Analysis
- max time kernel: 120s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 20-10-2021 07:23
Static task: static1
Behavioral task: behavioral1
Sample: 957cf22a9482b6f8dd1d2d3b372a89c2.exe
Resource: win7-en-20211014
General
- Target: 957cf22a9482b6f8dd1d2d3b372a89c2.exe
- Size: 1.4MB
- MD5: 957cf22a9482b6f8dd1d2d3b372a89c2
- SHA1: 968c7da9974abb70964b14111678b780c36d9b3c
- SHA256: c8f88e8482ac653cd2b03a54695c1b27cb1c9b3c607e30847688023f2076e537
- SHA512: 1134fc172bf643591bd137b08dff03caab70eb88dff584a7fc05a1d742663e9da3ddaa04ad7902fe2aea4fa8a8d9ec87b1e05fe5e25ec1ddfbdde382c0f6f62b
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: newme122.3utilities.com:8822, newme1122.3utilities.com:8822
Mutex: dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe
- activate_away_mode: true
- backup_connection_host: newme1122.3utilities.com
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-31T13:00:17.372768836Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8822
- default_group: A New TIme Has Come
- enable_debug_mode: true
- gc_threshold: 10485760 (reported as 1.048576e+07, i.e. 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (reported as 1.048576e+07, i.e. 10 MiB)
- mutex: dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: newme122.3utilities.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
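The extracted config gives a hunter three concrete network indicators: the primary and backup C2 names and the TCP port the implant connects to. The script below is an added example, not part of the sandbox report or of NanoCore itself. It copies those three values from the config above and runs them over constructed DNS-query and connection log lines in a hypothetical "ts client query" / "ts src:port -> dst:port proto" format; the weaker "same dynamic-DNS zone" heuristic is an assumption added for illustration, not something the report states.

```python
"""Network-side hunt built from the NanoCore config extracted above.

Added example, not part of the sandbox report. It takes the primary and
backup C2 host and the connection port from the config and runs them over
constructed DNS-query and connection log lines (hypothetical formats).
"""
import re
from collections import defaultdict

# Values copied from the "Malware Config" section of the report.
NANOCORE_CFG = {
    "primary_connection_host": "newme122.3utilities.com",
    "backup_connection_host": "newme1122.3utilities.com",
    "connection_port": 8822,
}

# Constructed sample logs. Assumed formats: "<ts> <client> <query>" and
# "<ts> <src>:<sport> -> <dst>:<dport> <proto>".
DNS_LOG = [
    "2021-10-20T07:25:01 10.0.0.15 NEWME122.3utilities.com",
    "2021-10-20T07:25:02 10.0.0.15 www.microsoft.com",
    "2021-10-20T07:25:09 10.0.0.15 newme1122.3utilities.com.",
    "2021-10-20T07:26:00 10.0.0.22 mail.example.org",
    "2021-10-20T07:27:30 10.0.0.30 othername.3utilities.com",
]
CONN_LOG = [
    "2021-10-20T07:25:03 10.0.0.15:49812 -> 203.0.113.7:8822 tcp",
    "2021-10-20T07:25:04 10.0.0.15:49813 -> 93.184.216.34:443 tcp",
    "2021-10-20T07:25:10 10.0.0.15:49814 -> 203.0.113.7:8822 tcp",
    "2021-10-20T07:26:05 10.0.0.22:50000 -> 198.51.100.9:8822 tcp",
]

CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def c2_hosts(cfg):
    """Both hosts the implant will try (primary first, then backup)."""
    return {cfg["primary_connection_host"].lower(),
            cfg["backup_connection_host"].lower()}


def scan_dns(lines, cfg):
    """Return (ts, client, query, reason) for queries that hit the C2 hosts.
    Matching is case-insensitive and ignores a trailing dot. Queries for other
    names in the same dynamic-DNS zone are reported as weaker, separate hits
    (assumption: the same operator may register new names under that zone)."""
    hosts = c2_hosts(cfg)
    zone = "." + cfg["primary_connection_host"].lower().split(".", 1)[1]
    hits = []
    for line in lines:
        ts, client, query = line.split()
        q = query.lower().rstrip(".")
        if q in hosts:
            hits.append((ts, client, q, "exact C2 host"))
        elif q.endswith(zone):
            hits.append((ts, client, q, "same dynamic-DNS zone as C2"))
    return hits


def scan_connections(lines, cfg, dns_hits):
    """Flag connections to the configured C2 port. A hit from a client that
    resolved a C2 name earlier (the implant resolves, then connects) is
    reported as strong; port-only matches are kept but marked weak."""
    port = cfg["connection_port"]
    resolved = defaultdict(set)
    for _ts, client, q, reason in dns_hits:
        if reason == "exact C2 host":
            resolved[client].add(q)
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, _proto = m.groups()
        if int(dport) != port:
            continue
        if src in resolved:
            names = ", ".join(sorted(resolved[src]))
            hits.append((ts, src, dst, "port %d after resolving %s" % (port, names)))
        else:
            hits.append((ts, src, dst, "port %d only, no C2 resolution seen (weak)" % port))
    return hits


if __name__ == "__main__":
    d = scan_dns(DNS_LOG, NANOCORE_CFG)
    for hit in d + scan_connections(CONN_LOG, NANOCORE_CFG, d):
        print(*hit)
```

Port 8822 alone is a weak indicator (any service may use it), which is why the connection scan only rates a hit as strong when the same client resolved one of the two configured names first; swap in your own log parser for the two constructed formats.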
Signatures
- Executes dropped EXE 2 IoCs
  Processes: dcvpquafd.pif, RegSvcs.exe
  pid 2280 dcvpquafd.pif
  pid 1360 RegSvcs.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  Processes: dcvpquafd.pif
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (dcvpquafd.pif)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleServices = "C:\\Users\\Admin\\17386207\\DCVPQU~1.PIF C:\\Users\\Admin\\17386207\\edask.vat" (dcvpquafd.pif)
  Note the 8.3 short name (DCVPQU~1.PIF) in the value data; a hunt that matches on the long file name alone will miss it.
- Checks whether UAC is enabled
  Processes: RegSvcs.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegSvcs.exe)
- Suspicious use of SetThreadContext 1 IoCs
  Processes: dcvpquafd.pif
  PID 2280 (dcvpquafd.pif) set thread context of PID 1360 (RegSvcs.exe)
  Together with the WriteProcessMemory calls from 2280 into 1360 listed below, this is the process-hollowing pattern: the dropped RegSvcs.exe is started and its memory and thread context overwritten with the NanoCore payload.
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for this sample the extracted family is NanoCore, a RAT, so drive enumeration on its own is not evidence of encryption activity.
- Suspicious behavior: EnumeratesProcesses 10 IoCs
  Processes: RegSvcs.exe (pid 1360, all 10 IoCs)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes: RegSvcs.exe (pid 1360)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: RegSvcs.exe
  Token: SeDebugPrivilege, pid 1360 RegSvcs.exe
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes: 957cf22a9482b6f8dd1d2d3b372a89c2.exe, dcvpquafd.pif
  PID 2180 (957cf22a9482b6f8dd1d2d3b372a89c2.exe) wrote to memory of PID 2280 (dcvpquafd.pif), 3 times
  PID 2280 (dcvpquafd.pif) wrote to memory of PID 1360 (RegSvcs.exe), 5 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\957cf22a9482b6f8dd1d2d3b372a89c2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\957cf22a9482b6f8dd1d2d3b372a89c2.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\17386207\dcvpquafd.pif
      Command line: "C:\Users\Admin\17386207\dcvpquafd.pif" edask.vat
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
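The Signatures and the process tree above give three host-side behaviours worth turning into detection logic: a Run-key value that launches a .pif (here written with the 8.3 short name DCVPQU~1.PIF), RegSvcs.exe running from a user's Temp directory rather than from its normal location under the .NET Framework directory, and a process spawned by a .pif parent. The script below is an added example, not part of the sandbox report or any vendor's tooling. It replays constructed Sysmon-style events (a minimal dict form with EventID 1 for process creation and 13 for registry value set; the field names follow Sysmon but the records are made up for this example) through those three checks.

```python
"""Host-side checks for the NanoCore loader behaviour recorded above.

Added example, not from the sandbox report. Events are constructed
Sysmon-style dicts (EventID 1 = process create, 13 = registry value set).
"""
import ntpath
import re

# Any value under ...\CurrentVersion\Run\ (HKLM, HKCU, WOW6432Node alike).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Where the genuine .NET Services Installation Tool lives.
DOTNET_REGSVCS_RE = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\regsvcs\.exe$", re.I)


def first_token(cmd):
    """Program path from a command line, honouring a quoted first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_pif(path):
    # The extension survives 8.3 shortening (DCVPQU~1.PIF), so check it only.
    return ntpath.splitext(path)[1].lower() == ".pif"


def check_run_key(ev):
    """EID 13: a Run value whose program is a .pif."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    target = first_token(ev.get("Details", ""))
    if is_pif(target):
        name = ev["TargetObject"].rsplit("\\", 1)[-1]
        return "Run key %s launches a .pif (%s)" % (name, target)
    return None


def check_regsvcs_location(ev):
    """EID 1: RegSvcs.exe started from outside the .NET Framework directory."""
    if ev.get("EventID") != 1:
        return None
    img = ev.get("Image", "")
    if ntpath.basename(img).lower() == "regsvcs.exe" and not DOTNET_REGSVCS_RE.match(img):
        return "RegSvcs.exe outside the .NET Framework directory: %s" % img
    return None


def check_pif_parent(ev):
    """EID 1: any process whose parent image is a .pif."""
    if ev.get("EventID") != 1 or not is_pif(ev.get("ParentImage", "")):
        return None
    return "%s spawned by a .pif (%s)" % (ntpath.basename(ev["Image"]), ev["ParentImage"])


CHECKS = (check_run_key, check_regsvcs_location, check_pif_parent)


def detect(events):
    """Return (ProcessId, finding) for every check that fires."""
    findings = []
    for ev in events:
        for chk in CHECKS:
            result = chk(ev)
            if result:
                findings.append((ev.get("ProcessId"), result))
    return findings


# Constructed events mirroring the process tree and Run-key IoC above,
# plus two benign records to show the checks staying quiet.
EVENTS = [
    {"EventID": 1, "ProcessId": 2280, "Image": r"C:\Users\Admin\17386207\dcvpquafd.pif",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\957cf22a9482b6f8dd1d2d3b372a89c2.exe"},
    {"EventID": 13, "ProcessId": 2280,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleServices",
     "Details": r"C:\Users\Admin\17386207\DCVPQU~1.PIF C:\Users\Admin\17386207\edask.vat"},
    {"EventID": 1, "ProcessId": 1360, "Image": r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
     "ParentImage": r"C:\Users\Admin\17386207\dcvpquafd.pif"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "ProcessId": 4200,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Program Files\Example\updater.exe" /background'},
]

if __name__ == "__main__":
    for pid, finding in detect(EVENTS):
        print(pid, finding)
```

The RegSvcs.exe location check is the highest-value one: the hollowed host here is a copy dropped into %TEMP%, and a legitimate RegSvcs.exe has no reason to run from a user-writable path. Extending it to the other .NET tools commonly used as hollowing hosts (RegAsm.exe, MSBuild.exe, InstallUtil.exe) is a one-line change to the regex.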
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\17386207\dcvpquafd.pif
MD5 1d7071dd5cda216508b235c0e2318b05
SHA1 0b972fbc1ea8a47204b2a187e608744a4e947bc2
SHA256 788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996
SHA512 65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118
-
C:\Users\Admin\17386207\edask.vat
MD5 b2fadf9828132b5d1883b5bf3850571f
SHA1 0fa8770e87f4819cf45570112cff825cd3c3bedc
SHA256 6a5ea5295355817b1782e504760a0925668743924d8406b8c62c98439ae27601
SHA512 dcf315145f6701def243c11ed365f8a9c22c0609ada7349b0e89a366c88b0a637de5256475fd32fc8df4da407343f32bc67bd94186006259ed52ff78e6c6ff19
-
C:\Users\Admin\17386207\ltgokssdov.mp3
MD5 4b6a00d393af4d73816edf20e082db9a
SHA1 ae93247477f6f7f8fbe311241baf66962f6ab7c5
SHA256 79dc15fe44c970c80e4871a5e7b83f451507853623bb34eda18eba7a10d68875
SHA512 fe1c440bc26fc4eedf0aeadfcc7b65cd9cd3bdf86aabf4be827e1513edb60fe8194eec01140c6fdb81dd501de9b5d033add5c40fb1540a77bc2ea202ed4965c6
-
C:\Users\Admin\17386207\spxkgme.ucf
MD5 24461c216ee93cde43cf9f46d70c9a0e
SHA1 78a31dddd030d3db4be437d7de36d1fffa7e2273
SHA256 8e41d3cac288024286d45ec002473a9feaddfe9b4fb9b50e6a6d26acbb1ecbdf
SHA512 5196efe4bd8e0d8339bdaf3476bd2a15fa13d34565b2095ff8dd79b162f9e02d9865dda74b8c22b43fd3bb5ebf93b725e4a5ee8da565b2376da30ae0cfb0d219
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5 0e06054beb13192588e745ee63a84173
SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
memory/1360-131-0x00000000055A0000-0x00000000055A1000-memory.dmp, filesize 4KB
memory/1360-135-0x00000000058F0000-0x00000000058F6000-memory.dmp, filesize 24KB
memory/1360-121-0x0000000000900000-0x0000000000F2E000-memory.dmp, filesize 6.2MB
memory/1360-127-0x0000000005AE0000-0x0000000005AE1000-memory.dmp, filesize 4KB
memory/1360-128-0x0000000005500000-0x0000000005501000-memory.dmp, filesize 4KB
memory/1360-129-0x0000000005680000-0x0000000005681000-memory.dmp, filesize 4KB
memory/1360-130-0x00000000055E0000-0x0000000005ADE000-memory.dmp, filesize 5.0MB
memory/1360-146-0x0000000006AB0000-0x0000000006AB1000-memory.dmp, filesize 4KB
memory/1360-132-0x0000000005670000-0x0000000005675000-memory.dmp, filesize 20KB
memory/1360-133-0x00000000057E0000-0x00000000057ED000-memory.dmp, filesize 52KB
memory/1360-134-0x00000000057F0000-0x0000000005805000-memory.dmp, filesize 84KB
memory/1360-122-0x000000000091E792-mapping.dmp
memory/1360-136-0x0000000005900000-0x0000000005907000-memory.dmp, filesize 28KB
memory/1360-138-0x0000000005AB0000-0x0000000005ABD000-memory.dmp, filesize 52KB
memory/1360-137-0x0000000005AA0000-0x0000000005AA6000-memory.dmp, filesize 24KB
memory/1360-139-0x00000000061E0000-0x00000000061E9000-memory.dmp, filesize 36KB
memory/1360-140-0x0000000006200000-0x000000000620F000-memory.dmp, filesize 60KB
memory/1360-141-0x0000000006210000-0x000000000621A000-memory.dmp, filesize 40KB
memory/1360-142-0x0000000006220000-0x0000000006239000-memory.dmp, filesize 100KB
memory/1360-143-0x0000000006240000-0x0000000006243000-memory.dmp, filesize 12KB
memory/1360-144-0x00000000064D0000-0x00000000064F9000-memory.dmp, filesize 164KB
memory/1360-145-0x0000000006520000-0x000000000652F000-memory.dmp, filesize 60KB
memory/2280-115-0x0000000000000000-mapping.dmp