Analysis
- max time kernel: 136s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-01-2021 14:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: company profile.scr
- Resource: win7v20201028
General
- Target: company profile.scr
- Size: 1.4MB
- MD5: 02f3eef9da2ef90d0cf59bfaca176886
- SHA1: 6bca96158d72284a8b5a9e1fe01eb8504a1a05ff
- SHA256: 76ffd919e86b374004bcbc276cb6e18be4b63287d0ce6f7d9b1b756bfd79d47e
- SHA512: ce64211fa30c6c1f8541d8889e0e373a829abd4e786b1ef6b473e851e9e7cf7c5109d0b2f85936494d4d3125cf63ffc6a282c75e1a34cdcf052111753ac35747
Malware Config
Extracted: nanocore 1.2.2.0
- C2: kcfresh.duckdns.org:5050
- C2: kcfresh.ddns.net:5050
- Mutex: 0af7db9b-e643-4242-8d33-72a12cf49afa
Configuration:
- activate_away_mode: true
- backup_connection_host: kcfresh.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-08-30T11:16:25.017143336Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not recovered)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5050
- default_group: ONGOD
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0af7db9b-e643-4242-8d33-72a12cf49afa
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: kcfresh.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks whether UAC is enabled
  Processes:
    description       | ioc                                                                                   | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | company profile.scr
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         | pid  | process             | target process
    PID 3108 set thread context of 4056 | 3108 | company profile.scr | company profile.scr
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid  | process
    3292 | schtasks.exe
    3896 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid  | process
    3108 | company profile.scr
    3108 | company profile.scr
    3108 | company profile.scr
    4056 | company profile.scr
    4056 | company profile.scr
    4056 | company profile.scr
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid  | process
    4056 | company profile.scr
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 3108 | company profile.scr
    Token: SeDebugPrivilege | 4056 | company profile.scr
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                      | pid  | process             | target process
    PID 3108 wrote to memory of 3292 | 3108 | company profile.scr | schtasks.exe
    PID 3108 wrote to memory of 3292 | 3108 | company profile.scr | schtasks.exe
    PID 3108 wrote to memory of 3292 | 3108 | company profile.scr | schtasks.exe
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 3108 wrote to memory of 4056 | 3108 | company profile.scr | company profile.scr
    PID 4056 wrote to memory of 3896 | 4056 | company profile.scr | schtasks.exe
    PID 4056 wrote to memory of 3896 | 4056 | company profile.scr | schtasks.exe
    PID 4056 wrote to memory of 3896 | 4056 | company profile.scr | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\company profile.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\company profile.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UnShSbgF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCEBF.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\company profile.scr
    Command line: "{path}"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD3EF.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\company profile.scr.log
  MD5: b4f7a6a57cb46d94b72410eb6a6d45a9
  SHA1: 69f3596ffa027202d391444b769ceea0ae14c5f7
  SHA256: 23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b
  SHA512: be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c
- C:\Users\Admin\AppData\Local\Temp\tmpCEBF.tmp
  MD5: 80b8fddf12ecc1ac055aaba8cdb5ce94
  SHA1: 84f29b925e7b74900a1b437c7815df0d756b00e8
  SHA256: a674305cddfeb0d75159484a7b49ea1c2efc217ccc22e0a5305776f07f7e6dc9
  SHA512: 6f41116cfa03e839ae6bbb2a9b367a462c22d2fb2e1e23fbb0a7a138b721a0cca942a3f99028fc2a329b3399d669c1f5d6b66dd8ffcf763784d01f83547128c3
- C:\Users\Admin\AppData\Local\Temp\tmpD3EF.tmp
  MD5: 67bc2a03290cda46ca32937084b2f24e
  SHA1: 7243d7baa72f70b9a4484a0ee624d60108db3f2e
  SHA256: 90c09575440dcfa12d3f1d6b2656e4c5f6b137af9afd60263d285e0fe2061262
  SHA512: 3e9fff4a093bf4471fbfd77dedcf20eb9def41f9d24adfdfeec87827dc7c5429074621e4343a049699b33c174f16e18a3c9740c230d8890b89d0f94b1ab88906
- memory/3108-9-0x0000000002630000-0x0000000002631000-memory.dmp (Filesize: 4KB)
- memory/3108-7-0x000000000A560000-0x000000000A561000-memory.dmp (Filesize: 4KB)
- memory/3108-8-0x000000000A510000-0x000000000A511000-memory.dmp (Filesize: 4KB)
- memory/3108-6-0x000000000A880000-0x000000000A881000-memory.dmp (Filesize: 4KB)
- memory/3108-10-0x000000000A700000-0x000000000A70E000-memory.dmp (Filesize: 56KB)
- memory/3108-11-0x0000000004D80000-0x0000000004DD2000-memory.dmp (Filesize: 328KB)
- memory/3108-12-0x0000000004E90000-0x0000000004E91000-memory.dmp (Filesize: 4KB)
- memory/3108-2-0x00000000739A0000-0x000000007408E000-memory.dmp (Filesize: 6.9MB)
- memory/3108-5-0x00000000070F0000-0x000000000717E000-memory.dmp (Filesize: 568KB)
- memory/3108-3-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize: 4KB)
- memory/3292-13-0x0000000000000000-mapping.dmp
- memory/3896-25-0x0000000000000000-mapping.dmp
- memory/4056-16-0x000000000041E792-mapping.dmp
- memory/4056-18-0x00000000739A0000-0x000000007408E000-memory.dmp (Filesize: 6.9MB)
- memory/4056-15-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/4056-27-0x0000000005900000-0x0000000005905000-memory.dmp (Filesize: 20KB)
- memory/4056-28-0x0000000005620000-0x0000000005621000-memory.dmp (Filesize: 4KB)
- memory/4056-29-0x0000000005B60000-0x0000000005B79000-memory.dmp (Filesize: 100KB)
- memory/4056-30-0x0000000006780000-0x0000000006783000-memory.dmp (Filesize: 12KB)