ssload | ca066896a28840f4eccb9150adf86170d83337650d28b128cb584e7d8b178695

General

Target

app.exe
Size

1.5MB
MD5

bd3231011448b2d6a335032d11c12cad
SHA1

b14bdeccca499668fac5049890bb7f3e5bef9537
SHA256

ca066896a28840f4eccb9150adf86170d83337650d28b128cb584e7d8b178695
SHA512

4fdf90883f5fde3aeb02b2ddc46c5e3cd421fe98697aca0d31b1aaea39598d2624c3339ab75a96997287c611a7d4dd8459b1c3341fe972cf049885d22c31f3de
SSDEEP

24576:U7fGyyeUW7jK9ijzqPoKQ+2L7uUgtAsjxy5U2dTfUpHkKBdsQM+WAM7W:OfFU2m9ijzWoK0zgtAsI5U2dTfAHowQW

Score

10^/10

ssload loader

Malware Config

Signatures

SSLoad
SSLoad Unpacked DLL payload.
loader ssload

Detects SSLoad Unpacked payload 4 IoCs

loader

Processes:

resource	yara_rule
behavioral2/memory/5072-1-0x00000000023E0000-0x0000000002449000-memory.dmp	family_ssload
behavioral2/memory/5072-14-0x00000000023E0000-0x0000000002449000-memory.dmp	family_ssload
behavioral2/memory/1760-15-0x0000000002270000-0x00000000022D9000-memory.dmp	family_ssload
behavioral2/memory/1760-16-0x0000000002270000-0x00000000022D9000-memory.dmp	family_ssload

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

87 1456 rundll32.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

app.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation app.exe
Executes dropped EXE 1 IoCs

Processes:

app.exe

pid process

1760 app.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3152 rundll32.exe
1456 rundll32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 api.ipify.org
30 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
87	1456	rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	app.exe

pid	process
1760	app.exe

pid	process
3152	rundll32.exe
1456	rundll32.exe

flow	ioc
29	api.ipify.org
30	api.ipify.org

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

app.exeapp.exerundll32.exe

description	pid	process	target process
PID 5072 wrote to memory of 1760	5072	app.exe	app.exe
PID 5072 wrote to memory of 1760	5072	app.exe	app.exe
PID 5072 wrote to memory of 1760	5072	app.exe	app.exe
PID 1760 wrote to memory of 3152	1760	app.exe	rundll32.exe
PID 1760 wrote to memory of 3152	1760	app.exe	rundll32.exe
PID 1760 wrote to memory of 3152	1760	app.exe	rundll32.exe
PID 3152 wrote to memory of 1456	3152	rundll32.exe	rundll32.exe
PID 3152 wrote to memory of 1456	3152	rundll32.exe	rundll32.exe
PID 1760 wrote to memory of 4084	1760	app.exe	rundll32.exe
PID 1760 wrote to memory of 4084	1760	app.exe	rundll32.exe
PID 1760 wrote to memory of 4084	1760	app.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\7041956494665639546\app.exe
  "C:\Users\Admin\AppData\Local\Temp\7041956494665639546\app.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\vtTbIPG\zVizMZWCQhr.dll,LTSoLUI
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\vtTbIPG\zVizMZWCQhr.dll,LTSoLUI
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:1456
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Roaming\Microsoft\vtTbIPG\Siq9y0yIISK.exe
    3⤵
    PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7041956494665639546\app.exe

Filesize
1.5MB

MD5
bd3231011448b2d6a335032d11c12cad

SHA1
b14bdeccca499668fac5049890bb7f3e5bef9537

SHA256
ca066896a28840f4eccb9150adf86170d83337650d28b128cb584e7d8b178695

SHA512
4fdf90883f5fde3aeb02b2ddc46c5e3cd421fe98697aca0d31b1aaea39598d2624c3339ab75a96997287c611a7d4dd8459b1c3341fe972cf049885d22c31f3de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\vtTbIPG\zVizMZWCQhr.dll

Filesize
615KB

MD5
3ef28aaf4994359294424230e93350de

SHA1
0428c582d8a00fe6c61860332e1aca74826f0de9

SHA256
b0c7181195e3739c5408f7db26660576d0656bf22dce4f2ab4d76925935f67e4

SHA512
13fe0237b346ea75edb1f8cda92ff4a859ef039414b172d9042be1b06bdcbcccca0c9e965eebb4acefe79db892df23f0a23f752e520947f10b4188a6209d5106

Download Submit
memory/1456-22-0x000002830A070000-0x000002830A0D0000-memory.dmp

Filesize
384KB

Download
memory/1760-12-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/1760-15-0x0000000002270000-0x00000000022D9000-memory.dmp

Filesize
420KB

Download
memory/1760-16-0x0000000002270000-0x00000000022D9000-memory.dmp

Filesize
420KB

Download
memory/1760-17-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5072-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5072-1-0x00000000023E0000-0x0000000002449000-memory.dmp

Filesize
420KB

Download
memory/5072-13-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5072-14-0x00000000023E0000-0x0000000002449000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing