681cb5b56773636ae2211e0e49d0a89add91427c56139f2a55ff72f01bf1

SHA512
0cfda2658189cd303ed038a1443f472a6a7b4e921ae100d65d1efba544dc515308b59a8aca35a89ad605cc62890423034b7ead393cac9038d99f47041031052e

Download Submit
C:\Windows\ov\svchost.exe
Filesize
9.9MB

MD5
fe52776bea1e40791de81198fa50f9a4

SHA1
4c73c759e5131144dc82f60d385d440406230f6c

SHA256
f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87

SHA512
ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1

Download Submit
C:\Windows\ov\svchost.exe
Filesize
9.9MB

MD5
fe52776bea1e40791de81198fa50f9a4

SHA1
4c73c759e5131144dc82f60d385d440406230f6c

SHA256
f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87

SHA512
ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1

Download Submit
\??\c:\users\admin\appdata\roaming\qskg\qskg.tmp
Filesize
373KB

MD5
7d246c632d2bf4e2a7ef1a13d0940ec0

SHA1
accb19ce32802fb7e268ad43e29f919810e423f8

SHA256
b6fec99ec42bd0f01304f2ff6733752b65bee274d39bd53dd4131c277a2aac79

SHA512
63d7eb0659d19a8183d40c81b2ef705b5fd8631ff049b46088f60b2936fea4fec199669239cd9d9dd161fd232d782d78a6b59073428d5039ed35de8a53e92383

Download Submit
\Program Files\ov\getov.dll
Filesize
864KB

MD5
2a9c389b9fd376ecc40f591565531e9e

SHA1
59d5b8aba37a710dbb7926f0cb1561c672a59b96

SHA256
0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9

SHA512
bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1

Download Submit
\Windows\ov\nrov.dll
Filesize
1.3MB

MD5
9d7805a480ccb9fb877d7ba05b15dd9f

SHA1
bbef4eae1d880eb713823e58c8f7469c7e8a5783

SHA256
edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b

SHA512
ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe

Download Submit
\Windows\ov\svchost.exe
Filesize
9.9MB

MD5
fe52776bea1e40791de81198fa50f9a4

SHA1
4c73c759e5131144dc82f60d385d440406230f6c

SHA256
f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87

SHA512
ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1

Download Submit
memory/892-100-0x0000000006480000-0x0000000006731000-memory.dmp

Filesize
2.7MB

Download
memory/1820-97-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1820-78-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1820-101-0x0000000005500000-0x00000000058A0000-memory.dmp

Filesize
3.6MB

Download
memory/1820-102-0x0000000000400000-0x0000000000E42000-memory.dmp

Filesize
10.3MB

Download
memory/1820-103-0x0000000005500000-0x00000000058A0000-memory.dmp

Filesize
3.6MB

Download
memory/1820-104-0x0000000000400000-0x0000000000E42000-memory.dmp

Filesize
10.3MB

Download