Analysis
- max time kernel: 151s
- max time network: 114s
- platform: windows7_x64
- resource: win7v200722
- submitted: 28-08-2020 05:18

Static task: static1
Behavioral task: behavioral1
- Sample: nocrypt.dll
- Resource: win7v200722 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: nocrypt.dll
- Size: 156KB
- MD5: 388cc3b6cd3ae537f404e235556d78ad
- SHA1: 2a41fdcb1e82af69fc6c41d572039204b16e43dd
- SHA256: 63f29f078acebb36b44d7875c4a54ec051736481ee85898a2ad7e28e2fe1dc08
- SHA512: 5edc123da2507e2bac2c642bce8b7654bc0c69c792cd1523dcc6766754220109040de2a2197a0314a47f0560cbd593a3f80606959654329b3af1af2de12584f2
- Score: 10/10
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 1768 created 1236 | 1768 | rundll32.exe | Explorer.EXE
- Blacklisted process makes network request (24 IoCs)
  Processes (flow | pid | process):
    flows 8, 10, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34 | 1588 | msiexec.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Modifies service (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | ipconfig.exe
    Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | ipconfig.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 1768 set thread context of 1588 | 1768 | rundll32.exe | msiexec.exe
- Discovers systems in the same network (1 TTP, 2 IoCs)
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes (pid | process):
    240 | ipconfig.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    1768 | rundll32.exe
    1588 | msiexec.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege    | 1768 | rundll32.exe
    Token: SeSecurityPrivilege | 1588 | msiexec.exe
    Token: SeSecurityPrivilege | 1588 | msiexec.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (description | pid | process | target process); identical rows are collapsed with their count:
    PID 1516 wrote to memory of 1768 | 1516 | rundll32.exe | rundll32.exe  (x7)
    PID 1768 wrote to memory of 1588 | 1768 | rundll32.exe | msiexec.exe   (x9)
    PID 1588 wrote to memory of 300  | 1588 | msiexec.exe  | cmd.exe       (x4)
    PID 300 wrote to memory of 240   | 300  | cmd.exe      | ipconfig.exe  (x4)
    PID 1588 wrote to memory of 1476 | 1588 | msiexec.exe  | cmd.exe       (x4)
    PID 1476 wrote to memory of 908  | 1476 | cmd.exe      | net.exe       (x4)
    PID 908 wrote to memory of 968   | 908  | net.exe      | net1.exe      (x4)
    PID 1588 wrote to memory of 940  | 1588 | msiexec.exe  | cmd.exe       (x4)
    PID 940 wrote to memory of 1748  | 940  | cmd.exe      | net.exe       (x4)
    PID 1588 wrote to memory of 1452 | 1588 | msiexec.exe  | cmd.exe       (x4)
    PID 1452 wrote to memory of 1836 | 1452 | cmd.exe      | net.exe       (x4)
Processes (tree by parent; each entry is image path, then command line, then signatures hit)
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\nocrypt.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe C:\Users\Admin\AppData\Local\Temp\nocrypt.dll,#1
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (parented to Explorer.EXE)
    cmdline: msiexec.exe
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c ipconfig /all
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\ipconfig.exe
        cmdline: ipconfig /all
        - Modifies service
        - Gathers network information
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c net config workstation
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        cmdline: net config workstation
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe
          cmdline: C:\Windows\system32\net1 config workstation
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c net view /all
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        cmdline: net view /all
        - Discovers systems in the same network
    - C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c net view /all /domain
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe
        cmdline: net view /all /domain
        - Discovers systems in the same network
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps; file size shown where the report gives one)
- memory/240-7-0x0000000000000000-mapping.dmp
- memory/300-6-0x0000000000000000-mapping.dmp
- memory/908-9-0x0000000000000000-mapping.dmp
- memory/940-11-0x0000000000000000-mapping.dmp
- memory/968-10-0x0000000000000000-mapping.dmp
- memory/1292-5-0x000007FEF8560000-0x000007FEF87DA000-memory.dmp (2.5MB)
- memory/1452-13-0x0000000000000000-mapping.dmp
- memory/1476-8-0x0000000000000000-mapping.dmp
- memory/1588-3-0x0000000000090000-0x00000000000BC000-memory.dmp (176KB)
- memory/1588-4-0x0000000000000000-mapping.dmp
- memory/1588-2-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
- memory/1588-1-0x0000000000090000-0x00000000000BC000-memory.dmp (176KB)
- memory/1748-12-0x0000000000000000-mapping.dmp
- memory/1768-0-0x0000000000000000-mapping.dmp
- memory/1836-14-0x0000000000000000-mapping.dmp