ssload | e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba

General

Target

e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
Size

408KB
MD5

d98749205fff0909e335b5eeb1378973
SHA1

927e94563e873026f5a3964fee8b008c9ad84b7b
SHA256

e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba
SHA512

c635fe74b819b21f35a6a3c8548e25c519323caf17c0fea04efd03a4116ef2a8d4036c3788c51553ba7045f2ec6c5c9adf534831f07f16111a8a142d5ab28205
SSDEEP

6144:iDzDSWsuWBjDbzcEXDmm2pcITwhoner+zP308sq+0cUkV8lQnr3Z5n19YzpYmZj:iDXSfDUkmm2px3NgqUUkV8lqp162mZj

Score

10^/10

ssload loader

Malware Config

Signatures

SSLoad
SSLoad Unpacked DLL payload.
loader ssload

Detects SSLoad Unpacked payload 1 IoCs

loader

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5795410910065270241\e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	family_ssload

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

27 2312 rundll32.exe
Downloads MZ/PE file

flow	pid	process
27	2312	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe

Executes dropped EXE 2 IoCs

Processes:

e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe41q1oGpbEVt.exe

pid process

3588 e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
2660 41q1oGpbEVt.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1820 rundll32.exe
2312 rundll32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3588	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
2660	41q1oGpbEVt.exe

pid	process
1820	rundll32.exe
2312	rundll32.exe

flow	ioc
11	api.ipify.org
12	api.ipify.org

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exee99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exerundll32.exeexplorer.exe

description	pid	process	target process
PID 1488 wrote to memory of 3588	1488	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
PID 1488 wrote to memory of 3588	1488	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
PID 1488 wrote to memory of 3588	1488	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
PID 3588 wrote to memory of 1820	3588	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	rundll32.exe
PID 3588 wrote to memory of 1820	3588	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	rundll32.exe
PID 3588 wrote to memory of 1820	3588	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	rundll32.exe
PID 1820 wrote to memory of 2312	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2312	1820	rundll32.exe	rundll32.exe
PID 3588 wrote to memory of 2916	3588	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	explorer.exe
PID 3588 wrote to memory of 2916	3588	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	explorer.exe
PID 3588 wrote to memory of 2916	3588	e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe	explorer.exe
PID 312 wrote to memory of 2660	312	explorer.exe	41q1oGpbEVt.exe
PID 312 wrote to memory of 2660	312	explorer.exe	41q1oGpbEVt.exe
PID 312 wrote to memory of 2660	312	explorer.exe	41q1oGpbEVt.exe

C:\Users\Admin\AppData\Local\Temp\e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
"C:\Users\Admin\AppData\Local\Temp\e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\5795410910065270241\e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe
  "C:\Users\Admin\AppData\Local\Temp\5795410910065270241\e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\HJiOQHr\VvVbn4T5VGL.dll,LTSoLUI
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\HJiOQHr\VvVbn4T5VGL.dll,LTSoLUI
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:2312
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe C:\Users\Admin\AppData\Roaming\Microsoft\HJiOQHr\41q1oGpbEVt.exe
    3⤵
    PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:312
- C:\Users\Admin\AppData\Roaming\Microsoft\HJiOQHr\41q1oGpbEVt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\HJiOQHr\41q1oGpbEVt.exe"
  2⤵
  - Executes dropped EXE
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5795410910065270241\e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba.exe

Filesize
408KB

MD5
d98749205fff0909e335b5eeb1378973

SHA1
927e94563e873026f5a3964fee8b008c9ad84b7b

SHA256
e99c79bc77c3b9679a974cbb9fd4fe2a952c675f56a05503b505b24304ba23ba

SHA512
c635fe74b819b21f35a6a3c8548e25c519323caf17c0fea04efd03a4116ef2a8d4036c3788c51553ba7045f2ec6c5c9adf534831f07f16111a8a142d5ab28205

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HJiOQHr\41q1oGpbEVt.exe

Filesize
2.3MB

MD5
64397899c5cd141e6c5da7aab56f0f42

SHA1
aed115066979e6abebad02f7087f0b50c27963c9

SHA256
16fbf35ccfa2ba2d6954c266d18f7b62a8ccc72d83a8a79c3ad810ea68e4aa93

SHA512
1610313eebb9ea5037820c898e8bfaf31f711d364687cdad7c0374dd18d7cf823d67c7651f1f84da7ff557bdd6c44ef9f10d3916643ce82665306bb5f42f8b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\HJiOQHr\VvVbn4T5VGL.dll

Filesize
615KB

MD5
3ef28aaf4994359294424230e93350de

SHA1
0428c582d8a00fe6c61860332e1aca74826f0de9

SHA256
b0c7181195e3739c5408f7db26660576d0656bf22dce4f2ab4d76925935f67e4

SHA512
13fe0237b346ea75edb1f8cda92ff4a859ef039414b172d9042be1b06bdcbcccca0c9e965eebb4acefe79db892df23f0a23f752e520947f10b4188a6209d5106

Download Submit
memory/2312-12-0x000001AB0EC60000-0x000001AB0ECC0000-memory.dmp

Filesize
384KB

Download
memory/2312-13-0x000001AB0EBF0000-0x000001AB0EC51000-memory.dmp

Filesize
388KB

Download
memory/2312-14-0x000001AB0EC60000-0x000001AB0ECC0000-memory.dmp

Filesize
384KB

Download
memory/2660-18-0x000000006BAC0000-0x000000006BB16000-memory.dmp

Filesize
344KB

Download
memory/2660-28-0x0000000002850000-0x000000000288D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads