Analysis
- max time kernel: 151s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 14:10

Static task: static1
Behavioral task: behavioral1
- Sample: Output.js
- Resource: win7-en-20210920
General
- Target: Output.js
- Size: 1.5MB
- MD5: 10121200161a9b69383c486c79db5c3c
- SHA1: bd3a112217bd7dbfacd85d0375e26b048c617cb2
- SHA256: a6aaa67c49799355898d8682152182b03f37a7d603bac9a70ddd7e0f9634aced
- SHA512: d6bc5157638b35997c5a937c70c700f671e4cdc11eb19e4665defc1c332d246b16f017bb76d8fc87dcc3d7df1d8471ce5d9730e218ffd7d9c0cacc8b3ac74eda
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 23.105.131.186:8777
- Mutex: f96139ab-4501-4b7f-8179-e6ccdbddf26e

Attributes:
- activate_away_mode: true
- backup_connection_host: 23.105.131.186
- backup_dns_server:
- buffer_size: 65535
- build_time: 2021-07-24T21:27:22.697649536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8777
- default_group: new bind
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f96139ab-4501-4b7f-8179-e6ccdbddf26e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 23.105.131.186
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Disables Task Manager via registry modification

- Executes dropped EXE (2 IoCs)
  Processes: PID 1296 Filname.exe; PID 1392 vmgsxoas.pif

- Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk (vmgsxoas.pif)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk (vmgsxoas.pif)

- Adds Run key to start application (2 TTPs, 6 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\08480610 = "c:\\08480610\\start.vbs" (vmgsxoas.pif)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" (RegSvcs.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (vmgsxoas.pif)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\08480610\\vmgsxoas.pif c:\\08480610\\nxxe.dst" (vmgsxoas.pif)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "c:\\08480610\\Update.vbs" (vmgsxoas.pif)
  Key created: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (vmgsxoas.pif)

- Suspicious use of SetThreadContext (1 IoC)
  PID 1392 (vmgsxoas.pif) set thread context of PID 2296 (RegSvcs.exe)

- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe (RegSvcs.exe)
  File opened for modification: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe (RegSvcs.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 1392 vmgsxoas.pif; PID 2296 RegSvcs.exe (64 occurrences in total)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 2296 RegSvcs.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2296 RegSvcs.exe

- Suspicious use of WriteProcessMemory (32 IoCs)
  PID 2784 wscript.exe wrote to memory of PID 1296 Filname.exe (3 occurrences)
  PID 1296 Filname.exe wrote to memory of PID 1392 vmgsxoas.pif (3 occurrences)
  PID 1392 vmgsxoas.pif wrote to memory of mshta.exe PIDs 2544, 1048, 2768, 828, 1040, 3452, 3572 (3 occurrences each)
  PID 1392 vmgsxoas.pif wrote to memory of PID 2296 RegSvcs.exe (5 occurrences)
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Output.js
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Filname.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Filname.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\08480610\vmgsxoas.pif
         Command line: "C:\08480610\vmgsxoas.pif" nxxe.dst
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\mshta.exe (7 instances, each launched as "C:\Windows\SysWOW64\mshta.exe" with no arguments)
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Downloads
Dropped files:
- C:\08480610\hrmrjq.egw
- C:\08480610\nxxe.dst
- C:\08480610\segwpjxen.msc
- C:\08480610\vmgsxoas.pif
- C:\Users\Admin\AppData\Local\Temp\Filname.exe