Analysis
- max time kernel: 120s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 27-10-2021 10:22

Static task: static1
Behavioral task: behavioral1
- Sample: RHK098760045678009000.exe
- Resource: win7-en-20211014
General
- Target: RHK098760045678009000.exe
- Size: 435KB
- MD5: 8ae8a20159a1fdedd8c4937e8cc4c571
- SHA1: a68c405aa1bec64c9790c321b4785c98f5c9a2a6
- SHA256: bd386b60f5a095f369d4473d5f3185c226363a563f45326cea048e10f0ff403b
- SHA512: ae7ec190db374595c4612f937f8ff98172b4a9c828e218806498e6443c0490cfdf92fe7a8f2b965dc34015c5b5e004dd02c53289a55c94e194f079b0e8017261
Malware Config
Extracted
- family: nanocore
- version: 1.2.2.0
- C2: 185.222.57.90:4445
- mutex: 319d0527-f6c8-4b20-86a3-4c642aa02ef8
- activate_away_mode: true
- backup_connection_host: 185.222.57.90
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-08-06T10:35:01.991255736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4445
- default_group: MONEY
- enable_debug_mode: true
- gc_threshold: 10485760 (shown as 1.048576e+07; 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (shown as 1.048576e+07; 10 MiB)
- mutex: 319d0527-f6c8-4b20-86a3-4c642aa02ef8
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: (empty in the extracted config; the C2 listed above is backup_connection_host combined with connection_port)
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Loads dropped DLL (1 IoC)
  PID 1772 RHK098760045678009000.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsvc.exe" (RHK098760045678009000.exe)
- Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RHK098760045678009000.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1772 RHK098760045678009000.exe set thread context of PID 1164 RHK098760045678009000.exe
  Read together with the WriteProcessMemory events from 1772 to 1164 below, this is the usual process-hollowing pattern: the first instance starts a second copy of its own image, overwrites that copy's memory and then redirects its thread before letting it run.
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe (RHK098760045678009000.exe)
  File opened for modification: C:\Program Files (x86)\SMTP Service\smtpsvc.exe (RHK098760045678009000.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature; the sample is identified above as NanoCore, a remote-access trojan, so the drive enumeration here is better read as file-system reconnaissance than as the ransomware behaviour the generic text suggests.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1164 RHK098760045678009000.exe (6 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1164 RHK098760045678009000.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 1164 RHK098760045678009000.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1772 RHK098760045678009000.exe wrote to memory of PID 1164 RHK098760045678009000.exe (11 events)
  PID 1164 RHK098760045678009000.exe wrote to memory of PID 848 schtasks.exe (4 events)
  PID 1164 RHK098760045678009000.exe wrote to memory of PID 1228 schtasks.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe (PID 1772)
  "C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe (PID 1164, child of 1772)
    "C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD6BF.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD9BD.tmp"
      - Creates scheduled task(s)
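The signatures and process tree above describe four host-side behaviours that translate directly into detections: a process spawning a second copy of its own image (the hollowing parent/child pair 1772 -> 1164), schtasks /create being fed a task definition from %TEMP%\tmpXXXX.tmp, a Run value pointing at the dropped smtpsvc.exe, and a connection to the extracted C2. The Python below is an added example, not sandbox output and not NanoCore code. It evaluates those rules over a handful of constructed Sysmon-style events (field names follow Sysmon; the PIDs are taken from the tree; the EventID 3 record is built from the extracted config because the report's Network section is empty) and then chains the self-spawned child to its schtasks launch.

```python
"""Host-side triage for the behaviours in this report, run over constructed
Sysmon-style events.  Added example; not part of the sandbox output."""
import re
from typing import Dict, List, Tuple

# Indicators copied from the report above.
C2_HOST, C2_PORT = "185.222.57.90", 4445
PERSIST_EXE = r"c:\program files (x86)\smtp service\smtpsvc.exe"
RUN_VALUE = r"\currentversion\run\smtp service"

# "schtasks /create ... /xml %TEMP%\tmpXXXX.tmp": the task body is read from a
# throw-away temp file, as both schtasks invocations in the process tree do.
TASK_XML_IN_TEMP = re.compile(
    r'/create\b.*/xml\s+"?[^"]*\\appdata\\local\\temp\\tmp[0-9a-f]{4}\.tmp', re.I)

Finding = Tuple[str, int, str]  # (rule, pid, detail)


def check_event(ev: Dict[str, object]) -> List[Finding]:
    """Apply the per-event rules to one Sysmon-style event (Sysmon field names)."""
    hits: List[Finding] = []
    eid = ev.get("EventID")
    pid = int(ev.get("ProcessId", 0))
    image = str(ev.get("Image", "")).lower()

    if eid == 1:  # process creation
        parent = str(ev.get("ParentImage", "")).lower()
        cmd = str(ev.get("CommandLine", ""))
        # The 1772 -> 1164 relationship: an image spawning a second copy of
        # itself. Weak alone (updaters do this); the SetThreadContext and
        # WriteProcessMemory hits on that pair are what make it hollowing.
        if image and image == parent:
            hits.append(("self_spawn", pid, f"{image} spawned itself"))
        if image.endswith("\\schtasks.exe") and TASK_XML_IN_TEMP.search(cmd):
            hits.append(("schtasks_xml_from_temp", pid, cmd))
    elif eid == 13:  # registry value set
        target = str(ev.get("TargetObject", "")).lower()
        details = str(ev.get("Details", "")).strip('"').lower()
        if "\\currentversion\\run\\" in target:
            if target.endswith(RUN_VALUE) or details == PERSIST_EXE:
                hits.append(("run_key_nanocore_ioc", pid, f"{target} = {details}"))
            elif "\\appdata\\local\\temp\\" in image:
                # Generic form: a Run entry written by code executing out of %TEMP%.
                hits.append(("run_key_from_temp_process", pid, f"{target} = {details}"))
    elif eid == 3:  # network connection
        dest = (str(ev.get("DestinationIp", "")), int(ev.get("DestinationPort", 0)))
        if dest == (C2_HOST, C2_PORT):
            hits.append(("nanocore_c2_connect", pid, f"{image} -> {C2_HOST}:{C2_PORT}"))
    return hits


def triage(events: List[Dict[str, object]]) -> List[Finding]:
    """Per-event rules plus one chained rule: a self-spawned child (the
    hollowing target) that then registers a scheduled task from %TEMP%."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    child_pids = {pid for rule, pid, _ in findings if rule == "self_spawn"}
    schtasks_pids = {pid for rule, pid, _ in findings if rule == "schtasks_xml_from_temp"}
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent, pid = int(ev.get("ParentProcessId", 0)), int(ev.get("ProcessId", 0))
        if parent in child_pids and pid in schtasks_pids:
            findings.append(("hollowed_child_persists_via_schtasks", parent,
                             f"child {parent} launched schtasks pid {pid}"))
    return findings


# Constructed events mirroring the process tree (PIDs taken from the report).
# The EventID 3 record is built from the extracted C2; the report's own
# Network section is empty.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessId": 1164, "ParentProcessId": 1772, "Image": DROPPER,
     "ParentImage": DROPPER, "CommandLine": f'"{DROPPER}"'},
    {"EventID": 13, "ProcessId": 1164, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service",
     "Details": r"C:\Program Files (x86)\SMTP Service\smtpsvc.exe"},
    {"EventID": 1, "ProcessId": 848, "ParentProcessId": 1164,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": DROPPER,
     "CommandLine": r'"schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD6BF.tmp"'},
    {"EventID": 3, "ProcessId": 1164, "Image": DROPPER,
     "DestinationIp": "185.222.57.90", "DestinationPort": 4445},
    # Benign control: an operator importing a task definition kept under ProgramData.
    {"EventID": 1, "ProcessId": 2200, "ParentProcessId": 2100,
     "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'},
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid:<5} {detail}")
```

The self-spawn rule is deliberately kept separate from the chained rule: on its own it also fires for legitimate self-updating software, so it is the combination with a schtasks import from %TEMP% (or, in EDR telemetry that exposes it, the SetThreadContext/WriteProcessMemory pair the sandbox saw) that should raise severity.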
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD6BF.tmp (task definition passed to schtasks /xml for "SMTP Service")
  MD5: db2b9934bff158cab498a9fc4d9c1715
  SHA1: 4b2eca3bde44b15162a01df5de675958532f5a59
  SHA256: 5530592ea8bd278a5ae7713ee77c892fa69295470d87e73e8d9442bd032e3e37
  SHA512: fb51095b00c05da525e760294abdd107bdb03e1ab522ae70016fa7b12d522e3921a1b8560e5cb66a230c9927da811bc0de5e18544afa04756f671339aa972b7f
- C:\Users\Admin\AppData\Local\Temp\tmpD9BD.tmp (task definition passed to schtasks /xml for "SMTP Service Task")
  MD5: cfae5a3b7d8aa9653fe2512578a0d23a
  SHA1: a91a2f8daef114f89038925ada6784646a0a5b12
  SHA256: 2ab741415f193a2a9134eac48a2310899d18efb5e61c3e81c35140a7efea30fa
  SHA512: 9dfd7eca6924ae2785ce826a447b6ce6d043c552fbd3b8a804ce6722b07a74900e703dc56cd4443cae9ab9601f21a6068e29771e48497a9ae434096a11814e84
- \Users\Admin\AppData\Local\Temp\nsiC8EB.tmp\fbnwl.dll (the dropped DLL loaded by PID 1772; an nsXXXX.tmp directory under %TEMP% is where an NSIS installer unpacks its plug-in DLLs, so the outer sample is an NSIS package)
  MD5: 1288423dc0799d420e65125515ba8198
  SHA1: f1cb23453dfefed3bd256ebd8fe9c1fce230e901
  SHA256: be749029d5ffba43ebcd1be38e8486ba88fd77a39b08266cfe79c9fa21cf3466
  SHA512: 60b548402cc56a944eaf8bbe0186f02633bed0f267154bea5844273c13f4b122d2ea7d8980b288aa0d272a742d49107e6de558b26bdd98583f787ac7d1895bac
- memory/848-66-0x0000000000000000-mapping.dmp
- memory/1164-63-0x0000000000332000-0x0000000000334000-memory.dmp (8KB)
- memory/1164-61-0x0000000000330000-0x0000000000331000-memory.dmp (4KB)
- memory/1164-62-0x0000000000331000-0x0000000000332000-memory.dmp (4KB)
- memory/1164-64-0x0000000000337000-0x0000000000338000-memory.dmp (4KB)
- memory/1164-65-0x0000000000338000-0x0000000000339000-memory.dmp (4KB)
- memory/1164-60-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/1164-58-0x000000000040188B-mapping.dmp
- memory/1164-57-0x0000000000400000-0x0000000000448000-memory.dmp (288KB)
- memory/1228-68-0x0000000000000000-mapping.dmp
- memory/1772-55-0x0000000075321000-0x0000000075323000-memory.dmp (8KB)

The two 0x400000-0x448000 dumps of PID 1164 are the 288KB image that PID 1772 wrote into the hollowed child; for the unpacked NanoCore payload and its configuration, start with these rather than with the on-disk RHK098760045678009000.exe.
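Both schtasks invocations import their task from a temp file that the sandbox captured (tmpD6BF.tmp and tmpD9BD.tmp above) but does not display. The Python below is an added triage parser for Task Scheduler XML of that kind; it is not code from the report or from the malware. The task definition it parses is constructed to match the report's artefact names (task name "SMTP Service", dropped path under Program Files (x86)), and its trigger, RunLevel and Hidden values are assumptions, not the contents of the captured files.

```python
"""Triage parser for Task Scheduler XML of the kind schtasks /xml consumes.
Added example; the report does not show the contents of tmpD6BF.tmp or
tmpD9BD.tmp, so the sample definition below is constructed."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple, Union

# Task Scheduler 2.0 schema namespace.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Dropped-binary path from the report's Run-key and file-drop signatures.
REPORT_DROP_PATH = r"c:\program files (x86)\smtp service\smtpsvc.exe"


def parse_task_xml(data: Union[bytes, str]) -> Dict[str, object]:
    """Extract the fields that matter for triage. Pass bytes for a real file:
    schtasks-exported definitions are UTF-16 with a BOM, and ElementTree
    honours the declaration/BOM only when given bytes."""
    root = ET.fromstring(data)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [el.tag.split("}")[-1] for el in triggers_el]
    principal = root.find("t:Principals/t:Principal", NS)
    run_level = logon_type = ""
    if principal is not None:
        run_level = principal.findtext("t:RunLevel", "LeastPrivilege", NS)
        logon_type = principal.findtext("t:LogonType", "", NS)
    actions: List[Tuple[str, str]] = [
        (ex.findtext("t:Command", "", NS).strip(), ex.findtext("t:Arguments", "", NS).strip())
        for ex in root.findall("t:Actions/t:Exec", NS)]
    return {
        "description": root.findtext("t:RegistrationInfo/t:Description", "", NS).strip(),
        "triggers": triggers,
        "run_level": run_level,
        "logon_type": logon_type,
        "hidden": root.findtext("t:Settings/t:Hidden", "false", NS).strip().lower() == "true",
        "actions": actions,
    }


def assess(task: Dict[str, object]) -> List[str]:
    """Flag the properties that make a task worth a closer look."""
    flags: List[str] = []
    if any(t in ("LogonTrigger", "BootTrigger") for t in task["triggers"]):
        flags.append("persistence_trigger")
    if task["run_level"] == "HighestAvailable":
        flags.append("runs_elevated_when_possible")
    if task["hidden"]:
        flags.append("hidden_task")
    for command, _ in task["actions"]:
        path = command.strip('"').lower()
        if path == REPORT_DROP_PATH:
            flags.append("command_matches_report_ioc")
        if any(s in path for s in ("\\appdata\\", "\\temp\\", "\\users\\public\\")):
            flags.append("command_in_user_writable_path")
        if " " in path and not command.startswith('"'):
            flags.append("unquoted_command_with_spaces")
    return flags


# Constructed definition (not the report's file): a logon-triggered task that
# asks for the highest available integrity level and runs the dropped binary.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>SMTP Service</Description></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files (x86)\SMTP Service\smtpsvc.exe"</Command>
      <Arguments>$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    parsed = parse_task_xml(SAMPLE_TASK_XML)
    print(parsed)
    print(assess(parsed))
```

On a live host the same parser can be pointed at the registered copies under C:\Windows\System32\Tasks, which lets the two task names from the process tree ("SMTP Service" and "SMTP Service Task") be checked against what actually landed rather than against the deleted temp files.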