| File name: | payload drop NSB ransomware and virlock |
| Full analysis: | https://app.any.run/tasks/df5e1809-168c-4eac-86e1-d29e25dcf1f4 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | November 11, 2023, 08:54:08 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 29671C98A348FB110B427CEF0E0A3014 |
| SHA1: | DA5DEDA0D4C608850DCCD623695AFA5DC743BBDF |
| SHA256: | BBD31363051A2F09AB984CEFDB81E366561FBDC7A5C1B107241D56FF9AFE3AA6 |
| SSDEEP: | 12288:0OGSbSu9ohsBL4l/xf4/rb9j9h4ZlEh4xF4k4M4p4s454vmayLExoDELEHntx2xd:0OGSbSu9dBL4l/xf4/rb9j9h4ZlEh4xC |
MALICIOUS
Drops the executable file immediately after the start
- payload drop NSB ransomware and virlock.exe (PID: 3128)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3948)
- nSoAoQMI.exe (PID: 3432)
Changes the autorun value in the registry
- nSoAoQMI.exe (PID: 3432)
Modifies files in the Chrome extension folder
- nSoAoQMI.exe (PID: 3432)
Probably malicious OneNote attachment is found
- nSoAoQMI.exe (PID: 3432)
Actions looks like stealing of personal data
- nSoAoQMI.exe (PID: 3432)
SUSPICIOUS
Starts CMD.EXE for commands execution
- payload drop NSB ransomware and virlock.exe (PID: 3128)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3140)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3948)
Uses REG/REGEDIT.EXE to modify registry
- payload drop NSB ransomware and virlock.exe (PID: 3128)
Reads the Internet Settings
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3140)
The process creates files with name similar to system file names
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3948)
Uses NETSH.EXE to change the status of the firewall
- syshost.exe (PID: 3768)
Executes as Windows Service
- syshost.exe (PID: 3768)
Uses NETSH.EXE to add a firewall rule or allowed programs
- syshost.exe (PID: 3768)
Connects to unusual port
- nSoAoQMI.exe (PID: 3432)
- QyswEEgY.exe (PID: 3456)
- syshost.exe (PID: 3768)
The process checks if it is being run in the virtual environment
- nSoAoQMI.exe (PID: 3432)
INFO
Checks supported languages
- nSoAoQMI.exe (PID: 3432)
- payload drop NSB ransomware and virlock.exe (PID: 3128)
- QyswEEgY.exe (PID: 3456)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3140)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3948)
- syshost.exe (PID: 3768)
Reads the computer name
- payload drop NSB ransomware and virlock.exe (PID: 3128)
- nSoAoQMI.exe (PID: 3432)
- QyswEEgY.exe (PID: 3456)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3140)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3948)
- syshost.exe (PID: 3768)
Creates files in the program directory
- payload drop NSB ransomware and virlock.exe (PID: 3128)
- QyswEEgY.exe (PID: 3456)
- nSoAoQMI.exe (PID: 3432)
The executable file from the user directory is run by the CMD process
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3140)
- 2015-10-21-Neutrino-EK-malware-payload.exe (PID: 3948)
Create files in a temporary directory
- payload drop NSB ransomware and virlock.exe (PID: 3128)
Changes appearance of the Explorer extensions
- reg.exe (PID: 3544)
- reg.exe (PID: 2912)
Reads the machine GUID from the registry
- syshost.exe (PID: 3768)
Creates files or folders in the user directory
- nSoAoQMI.exe (PID: 3432)
Process checks computer location settings
- nSoAoQMI.exe (PID: 3432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1970:01:01 01:02:03+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 5.12 |
| CodeSize: | 393728 |
| InitializedDataSize: | 4608 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5cb61 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
69
Monitored processes
16
Malicious processes
3
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2900 | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | C:\Windows\System32\reg.exe | — | payload drop NSB ransomware and virlock.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2912 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | C:\Windows\System32\reg.exe | — | payload drop NSB ransomware and virlock.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3128 | "C:\Users\admin\Desktop\payload drop NSB ransomware and virlock.exe" | C:\Users\admin\Desktop\payload drop NSB ransomware and virlock.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3140 | C:\Users\admin\AppData\Local\Temp\2015-10-21-Neutrino-EK-malware-payload.exe drop NSB ransomware and virlock.exe" | C:\Users\admin\AppData\Local\Temp\2015-10-21-Neutrino-EK-malware-payload.exe | — | cmd.exe | |||||||||||
User: admin Company: Accmeware Corporation Integrity Level: MEDIUM Description: FLAC to MP3 Converter Exit code: 0 Version: 6, 1, 7, 0 Modules
| |||||||||||||||
| 3216 | C:\Windows\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\2015-10-21-Neutrino-EK-malware-payload.exe drop NSB ransomware and virlock.exe" | C:\Windows\System32\cmd.exe | — | payload drop NSB ransomware and virlock.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3432 | "C:\Users\admin\qKQocMko\nSoAoQMI.exe" | C:\Users\admin\qKQocMko\nSoAoQMI.exe | payload drop NSB ransomware and virlock.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3456 | "C:\ProgramData\QYEcYIMU\QyswEEgY.exe" | C:\ProgramData\QYEcYIMU\QyswEEgY.exe | payload drop NSB ransomware and virlock.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3544 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | C:\Windows\System32\reg.exe | — | payload drop NSB ransomware and virlock.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3568 | "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=out new action=allow enable=yes profile=any | C:\Windows\System32\netsh.exe | — | syshost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3764 | "C:\Windows\system32\netsh.exe" advfirewall firewall set rule name="Core Networking - System IP Core" dir=in new action=allow enable=yes profile=any | C:\Windows\System32\netsh.exe | — | syshost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Network Command Shell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 926
Read events
3 739
Write events
187
Delete events
0
Modification events
| (PID) Process: | (3140) 2015-10-21-Neutrino-EK-malware-payload.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3140) 2015-10-21-Neutrino-EK-malware-payload.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3140) 2015-10-21-Neutrino-EK-malware-payload.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3140) 2015-10-21-Neutrino-EK-malware-payload.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3544) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| Operation: | write | Name: | Hidden |
Value: 1 | |||
| (PID) Process: | (2912) reg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| Operation: | write | Name: | HideFileExt |
Value: 0 | |||
| (PID) Process: | (3432) nSoAoQMI.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | nSoAoQMI.exe |
Value: C:\Users\admin\qKQocMko\nSoAoQMI.exe | |||
| (PID) Process: | (3764) netsh.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3872) netsh.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3568) netsh.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
1 013
Suspicious files
1
Text files
279
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3128 | payload drop NSB ransomware and virlock.exe | C:\Users\admin\qKQocMko\nSoAoQMI.exe | executable | |
MD5:F33DDA7DAD3E19663A5DD7026BC26623 | SHA256:AA1C9F6E6BCF06533A109E3BC84D1A00B564DC6C978E8C0446C188EAE25302B4 | |||
| 3432 | nSoAoQMI.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exe | executable | |
MD5:208E1EDEB0F3BD8F57AE7072E2FFBCFD | SHA256:4E00E743442A1EB6C3EECD75799675F164503F0028B5C151D7572B14757023F9 | |||
| 3432 | nSoAoQMI.exe | C:\Users\admin\Desktop\KAsW.exe | executable | |
MD5:686814D899A4D329CB6D57BCFDC0E02D | SHA256:BCB14384721F9C032CA6E46D05E90D8568A87FCF7A2F4DAA3420FC8369D2EBDF | |||
| 3948 | 2015-10-21-Neutrino-EK-malware-payload.exe | C:\Users\admin\AppData\Local\Temp\cbf60d3c.tmp | executable | |
MD5:3251E5EBE7C0E61AAC2D2F74B3423E12 | SHA256:3E2A76ED82BD9320700DEB079A8D6FDCB5236C37B8F5C2B0E72683FD8DACB048 | |||
| 3432 | nSoAoQMI.exe | C:\Users\admin\Desktop\NkEO.ico | image | |
MD5:83B6EF670DC0895AD0FB5CAD0C7FC5F9 | SHA256:83D9DEA522BED400139AA27D1C9BE33327A94ECDF2CEB6501F70A10489E7C57A | |||
| 3432 | nSoAoQMI.exe | C:\Users\admin\AppData\Local\VirtualStore\RCXA4D0.tmp | executable | |
MD5:208E1EDEB0F3BD8F57AE7072E2FFBCFD | SHA256:4E00E743442A1EB6C3EECD75799675F164503F0028B5C151D7572B14757023F9 | |||
| 3128 | payload drop NSB ransomware and virlock.exe | C:\Users\admin\AppData\Local\Temp\2015-10-21-Neutrino-EK-malware-payload.exe | executable | |
MD5:3251E5EBE7C0E61AAC2D2F74B3423E12 | SHA256:3E2A76ED82BD9320700DEB079A8D6FDCB5236C37B8F5C2B0E72683FD8DACB048 | |||
| 3432 | nSoAoQMI.exe | C:\Users\admin\qKQocMko\nSoAoQMI.inf | text | |
MD5:28A956F9B342B744ADE45F705DDB639E | SHA256:ED046135EEBDCC3972BE01731A1AC1D89951AC1A861D6CAF4EEBBE83DB79843B | |||
| 3456 | QyswEEgY.exe | C:\ProgramData\QYEcYIMU\QyswEEgY.inf | text | |
MD5:28A956F9B342B744ADE45F705DDB639E | SHA256:ED046135EEBDCC3972BE01731A1AC1D89951AC1A861D6CAF4EEBBE83DB79843B | |||
| 3768 | syshost.exe | C:\Windows\TEMP\b6205b5f-4d5a-fc60-72aa-989e74800151.tmp | binary | |
MD5:63B2DDEE671B5BD3EA2056378E21CFE6 | SHA256:8A6950F290560E3992E4B07F0CC54F3618D7FBE23E519AF5743A76D951BFF18A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
56
DNS requests
24
Threats
18
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3432 | nSoAoQMI.exe | GET | 403 | 216.58.214.14:80 | http://google.com/ | unknown | html | 1.54 Kb | unknown |
3456 | QyswEEgY.exe | GET | 403 | 216.58.214.14:80 | http://google.com/ | unknown | html | 1.54 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3432 | nSoAoQMI.exe | 200.87.164.69:9999 | — | Entel S.A. - EntelNet | BO | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3432 | nSoAoQMI.exe | 216.58.214.14:80 | — | GOOGLE | US | whitelisted |
3456 | QyswEEgY.exe | 200.87.164.69:9999 | — | Entel S.A. - EntelNet | BO | unknown |
3456 | QyswEEgY.exe | 216.58.214.14:80 | — | GOOGLE | US | whitelisted |
3768 | syshost.exe | 157.240.0.35:80 | facebook.com | FACEBOOK | US | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3768 | syshost.exe | 162.159.200.1:123 | 0.pool.ntp.org | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
facebook.com |
| whitelisted |
xybnucguoogm.com |
| unknown |
hvciczgbklplt.com |
| unknown |
stkvtasoihesl.com |
| unknown |
vkcgatuncexk.com |
| unknown |
0.pool.ntp.org |
| whitelisted |
1.pool.ntp.org |
| whitelisted |
2.pool.ntp.org |
| whitelisted |
npkxghmoru.biz |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3432 | nSoAoQMI.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check |
3456 | QyswEEgY.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check |
3456 | QyswEEgY.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Possible automated connectivity check (www.google.com) |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |
1080 | svchost.exe | Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD |