Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-01-2021 14:03

Static task: static1
Behavioral task: behavioral1
- Sample: company profile.scr
- Resource: win7v20201028
General
- Target: company profile.scr
- Size: 1.4MB
- MD5: 02f3eef9da2ef90d0cf59bfaca176886
- SHA1: 6bca96158d72284a8b5a9e1fe01eb8504a1a05ff
- SHA256: 76ffd919e86b374004bcbc276cb6e18be4b63287d0ce6f7d9b1b756bfd79d47e
- SHA512: ce64211fa30c6c1f8541d8889e0e373a829abd4e786b1ef6b473e851e9e7cf7c5109d0b2f85936494d4d3125cf63ffc6a282c75e1a34cdcf052111753ac35747
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: kcfresh.duckdns.org:5050, kcfresh.ddns.net:5050
- Mutex: 0af7db9b-e643-4242-8d33-72a12cf49afa

Configuration fields:
- activate_away_mode: true
- backup_connection_host: kcfresh.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-08-30T11:16:25.017143336Z
- bypass_user_account_control: false
- bypass_user_account_control_data: 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
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5050
- default_group: ONGOD
- enable_debug_mode: true
- gc_threshold: 10485760 (shown as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (shown as 1.048576e+07)
- mutex: 0af7db9b-e643-4242-8d33-72a12cf49afa
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: kcfresh.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks whether UAC is enabled (1 IoCs)
  Processes:
    description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: company profile.scr
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 880 set thread context of 332 | pid: 880 | process: company profile.scr | target process: company profile.scr
  (The parent redirects a thread in a second copy of its own image after writing into that copy's memory; together with the 0x41E792 mapping dump inside the child's 0x400000 image region this is consistent with process hollowing.)
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid 1688 schtasks.exe
    pid 1648 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid 880 company profile.scr (3 IoCs)
    pid 332 company profile.scr (3 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid 332 company profile.scr
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege | pid 880 company profile.scr
    Token: SeDebugPrivilege | pid 332 company profile.scr
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 880 wrote to memory of 1688 (company profile.scr -> schtasks.exe), 4 IoCs
    PID 880 wrote to memory of 332 (company profile.scr -> company profile.scr), 9 IoCs
    PID 332 wrote to memory of 1648 (company profile.scr -> schtasks.exe), 4 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\company profile.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\company profile.scr" /S
    (/S is the switch Windows passes to a screensaver to start it; the sample is an executable with a .scr extension run from the user's Temp directory.)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UnShSbgF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB931.tmp"
        (The command line names System32 but the image that ran is in SysWOW64: the parent is a 32-bit process subject to WOW64 file system redirection.)
        - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Local\Temp\company profile.scr
        Command line: "{path}" (as recorded by the sandbox)
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBE5F.tmp"
            - Creates scheduled task(s)
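The process tree above has three behaviours worth turning into detection logic: an executable with a .scr extension started from the user's Temp directory, schtasks.exe registering a task from an XML file in Temp, and a parent that spawns a second copy of its own image and writes into it (the hollowing pattern behind the SetThreadContext and WriteProcessMemory signatures). The following is an added example, not part of the sandbox report or of any vendor product. It runs the three checks over constructed Sysmon-style events that mirror the PIDs, images and command lines recorded here; the field names, the explorer.exe parent and PID 1200 are assumptions of the example and must be mapped to your own telemetry.

```python
"""Detection logic for the behaviours recorded in this report (added example,
not part of the report). Input is a list of constructed Sysmon-style events;
field names are an assumption of this example."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    kind: str                          # "proc_create" or "mem_write"
    pid: int                           # acting process
    image: str                         # image path of the acting process
    cmdline: str = ""                  # proc_create only
    parent_pid: Optional[int] = None   # proc_create only
    parent_image: str = ""             # proc_create only
    target_pid: Optional[int] = None   # mem_write only: process written to


SCR = r"C:\Users\Admin\AppData\Local\Temp\company profile.scr"
TASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed events mirroring the report's tree. The explorer.exe parent
# and PID 1200 are assumed; everything else is taken from the report.
EVENTS = [
    Event("proc_create", 880, SCR, f'"{SCR}" /S', 1200, r"C:\Windows\explorer.exe"),
    Event("proc_create", 1688, TASKS,
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UnShSbgF" '
          r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB931.tmp"', 880, SCR),
    Event("mem_write", 880, SCR, target_pid=1688),  # parent -> fresh child: routine
    Event("proc_create", 332, SCR, '"{path}"', 880, SCR),
    Event("mem_write", 880, SCR, target_pid=332),   # report shows 9 such writes
    Event("mem_write", 880, SCR, target_pid=332),
    Event("proc_create", 1648, TASKS,
          r'"schtasks.exe" /create /f /tn "WPA Host" '
          r'/xml "C:\Users\Admin\AppData\Local\Temp\tmpBE5F.tmp"', 332, SCR),
    Event("mem_write", 332, SCR, target_pid=1648),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)


def scr_in_temp(ev: Event):
    """A .scr (screensaver) executable launched from a user Temp directory."""
    if ev.kind == "proc_create" and ev.image.lower().endswith(".scr") \
            and TEMP_RE.search(ev.image):
        return {"rule": "scr_in_temp", "pid": ev.pid, "image": ev.image}
    return None


def schtasks_xml_from_temp(ev: Event):
    """schtasks.exe creating a task whose definition XML lives in Temp."""
    if ev.kind != "proc_create" or not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    cl = ev.cmdline.lower()
    if "/create" in cl and "/xml" in cl and TEMP_RE.search(ev.cmdline):
        m = TASK_NAME_RE.search(ev.cmdline)
        return {"rule": "schtasks_xml_from_temp", "pid": ev.pid,
                "task": m.group(1) if m else None, "parent": ev.parent_image}
    return None


def same_image_child_written(events):
    """Parent writes into a child it created from its own image path.
    CreateProcess itself writes into any new child, so writes into a
    different image (880 -> schtasks.exe) are deliberately not flagged."""
    created = {e.pid: e for e in events if e.kind == "proc_create"}
    seen, hits = set(), []
    for e in events:
        if e.kind != "mem_write":
            continue
        child = created.get(e.target_pid)
        if child is None or child.parent_pid != e.pid:
            continue
        if child.image.lower() != e.image.lower():
            continue
        key = (e.pid, e.target_pid)
        if key in seen:
            continue
        seen.add(key)
        hits.append({"rule": "same_image_child_written", "pid": e.pid,
                     "target_pid": e.target_pid, "image": e.image})
    return hits


def detect(events):
    """Run all three rules and return the findings as a list of dicts."""
    findings = []
    for e in events:
        for rule in (scr_in_temp, schtasks_xml_from_temp):
            f = rule(e)
            if f:
                findings.append(f)
    findings.extend(same_image_child_written(events))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Against the constructed events this yields five findings: both copies of company profile.scr (880 and 332), both schtasks.exe instances with the task names Updates\UnShSbgF and WPA Host, and one hollowing hit for 880 writing into 332. The parent's writes into the schtasks.exe children are not reported, because the same-image condition is what separates a hollowed child from ordinary process creation; the schtasks rule matches on /create and /xml case-insensitively, since the two invocations in this report differ in case and argument order.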
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB931.tmp
  MD5: 03faaf08a924e5a6029de7019df13dc1
  SHA1: 357af48301f54f82688ff868d7eab2d6bd2f6672
  SHA256: 2e3632cd6221ef4c10d022753ce94e1b3266f8f541b98c6ad4f225b69ba16e1b
  SHA512: 8d1886415532ebd44e47d216c6626d7b53bc44f185c8f61d277b18834c7d8c1a2ff39ee9daf46d54503f8da10216e2181922c41eb5ac7b9363d749ed13f00575
- C:\Users\Admin\AppData\Local\Temp\tmpBE5F.tmp
  MD5: 67bc2a03290cda46ca32937084b2f24e
  SHA1: 7243d7baa72f70b9a4484a0ee624d60108db3f2e
  SHA256: 90c09575440dcfa12d3f1d6b2656e4c5f6b137af9afd60263d285e0fe2061262
  SHA512: 3e9fff4a093bf4471fbfd77dedcf20eb9def41f9d24adfdfeec87827dc7c5429074621e4343a049699b33c174f16e18a3c9740c230d8890b89d0f94b1ab88906
Memory dumps (pid-index: range, size):
- memory/332-11: 0x0000000000400000-0x0000000000438000 (224KB)
- memory/332-12: 0x000000000041E792 (mapping)
- memory/332-13: 0x0000000074120000-0x000000007480E000 (6.9MB)
- memory/332-14: 0x0000000000400000-0x0000000000438000 (224KB)
- memory/332-16: 0x0000000004A40000-0x0000000004A41000 (4KB)
- memory/332-19: 0x0000000000450000-0x0000000000455000 (20KB)
- memory/332-20: 0x00000000004E0000-0x00000000004F9000 (100KB)
- memory/332-21: 0x0000000000460000-0x0000000000463000 (12KB)
- memory/880-2: 0x0000000074120000-0x000000007480E000 (6.9MB)
- memory/880-3: 0x0000000000A90000-0x0000000000A91000 (4KB)
- memory/880-5: 0x0000000000A00000-0x0000000000A8E000 (568KB)
- memory/880-6: 0x00000000004B0000-0x00000000004B1000 (4KB)
- memory/880-7: 0x0000000000470000-0x000000000047E000 (56KB)
- memory/880-8: 0x00000000021C0000-0x0000000002212000 (328KB)
- memory/1648-17: 0x0000000000000000 (mapping)
- memory/1688-9: 0x0000000000000000 (mapping)