Analysis
- max time kernel: 30s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-04-2023 04:53

Static task: static1
Behavioral task: behavioral1
Sample: 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
Resource: win7-20230220-en
General
- Target: 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
- Size: 10.0MB
- MD5: 48185b9d80c6fe5b1987755507322cd6
- SHA1: a3232833bc84314fe081c93864e0b4df737b90f3
- SHA256: 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185
- SHA512: 55d0c666492ecdfccf71a2fae55c54d7eca402650cf64f049621a97f6abda8c0e1f7ae4128482016b85b7c33129a5426cd01ce6a754c017f6cfd456e44e37410
- SSDEEP: 196608:jbfSWxOu68KU2vzQ8aVoKPPg2mQm1wOWDjOwbcToKxQNO9U:/fEu68wzGmgo2hrFDjf4oKiO9U
Malware Config
Signatures
- Detects Phoenix Miner Payload (5 IoCs)
  Processes (resource, yara_rule):
  - C:\Windows\ov\svchost.exe: miner_phoenix
  - \Windows\ov\svchost.exe: miner_phoenix
  - C:\Windows\ov\svchost.exe: miner_phoenix
  - behavioral1/memory/1820-102-0x0000000000400000-0x0000000000E42000-memory.dmp: miner_phoenix
  - behavioral1/memory/1820-104-0x0000000000400000-0x0000000000E42000-memory.dmp: miner_phoenix
- Modifies Windows Firewall (1 TTPs, 2 IoCs)
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 340 rar.exe
  - 1820 svchost.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
  - 892 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
  - 892 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
  - 1820 svchost.exe
- YARA rule match: upx
  Processes (resource, yara_rule):
  - C:\Windows\ov\nrov.dll: upx
  - \Windows\ov\nrov.dll: upx
  - C:\Program Files\ov\getov.dll: upx
  - \Program Files\ov\getov.dll: upx
  - behavioral1/memory/892-100-0x0000000006480000-0x0000000006731000-memory.dmp: upx
  - behavioral1/memory/1820-101-0x0000000005500000-0x00000000058A0000-memory.dmp: upx
  - behavioral1/memory/1820-103-0x0000000005500000-0x00000000058A0000-memory.dmp: upx
- Enumerates connected drives (3 TTPs, 1 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process):
  - File opened (read-only): \??\E: (svchost.exe)
- Drops file in Program Files directory (1 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Program Files\ov\getov.dll (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe)
- Drops file in Windows directory (16 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\gconfig.ini (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe)
  - File opened for modification: C:\Windows\ov (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe)
  - File created: C:\Windows\ov\rar.exe (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe)
  - File opened for modification: C:\Windows\ov\rar.exe (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe)
  - File opened for modification: C:\Windows\ov\qskg.config (rar.exe)
  - File opened for modification: C:\Windows\Logs\DPX\setuperr.log (expand.exe)
  - File opened for modification: C:\Windows\ov\qskg.config (svchost.exe)
  - File created: C:\Windows\ov\ov.rar (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe)
  - File opened for modification: C:\Windows\ov\ov.rar (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe)
  - File created: C:\Windows\ov\svchost.exe (rar.exe)
  - File created: C:\Windows\ov\nrov.dll (rar.exe)
  - File created: C:\Windows\ov\qskg.config (rar.exe)
  - File opened for modification: C:\Windows\ov\svchost.exe (rar.exe)
  - File opened for modification: C:\Windows\ov\nrov.dll (rar.exe)
  - File opened for modification: C:\Windows\Logs\DPX\setupact.log (expand.exe)
  - File created: C:\Windows\ov\qskg.pools (svchost.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (svchost.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes (pid, process):
  - 340 rar.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
  - 892 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe (6 occurrences)
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes (description, pid, process):
  - Token: SeBackupPrivilege, 1820 svchost.exe (2 occurrences)
  - Token: SeSecurityPrivilege, 1820 svchost.exe (14 occurrences)
  - Token: SeDebugPrivilege, 892 449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe (1 occurrence)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
  - 1820 svchost.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process), in the order recorded:
  - PID 892 (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe) wrote to memory of 1172 (cmd.exe), 3 occurrences
  - PID 1172 (cmd.exe) wrote to memory of 340 (rar.exe), 4 occurrences
  - PID 892 (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe) wrote to memory of 848 (cmd.exe), 3 occurrences
  - PID 848 (cmd.exe) wrote to memory of 880 (netsh.exe), 3 occurrences
  - PID 892 (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe) wrote to memory of 1820 (svchost.exe), 3 occurrences
  - PID 848 (cmd.exe) wrote to memory of 1916 (netsh.exe), 3 occurrences
  - PID 1820 (svchost.exe) wrote to memory of 1836 (expand.exe), 3 occurrences
  - PID 892 (449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe) wrote to memory of 1820 (svchost.exe), 1 occurrence
Processes (process tree; [n] is the nesting depth)
- [1] C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe"
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /c rar x -ep2 -y ov.rar & exit
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\ov\rar.exe
      Command line: rar x -ep2 -y ov.rar
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: CmdExeWriteProcessMemorySpam
  - [2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name=ov dir=out & netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255 & exit
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall firewall delete rule name=ov dir=out
      Signatures: Modifies Windows Firewall
    - [3] C:\Windows\system32\netsh.exe
      Command line: netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255
      Signatures: Modifies Windows Firewall
  - [2] C:\Windows\ov\svchost.exe
    Command line: "C:\Windows\ov\svchost.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Enumerates connected drives; Drops file in Windows directory; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\expand.exe
      Command line: expand "C:\Users\Admin\AppData\Roaming\qskg\\qskg.tmp" "C:\Users\Admin\AppData\Roaming\qskg\\7za.exe"
      Signatures: Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\ov\getov.dll
  Filesize: 864KB
  MD5: 2a9c389b9fd376ecc40f591565531e9e
  SHA1: 59d5b8aba37a710dbb7926f0cb1561c672a59b96
  SHA256: 0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9
  SHA512: bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1
- C:\Windows\ov\nrov.dll
  Filesize: 1.3MB
  MD5: 9d7805a480ccb9fb877d7ba05b15dd9f
  SHA1: bbef4eae1d880eb713823e58c8f7469c7e8a5783
  SHA256: edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b
  SHA512: ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe
- C:\Windows\ov\ov.rar
  Filesize: 3.9MB
  MD5: 87099260c00a3891fd96f2a92e31308f
  SHA1: 7ea1edf45d0bef3fdef52da5b635462461735eb9
  SHA256: c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73
  SHA512: a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449
- C:\Windows\ov\qskg.config
  Filesize: 787B
  MD5: 5ada09545331f33ba9833b4c2f320014
  SHA1: 941edce8cd486ecf2e69ea37f3f87650f8899cbb
  SHA256: b63ee3ed578fb804f4d4bd19302e03fc02388337cc0d4124ce88ed09be6dc57b
  SHA512: 71140b737858a12ed4cddef2639afbb14af176c25736d313759969eb3164238050e131ee8e1e74b969b598bc4e0757685078e901235e2f074016325d4a632fa8
- C:\Windows\ov\rar.exe
  Filesize: 532KB
  MD5: 2075b20cc7b891b00ac2135909ee420c
  SHA1: 0e182e2ebf3befab3fbca1c1a6b080338d99abd7
  SHA256: 0c9f681cb5b56773636ae2211e0e49d0a89add91427c56139f2a55ff72f01bf1
  SHA512: 0cfda2658189cd303ed038a1443f472a6a7b4e921ae100d65d1efba544dc515308b59a8aca35a89ad605cc62890423034b7ead393cac9038d99f47041031052e
- C:\Windows\ov\svchost.exe
  Filesize: 9.9MB
  MD5: fe52776bea1e40791de81198fa50f9a4
  SHA1: 4c73c759e5131144dc82f60d385d440406230f6c
  SHA256: f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87
  SHA512: ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1
- \??\c:\users\admin\appdata\roaming\qskg\qskg.tmp
  Filesize: 373KB
  MD5: 7d246c632d2bf4e2a7ef1a13d0940ec0
  SHA1: accb19ce32802fb7e268ad43e29f919810e423f8
  SHA256: b6fec99ec42bd0f01304f2ff6733752b65bee274d39bd53dd4131c277a2aac79
  SHA512: 63d7eb0659d19a8183d40c81b2ef705b5fd8631ff049b46088f60b2936fea4fec199669239cd9d9dd161fd232d782d78a6b59073428d5039ed35de8a53e92383
- \Program Files\ov\getov.dll
  Filesize: 864KB
  MD5: 2a9c389b9fd376ecc40f591565531e9e
  SHA1: 59d5b8aba37a710dbb7926f0cb1561c672a59b96
  SHA256: 0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9
  SHA512: bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1
- \Windows\ov\nrov.dll
  Filesize: 1.3MB
  MD5: 9d7805a480ccb9fb877d7ba05b15dd9f
  SHA1: bbef4eae1d880eb713823e58c8f7469c7e8a5783
  SHA256: edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b
  SHA512: ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe
- \Windows\ov\svchost.exe
  Filesize: 9.9MB
  MD5: fe52776bea1e40791de81198fa50f9a4
  SHA1: 4c73c759e5131144dc82f60d385d440406230f6c
  SHA256: f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87
  SHA512: ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1

Memory dumps (name, Filesize):
- memory/892-100-0x0000000006480000-0x0000000006731000-memory.dmp: 2.7MB
- memory/1820-97-0x0000000004A00000-0x0000000004A01000-memory.dmp: 4KB
- memory/1820-78-0x00000000003F0000-0x00000000003F1000-memory.dmp: 4KB
- memory/1820-101-0x0000000005500000-0x00000000058A0000-memory.dmp: 3.6MB
- memory/1820-102-0x0000000000400000-0x0000000000E42000-memory.dmp: 10.3MB
- memory/1820-103-0x0000000005500000-0x00000000058A0000-memory.dmp: 3.6MB
- memory/1820-104-0x0000000000400000-0x0000000000E42000-memory.dmp: 10.3MB