ssload | ca066896a28840f4eccb9150adf86170d83337650d28b128cb584e7d8b178695

General

Target

app.exe
Size

1.5MB
MD5

bd3231011448b2d6a335032d11c12cad
SHA1

b14bdeccca499668fac5049890bb7f3e5bef9537
SHA256

ca066896a28840f4eccb9150adf86170d83337650d28b128cb584e7d8b178695
SHA512

4fdf90883f5fde3aeb02b2ddc46c5e3cd421fe98697aca0d31b1aaea39598d2624c3339ab75a96997287c611a7d4dd8459b1c3341fe972cf049885d22c31f3de
SSDEEP

24576:U7fGyyeUW7jK9ijzqPoKQ+2L7uUgtAsjxy5U2dTfUpHkKBdsQM+WAM7W:OfFU2m9ijzWoK0zgtAsI5U2dTfAHowQW

Score

10^/10

ssload loader

Malware Config

Signatures

SSLoad
SSLoad Unpacked DLL payload.
loader ssload

Detects SSLoad Unpacked payload 4 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/5000-1-0x0000000002240000-0x00000000022A9000-memory.dmp	family_ssload
behavioral1/memory/5000-7-0x0000000002240000-0x00000000022A9000-memory.dmp	family_ssload
behavioral1/memory/4424-9-0x0000000002270000-0x00000000022D9000-memory.dmp	family_ssload
behavioral1/memory/4424-10-0x0000000002270000-0x00000000022D9000-memory.dmp	family_ssload

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

22 3504 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

app.exejRT8CRKGIUR.exe

pid process

4424 app.exe
4128 jRT8CRKGIUR.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

520 rundll32.exe
3504 rundll32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
22	3504	rundll32.exe

pid	process
4424	app.exe
4128	jRT8CRKGIUR.exe

pid	process
520	rundll32.exe
3504	rundll32.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

app.exeapp.exerundll32.exeexplorer.exe

description	pid	process	target process
PID 5000 wrote to memory of 4424	5000	app.exe	app.exe
PID 5000 wrote to memory of 4424	5000	app.exe	app.exe
PID 5000 wrote to memory of 4424	5000	app.exe	app.exe
PID 4424 wrote to memory of 520	4424	app.exe	rundll32.exe
PID 4424 wrote to memory of 520	4424	app.exe	rundll32.exe
PID 4424 wrote to memory of 520	4424	app.exe	rundll32.exe
PID 520 wrote to memory of 3504	520	rundll32.exe	rundll32.exe
PID 520 wrote to memory of 3504	520	rundll32.exe	rundll32.exe
PID 4424 wrote to memory of 3456	4424	app.exe	explorer.exe
PID 4424 wrote to memory of 3456	4424	app.exe	explorer.exe
PID 4424 wrote to memory of 3456	4424	app.exe	explorer.exe
PID 4296 wrote to memory of 4128	4296	explorer.exe	jRT8CRKGIUR.exe
PID 4296 wrote to memory of 4128	4296	explorer.exe	jRT8CRKGIUR.exe
PID 4296 wrote to memory of 4128	4296	explorer.exe	jRT8CRKGIUR.exe

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\7041956494665639546\app.exe
  "C:\Users\Admin\AppData\Local\Temp\7041956494665639546\app.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\eqmGD0n\C9q1n0R5nGM.dll,LTSoLUI
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\eqmGD0n\C9q1n0R5nGM.dll,LTSoLUI
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:3504
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe C:\Users\Admin\AppData\Roaming\Microsoft\eqmGD0n\jRT8CRKGIUR.exe
    3⤵
    PID:3456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Users\Admin\AppData\Roaming\Microsoft\eqmGD0n\jRT8CRKGIUR.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\eqmGD0n\jRT8CRKGIUR.exe"
  2⤵
  - Executes dropped EXE
  PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7041956494665639546\app.exe

Filesize
1.5MB

MD5
bd3231011448b2d6a335032d11c12cad

SHA1
b14bdeccca499668fac5049890bb7f3e5bef9537

SHA256
ca066896a28840f4eccb9150adf86170d83337650d28b128cb584e7d8b178695

SHA512
4fdf90883f5fde3aeb02b2ddc46c5e3cd421fe98697aca0d31b1aaea39598d2624c3339ab75a96997287c611a7d4dd8459b1c3341fe972cf049885d22c31f3de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\eqmGD0n\C9q1n0R5nGM.dll

Filesize
615KB

MD5
3ef28aaf4994359294424230e93350de

SHA1
0428c582d8a00fe6c61860332e1aca74826f0de9

SHA256
b0c7181195e3739c5408f7db26660576d0656bf22dce4f2ab4d76925935f67e4

SHA512
13fe0237b346ea75edb1f8cda92ff4a859ef039414b172d9042be1b06bdcbcccca0c9e965eebb4acefe79db892df23f0a23f752e520947f10b4188a6209d5106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\eqmGD0n\jRT8CRKGIUR.exe

Filesize
2.3MB

MD5
64397899c5cd141e6c5da7aab56f0f42

SHA1
aed115066979e6abebad02f7087f0b50c27963c9

SHA256
16fbf35ccfa2ba2d6954c266d18f7b62a8ccc72d83a8a79c3ad810ea68e4aa93

SHA512
1610313eebb9ea5037820c898e8bfaf31f711d364687cdad7c0374dd18d7cf823d67c7651f1f84da7ff557bdd6c44ef9f10d3916643ce82665306bb5f42f8b5f

Download Submit
memory/3504-16-0x000002827E360000-0x000002827E3C0000-memory.dmp

Filesize
384KB

Download
memory/4424-8-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4424-9-0x0000000002270000-0x00000000022D9000-memory.dmp

Filesize
420KB

Download
memory/4424-10-0x0000000002270000-0x00000000022D9000-memory.dmp

Filesize
420KB

Download
memory/4424-11-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5000-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5000-1-0x0000000002240000-0x00000000022A9000-memory.dmp

Filesize
420KB

Download
memory/5000-6-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5000-7-0x0000000002240000-0x00000000022A9000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing