Analysis
-
max time kernel
30s
-
max time network
33s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
07-04-2023 05:08
Static task
static1
Behavioral task
behavioral1
Sample
5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
Resource
win7-20230220-en
General
-
Target
5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
-
Size
10.0MB
-
MD5
207232b2d1fb67d1e357b41261d3ddc6
-
SHA1
bd712f1ee39c00d0293cae65f4092e4b23873c52
-
SHA256
5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b
-
SHA512
f2cc78ec6617f148ff2d9b1e5180a3acd7c204f3d90fe9219da0015ee1698a1dd465d11b41e851bb5d31781a0753cc5984a34ac91ef422f9379b0a75f52289ac
-
SSDEEP
196608:rbm2DxOu68KU2vzQ8aVoKPPg2mQm1wOWDjOwbcToKxQNO9UR:3Twu68wzGmgo2hrFDjf4oKiO9U
Malware Config
Signatures
-
Detects Phoenix Miner Payload 5 IoCs
Processes:
resource  yara_rule
C:\Windows\ov\svchost.exe  miner_phoenix
\Windows\ov\svchost.exe  miner_phoenix
C:\Windows\ov\svchost.exe  miner_phoenix
behavioral1/memory/1056-102-0x0000000000400000-0x0000000000E42000-memory.dmp  miner_phoenix
behavioral1/memory/1056-104-0x0000000000400000-0x0000000000E42000-memory.dmp  miner_phoenix
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
1120  rar.exe
1056  svchost.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid  process
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
1056  svchost.exe
-
Processes:
resource  yara_rule
C:\Windows\ov\nrov.dll  upx
\Windows\ov\nrov.dll  upx
C:\Program Files\ov\getov.dll  upx
\Program Files\ov\getov.dll  upx
behavioral1/memory/1532-100-0x00000000058B0000-0x0000000005B61000-memory.dmp  upx
behavioral1/memory/1056-101-0x00000000055E0000-0x0000000005980000-memory.dmp  upx
behavioral1/memory/1056-103-0x00000000055E0000-0x0000000005980000-memory.dmp  upx
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description  ioc  process
File opened (read-only)  \??\E:  svchost.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Program Files\ov\getov.dll  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
-
Drops file in Windows directory 16 IoCs
Processes:
description  ioc  process
File created  C:\Windows\ov\qskg.config  rar.exe
File created  C:\Windows\ov\qskg.pools  svchost.exe
File opened for modification  C:\Windows\ov\rar.exe  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
File created  C:\Windows\ov\svchost.exe  rar.exe
File created  C:\Windows\ov\nrov.dll  rar.exe
File opened for modification  C:\Windows\ov\qskg.config  svchost.exe
File created  C:\Windows\ov\rar.exe  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
File opened for modification  C:\Windows\ov\svchost.exe  rar.exe
File opened for modification  C:\Windows\Logs\DPX\setuperr.log  expand.exe
File opened for modification  C:\Windows\ov\qskg.config  rar.exe
File opened for modification  C:\Windows\Logs\DPX\setupact.log  expand.exe
File opened for modification  C:\Windows\gconfig.ini  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
File opened for modification  C:\Windows\ov\ov.rar  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
File opened for modification  C:\Windows\ov\nrov.dll  rar.exe
File opened for modification  C:\Windows\ov  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
File created  C:\Windows\ov\ov.rar  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  svchost.exe
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid  process
1120  rar.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid  process
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
description  pid  process
Token: SeBackupPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeBackupPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeSecurityPrivilege  1056  svchost.exe
Token: SeDebugPrivilege  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid  process
1056  svchost.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description  pid  process  target process
PID 1532 wrote to memory of 860  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  cmd.exe
PID 1532 wrote to memory of 860  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  cmd.exe
PID 1532 wrote to memory of 860  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  cmd.exe
PID 860 wrote to memory of 1120  860  cmd.exe  rar.exe
PID 860 wrote to memory of 1120  860  cmd.exe  rar.exe
PID 860 wrote to memory of 1120  860  cmd.exe  rar.exe
PID 860 wrote to memory of 1120  860  cmd.exe  rar.exe
PID 1532 wrote to memory of 1436  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  cmd.exe
PID 1532 wrote to memory of 1436  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  cmd.exe
PID 1532 wrote to memory of 1436  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  cmd.exe
PID 1532 wrote to memory of 1056  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  svchost.exe
PID 1532 wrote to memory of 1056  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  svchost.exe
PID 1532 wrote to memory of 1056  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  svchost.exe
PID 1436 wrote to memory of 108  1436  cmd.exe  netsh.exe
PID 1436 wrote to memory of 108  1436  cmd.exe  netsh.exe
PID 1436 wrote to memory of 108  1436  cmd.exe  netsh.exe
PID 1056 wrote to memory of 848  1056  svchost.exe  expand.exe
PID 1056 wrote to memory of 848  1056  svchost.exe  expand.exe
PID 1056 wrote to memory of 848  1056  svchost.exe  expand.exe
PID 1436 wrote to memory of 1964  1436  cmd.exe  netsh.exe
PID 1436 wrote to memory of 1964  1436  cmd.exe  netsh.exe
PID 1436 wrote to memory of 1964  1436  cmd.exe  netsh.exe
PID 1532 wrote to memory of 1056  1532  5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe  svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e2689566cdced6fd6b94abf509ce8c4d87972ec4aa4716ae38023234df8155b.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1532

    C:\Windows\system32\cmd.exe
      Command line: cmd /c rar x -ep2 -y ov.rar & exit
      - Suspicious use of WriteProcessMemory
      PID: 860

        C:\Windows\ov\rar.exe
          Command line: rar x -ep2 -y ov.rar
          - Executes dropped EXE
          - Drops file in Windows directory
          - Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID: 1120

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall firewall delete rule name=ov dir=out & netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255 & exit
      - Suspicious use of WriteProcessMemory
      PID: 1436

        C:\Windows\system32\netsh.exe
          Command line: netsh advfirewall firewall delete rule name=ov dir=out
          - Modifies Windows Firewall
          PID: 108

        C:\Windows\system32\netsh.exe
          Command line: netsh advfirewall firewall add rule name=ov dir=out action=block program=C:\Windows\ov\svchost.exe remoteip=0.0.0.0-255.255.255.255
          - Modifies Windows Firewall
          PID: 1964

    C:\Windows\ov\svchost.exe
      Command line: "C:\Windows\ov\svchost.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in Windows directory
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1056

        C:\Windows\system32\expand.exe
          Command line: expand "C:\Users\Admin\AppData\Roaming\qskg\\qskg.tmp" "C:\Users\Admin\AppData\Roaming\qskg\\7za.exe"
          - Drops file in Windows directory
          PID: 848
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 864KB
MD5 2a9c389b9fd376ecc40f591565531e9e
SHA1 59d5b8aba37a710dbb7926f0cb1561c672a59b96
SHA256 0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9
SHA512 bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1
-
Filesize 1.3MB
MD5 9d7805a480ccb9fb877d7ba05b15dd9f
SHA1 bbef4eae1d880eb713823e58c8f7469c7e8a5783
SHA256 edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b
SHA512 ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe
-
Filesize 3.9MB
MD5 87099260c00a3891fd96f2a92e31308f
SHA1 7ea1edf45d0bef3fdef52da5b635462461735eb9
SHA256 c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73
SHA512 a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449
-
Filesize 3.9MB
MD5 87099260c00a3891fd96f2a92e31308f
SHA1 7ea1edf45d0bef3fdef52da5b635462461735eb9
SHA256 c500f72e837e48fdb85e3881311a7e10d038c5020598edbf645cb0f125df4f73
SHA512 a04a842fa30c15a9f8b830a9dc1d184c38d44dcd517e7bd5f4891a3b52938e7d457a17603b0fd8df36a580ae39e1b172cf2357a3ea943b108a0f77cd175fa449
-
Filesize 787B
MD5 5ada09545331f33ba9833b4c2f320014
SHA1 941edce8cd486ecf2e69ea37f3f87650f8899cbb
SHA256 b63ee3ed578fb804f4d4bd19302e03fc02388337cc0d4124ce88ed09be6dc57b
SHA512 71140b737858a12ed4cddef2639afbb14af176c25736d313759969eb3164238050e131ee8e1e74b969b598bc4e0757685078e901235e2f074016325d4a632fa8
-
Filesize 532KB
MD5 2075b20cc7b891b00ac2135909ee420c
SHA1 0e182e2ebf3befab3fbca1c1a6b080338d99abd7
SHA256 0c9f681cb5b56773636ae2211e0e49d0a89add91427c56139f2a55ff72f01bf1
SHA512 0cfda2658189cd303ed038a1443f472a6a7b4e921ae100d65d1efba544dc515308b59a8aca35a89ad605cc62890423034b7ead393cac9038d99f47041031052e
-
Filesize 532KB
MD5 2075b20cc7b891b00ac2135909ee420c
SHA1 0e182e2ebf3befab3fbca1c1a6b080338d99abd7
SHA256 0c9f681cb5b56773636ae2211e0e49d0a89add91427c56139f2a55ff72f01bf1
SHA512 0cfda2658189cd303ed038a1443f472a6a7b4e921ae100d65d1efba544dc515308b59a8aca35a89ad605cc62890423034b7ead393cac9038d99f47041031052e
-
Filesize 9.9MB
MD5 fe52776bea1e40791de81198fa50f9a4
SHA1 4c73c759e5131144dc82f60d385d440406230f6c
SHA256 f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87
SHA512 ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1
-
Filesize 9.9MB
MD5 fe52776bea1e40791de81198fa50f9a4
SHA1 4c73c759e5131144dc82f60d385d440406230f6c
SHA256 f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87
SHA512 ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1
-
Filesize 373KB
MD5 7d246c632d2bf4e2a7ef1a13d0940ec0
SHA1 accb19ce32802fb7e268ad43e29f919810e423f8
SHA256 b6fec99ec42bd0f01304f2ff6733752b65bee274d39bd53dd4131c277a2aac79
SHA512 63d7eb0659d19a8183d40c81b2ef705b5fd8631ff049b46088f60b2936fea4fec199669239cd9d9dd161fd232d782d78a6b59073428d5039ed35de8a53e92383
-
Filesize 864KB
MD5 2a9c389b9fd376ecc40f591565531e9e
SHA1 59d5b8aba37a710dbb7926f0cb1561c672a59b96
SHA256 0569b96d8b717a0af32cbb4ad155c42da1eb3180e727fd123df54612ecc1eff9
SHA512 bff25a75559c70da7d7918afb7575ad64d5d08d8febb04f8987c0743a07857d305683a6975b1003ec2c3d6ccb92f7e5a171972c6bb22e532f25443021631b1d1
-
Filesize 1.3MB
MD5 9d7805a480ccb9fb877d7ba05b15dd9f
SHA1 bbef4eae1d880eb713823e58c8f7469c7e8a5783
SHA256 edfa30141d904b1da9de5942dc656c0dccb308c04e8786c4c08248d7f6a0394b
SHA512 ab539d58e9e0a0934ad11157713876b68a526966208f730b4ce41c2c9f6b5c18c6c092fc843ed292c83331a0ca37a0ca85e10c0c93353e7ee4970745aa7c16fe
-
Filesize 9.9MB
MD5 fe52776bea1e40791de81198fa50f9a4
SHA1 4c73c759e5131144dc82f60d385d440406230f6c
SHA256 f730cd04d180adc20a79b65aa169bd0e2671b308baf1ded12a867c52c6375e87
SHA512 ecf68170eb0ebcaa7585ecb39d025ba006f2c6f6094d520bcb5f0681e65c49090af84f1316604a9697499f023b4890663ab50d80ec3fa2a6c463f9309387f8f1