Analysis
- max time kernel: 110s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 27-10-2021 10:22

Static task: static1
Behavioral task: behavioral1
Sample: RHK098760045678009000.exe
Resource: win7-en-20211014
General
- Target: RHK098760045678009000.exe
- Size: 435KB
- MD5: 8ae8a20159a1fdedd8c4937e8cc4c571
- SHA1: a68c405aa1bec64c9790c321b4785c98f5c9a2a6
- SHA256: bd386b60f5a095f369d4473d5f3185c226363a563f45326cea048e10f0ff403b
- SHA512: ae7ec190db374595c4612f937f8ff98172b4a9c828e218806498e6443c0490cfdf92fe7a8f2b965dc34015c5b5e004dd02c53289a55c94e194f079b0e8017261
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.222.57.90:4445
- Mutex: 319d0527-f6c8-4b20-86a3-4c642aa02ef8

Configuration:
- activate_away_mode: true
- backup_connection_host: 185.222.57.90
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-08-06T10:35:01.991255736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4445
- default_group: MONEY
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 319d0527-f6c8-4b20-86a3-4c642aa02ef8
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host:
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Loads dropped DLL (1 IoC)
  Processes: PID 592, RHK098760045678009000.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RHK098760045678009000.exe set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"

- Checks whether UAC is enabled (1 IoC)
  Processes: RHK098760045678009000.exe queried key value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 592 (RHK098760045678009000.exe) set thread context of PID 4252 (RHK098760045678009000.exe)

- Drops file in Program Files directory (2 IoCs)
  Processes: RHK098760045678009000.exe created file C:\Program Files (x86)\SCSI Service\scsisvc.exe; RHK098760045678009000.exe opened C:\Program Files (x86)\SCSI Service\scsisvc.exe for modification

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: PID 4032, schtasks.exe; PID 1924, schtasks.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: PID 4252, RHK098760045678009000.exe (6 occurrences)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 4252, RHK098760045678009000.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 4252 (RHK098760045678009000.exe) adjusted token: SeDebugPrivilege

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  - PID 592 (RHK098760045678009000.exe) wrote to memory of PID 4252 (RHK098760045678009000.exe): 10 occurrences
  - PID 4252 (RHK098760045678009000.exe) wrote to memory of PID 4032 (schtasks.exe): 3 occurrences
  - PID 4252 (RHK098760045678009000.exe) wrote to memory of PID 1924 (schtasks.exe): 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RHK098760045678009000.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB297.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB354.tmp"
      - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB297.tmp
  MD5: db2b9934bff158cab498a9fc4d9c1715
  SHA1: 4b2eca3bde44b15162a01df5de675958532f5a59
  SHA256: 5530592ea8bd278a5ae7713ee77c892fa69295470d87e73e8d9442bd032e3e37
  SHA512: fb51095b00c05da525e760294abdd107bdb03e1ab522ae70016fa7b12d522e3921a1b8560e5cb66a230c9927da811bc0de5e18544afa04756f671339aa972b7f

- C:\Users\Admin\AppData\Local\Temp\tmpB354.tmp
  MD5: 4e71faa3a77029484cfaba423d96618f
  SHA1: 9c837d050bb43d69dc608af809c292e13bca4718
  SHA256: c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb
  SHA512: 6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

- \Users\Admin\AppData\Local\Temp\nslAC7E.tmp\fbnwl.dll
  MD5: 1288423dc0799d420e65125515ba8198
  SHA1: f1cb23453dfefed3bd256ebd8fe9c1fce230e901
  SHA256: be749029d5ffba43ebcd1be38e8486ba88fd77a39b08266cfe79c9fa21cf3466
  SHA512: 60b548402cc56a944eaf8bbe0186f02633bed0f267154bea5844273c13f4b122d2ea7d8980b288aa0d272a742d49107e6de558b26bdd98583f787ac7d1895bac

- memory/1924-127-0x0000000000000000-mapping.dmp
- memory/4032-125-0x0000000000000000-mapping.dmp
- memory/4252-119-0x0000000000400000-0x0000000000448000-memory.dmp (filesize: 288KB)
- memory/4252-122-0x0000000000912000-0x0000000000914000-memory.dmp (filesize: 8KB)
- memory/4252-123-0x0000000000917000-0x0000000000918000-memory.dmp (filesize: 4KB)
- memory/4252-124-0x0000000000918000-0x0000000000919000-memory.dmp (filesize: 4KB)
- memory/4252-120-0x0000000000910000-0x0000000000911000-memory.dmp (filesize: 4KB)
- memory/4252-121-0x0000000000911000-0x0000000000912000-memory.dmp (filesize: 4KB)
- memory/4252-118-0x000000000040188B-mapping.dmp
- memory/4252-117-0x0000000000400000-0x0000000000448000-memory.dmp (filesize: 288KB)