Analysis

  • max time kernel
    103s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-04-2023 04:53

General

  • Target

    449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe

  • Size

    10.0MB

  • MD5

    48185b9d80c6fe5b1987755507322cd6

  • SHA1

    a3232833bc84314fe081c93864e0b4df737b90f3

  • SHA256

    449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185

  • SHA512

    55d0c666492ecdfccf71a2fae55c54d7eca402650cf64f049621a97f6abda8c0e1f7ae4128482016b85b7c33129a5426cd01ce6a754c017f6cfd456e44e37410

  • SSDEEP

    196608:jbfSWxOu68KU2vzQ8aVoKPPg2mQm1wOWDjOwbcToKxQNO9U:/fEu68wzGmgo2hrFDjf4oKiO9U

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Detects Phoenix Miner Payload 4 IoCs
  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe
    "C:\Users\Admin\AppData\Local\Temp\449dfb001ec66253cd32dc9205836faa08b5ddb28b8a32bed3bf8805c54e1185.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4632
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c rar x -ep2 -y ov.rar & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\ov\rar.exe
        rar x -ep2 -y ov.rar
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3908
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name=ov dir=out & netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255 & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\system32\netsh.exe
        netsh advfirewall firewall delete rule name=ov dir=out
        3⤵
        • Modifies Windows Firewall
        PID:4784
      • C:\Windows\system32\netsh.exe
        netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255
        3⤵
        • Modifies Windows Firewall
        PID:376
    • C:\Windows\ov\svchost.exe
      "C:\Windows\ov\svchost.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:656
      • C:\Windows\SYSTEM32\expand.exe
        expand "C:\Users\Admin\AppData\Roaming\qskg\\qskg.tmp" "C:\Users\Admin\AppData\Roaming\qskg\\7za.exe"
        3⤵
        • Drops file in Windows directory
        PID:1352
      • C:\Users\Admin\AppData\Roaming\qskg\7za.exe
        "C:\Users\Admin\AppData\Roaming\qskg\\7za.exe" x "C:\Users\Admin\AppData\Roaming\qskg\\qskg.tmp" -y -o"C:\Users\Admin\AppData\Roaming\qskg\"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2328
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg -h off
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2936
      • C:\Windows\SYSTEM32\powercfg.exe
        powercfg -x -standby-timeout-ac 000
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3220

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Modify Existing Service (1) T1031
  • Bootkit (1) T1067

Privilege Escalation

  • Bypass User Account Control (1) T1088

Defense Evasion

  • Bypass User Account Control (1) T1088
  • Disabling Security Tools (1) T1089
  • Modify Registry (2) T1112

Discovery

  • Query Registry (4) T1012
  • System Information Discovery (6) T1082
  • Peripheral Device Discovery (2) T1120

Downloads

  • C:\Program Files\ov\getov.dll
    Filesize

    864KB

    MD5

    2a9c389b9fd376ecc40f591565531e9e

    SHA1

    59d5b8aba37a710dbb7926f0cb1561c672a59b96

    SHA256

    0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9

    SHA512

    bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1

  • C:\Users\Admin\AppData\Local\Temp\autB200.tmp
    Filesize

    3.9MB

    MD5

    87099260c00a3891fd96f2a92e31308f

    SHA1

    7ea1edf45d0bef3fdef52da5b635462461735eb9

    SHA256

    c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73

    SHA512

    a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449

  • C:\Users\Admin\AppData\Roaming\qskg\7za.exe
    Filesize

    676KB

    MD5

    2e3309647ce678ca313fe3825a57ccb9

    SHA1

    792fdeccddd3cc182eac3a1ecd7affe5b48262c8

    SHA256

    e6855553350fa6fb23e05839c7f3ef140dad29d9a0e3495de4d1b17a9fbf5ca4

    SHA512

    5eb2af380fed7117d45232d42dec4d05a6f4f6cd6c7d03583c181b235344ea922290b6e0bf6b9683592bccc0f4a3b2b9b9fd7d41fbfebf1045bd95b027539dbc

  • C:\Users\Admin\AppData\Roaming\qskg\pcid_x64.dll
    Filesize

    207KB

    MD5

    bf53fdbae95f8e912865c25e1787e660

    SHA1

    3397cd69bdfa9ddaccb36e4b0cfe089b1be81174

    SHA256

    e0fed7e42068d42b913773ca1ed8cdc1ea53a85b811aefcb89ecd7b9a68f7dcc

    SHA512

    59876642809061d18eb7f7ba864898245593c6fd8c12c340e937e317de49eddbde4757fc2c864349217ce5ac96c08cbbb9c77dba4685240ecb35b462d40437dc

  • C:\Users\Admin\AppData\Roaming\qskg\qskg.tmp
    Filesize

    85KB

    MD5

    b3a4ee7d08335917583403746e32f3d9

    SHA1

    d2f4761d73914756e828a899a5949ca6a6f96e5b

    SHA256

    0d4d9a9d57b5a8bb79f225315d050bb76e89fe79e8888c3ce62544e75b229919

    SHA512

    2de091071946d81ed994d3404e38d98523c6f33985890058c305e27fa9b789fc24423f4eb3d14feae8f78cceafac3e294f9cf0c6b7f63b168fb471da7e0ebfc3

  • C:\Windows\ov\nrov.dll
    Filesize

    1.3MB

    MD5

    9d7805a480ccb9fb877d7ba05b15dd9f

    SHA1

    bbef4eae1d880eb713823e58c8f7469c7e8a5783

    SHA256

    edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b

    SHA512

    ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe

  • C:\Windows\ov\ov.rar
    Filesize

    3.9MB

    MD5

    87099260c00a3891fd96f2a92e31308f

    SHA1

    7ea1edf45d0bef3fdef52da5b635462461735eb9

    SHA256

    c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73

    SHA512

    a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449

  • C:\Windows\ov\qskg.config
    Filesize

    787B

    MD5

    5ada09545331f33ba9833b4c2f320014

    SHA1

    941edce8cd486ecf2e69ea37f3f87650f8899cbb

    SHA256

    b63ee3ed578fb804f4d4bd19302e03fc02388337cc0d4124ce88ed09be6dc57b

    SHA512

    71140b737858a12ed4cddef2639afbb14af176c25736d313759969eb3164238050e131ee8e1e74b969b598bc4e0757685078e901235e2f074016325d4a632fa8

  • C:\Windows\ov\qskg.config
    Filesize

    776B

    MD5

    5743c538ad7506f2613dad86a09df230

    SHA1

    95fb7f75869d08b89393edc5f7264ded5478cd4c

    SHA256

    0701858cf2b46442225dfbd4dc7c059c7f7f6f092d180898a1bcfb7f0c095ae1

    SHA512

    527ac1f4715a1c23264a181320c53cf3438cff5d224cf9f50fa8725058f737bb1a12fc511c3596f7a0bb85a784e597e8eeda25be721560c6709d730b18cfc34f

  • C:\Windows\ov\rar.exe
    Filesize

    532KB

    MD5

    2075b20cc7b891b00ac2135909ee420c

    SHA1

    0e182e2ebf3befab3fbca1c1a6b080338d99abd7

    SHA256

    0c9f681cb5b56773636ae2211e0e49d0a89add91427c56139f2a55ff72f01bf1

    SHA512

    0cfda2658189cd303ed038a1443f472a6a7b4e921ae100d65d1efba544dc515308b59a8aca35a89ad605cc62890423034b7ead393cac9038d99f47041031052e

  • C:\Windows\ov\svchost.exe
    Filesize

    9.9MB

    MD5

    fe52776bea1e40791de81198fa50f9a4

    SHA1

    4c73c759e5131144dc82f60d385d440406230f6c

    SHA256

    f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87

    SHA512

    ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1

  • \??\c:\users\admin\appdata\roaming\qskg\qskg.tmp
    Filesize

    373KB

    MD5

    7d246c632d2bf4e2a7ef1a13d0940ec0

    SHA1

    accb19ce32802fb7e268ad43e29f919810e423f8

    SHA256

    b6fec99ec42bd0f01304f2ff6733752b65bee274d39bd53dd4131c277a2aac79

    SHA512

    63d7eb0659d19a8183d40c81b2ef705b5fd8631ff049b46088f60b2936fea4fec199669239cd9d9dd161fd232d782d78a6b59073428d5039ed35de8a53e92383

  • memory/656-158-0x0000000000F30000-0x0000000000F31000-memory.dmp
    Filesize

    4KB

  • memory/656-177-0x0000000003A60000-0x0000000003A9A000-memory.dmp
    Filesize

    232KB

  • memory/656-202-0x0000000007C00000-0x0000000007FA0000-memory.dmp
    Filesize

    3.6MB

  • memory/656-203-0x0000000000400000-0x0000000000E42000-memory.dmp
    Filesize

    10.3MB

  • memory/656-204-0x0000000007C00000-0x0000000007FA0000-memory.dmp
    Filesize

    3.6MB

  • memory/656-205-0x0000000000F30000-0x0000000000F31000-memory.dmp
    Filesize

    4KB

  • memory/656-206-0x0000000000400000-0x0000000000E42000-memory.dmp
    Filesize

    10.3MB

  • memory/4632-201-0x0000000000400000-0x00000000006B1000-memory.dmp
    Filesize

    2.7MB