Analysis
- max time kernel: 120s
- max time network: 151s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 24-11-2021 11:00
- Static task: static1
- Behavioral task: behavioral1 (Sample: versions.exe, Resource: win7-en-20211014)
- Behavioral task: behavioral2 (Sample: versions.exe, Resource: win10-en-20211014)
General
- Target: versions.exe
- Size: 1.0MB
- MD5: e40c85fb0613efb7c73b93d51a72cda5
- SHA1: 8db384a16df0c904d09e11577640b422355983d2
- SHA256: fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50
- SHA512: 046fe8316d680df22914b1a13c27efd5a877f7c36183ab25a5723d6bb412e7419d1e4122a6281db09a285b20310b9bbcddb280b6384efb9a712446da94cf2d49
Malware Config
Extracted: nanocore 1.2.2.0
Connection host (primary_connection_host:connection_port): sicoslanderfamilydog.gleeze.com:4984
Mutex: cdfecb88-9e93-4c42-b7dc-3c480e7d2431
Configuration:
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-08-15T08:39:45.330389636Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4984
- default_group: Family-B
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: cdfecb88-9e93-4c42-b7dc-3c480e7d2431
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: sicoslanderfamilydog.gleeze.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: reg.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft Dlli\\versions.exe,"
- Executes dropped EXE (4 IoCs)
  PID 744 versions.exe
  PID 996 versions.exe
  PID 1800 sys30.exe
  PID 1552 sys30.exe
- Loads dropped DLL (3 IoCs)
  PID 1644 versions.exe
  PID 744 versions.exe
  PID 1800 sys30.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral1/memory/1644-58-0x0000000004190000-0x00000000041B1000-memory.dmp
  YARA rule: agile_net
- Checks whether UAC is enabled (1 IoC)
  Process: versions.exe
  Description: Key value queried
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  PID 744 versions.exe set thread context of PID 996 versions.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (23 IoCs)
  PID 1644 versions.exe (3 events)
  PID 744 versions.exe (10 events)
  PID 996 versions.exe (6 events)
  PID 1800 sys30.exe (1 event)
  PID 1552 sys30.exe (3 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 996 versions.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 1644 versions.exe
  Token: SeDebugPrivilege, PID 744 versions.exe
  Token: SeDebugPrivilege, PID 996 versions.exe
  Token: SeDebugPrivilege, PID 1800 sys30.exe
  Token: SeDebugPrivilege, PID 1552 sys30.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 1644 versions.exe wrote to memory of PID 1980 cmd.exe (4 events)
  PID 1980 cmd.exe wrote to memory of PID 1680 reg.exe (4 events)
  PID 1644 versions.exe wrote to memory of PID 744 versions.exe (4 events)
  PID 744 versions.exe wrote to memory of PID 996 versions.exe (9 events)
  PID 744 versions.exe wrote to memory of PID 1800 sys30.exe (4 events)
  PID 1800 sys30.exe wrote to memory of PID 1552 sys30.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\versions.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\versions.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe,"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe,"
      Signatures: Modifies WinLogon for persistence
  - C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
      Command line: "C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe"
      Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\sys30.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\sys30.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\sys30.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\sys30.exe"
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe (same hashes as the submitted sample)
  MD5: e40c85fb0613efb7c73b93d51a72cda5
  SHA1: 8db384a16df0c904d09e11577640b422355983d2
  SHA256: fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50
  SHA512: 046fe8316d680df22914b1a13c27efd5a877f7c36183ab25a5723d6bb412e7419d1e4122a6281db09a285b20310b9bbcddb280b6384efb9a712446da94cf2d49
- C:\Users\Admin\AppData\Local\Temp\sys30.exe
  MD5: 0e362e7005823d0bec3719b902ed6d62
  SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
  SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
  SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
- C:\Users\Admin\AppData\Local\Temp\sys30.txt (first of three distinct versions captured)
  MD5: fe8776fcf5ba77ca8da2adafbcc71f9c
  SHA1: f3b38408d225169de4bccf82155d6aac0956cd94
  SHA256: fb0f1c480500367ee0804f87b5885701d39f51fe53330ec79bcf14119fe9dbc3
  SHA512: 14d25888656e79b1214bb85ba6da32f5e189e4d38c4714029754efe5a4b3445a79292e89610cad669b1c07977643635863df2e556f1ecca1491b3fc58c03e704
- C:\Users\Admin\AppData\Local\Temp\sys30.txt (second version)
  MD5: 51ec579b34f887293d5f1a5d2dc0474c
  SHA1: 0651533e3c65e8910d01d9e0b28066c09cebb5d4
  SHA256: ab9aa22079648535d8ef465b50a3c8b47d22050a2ece6cf2943f8f98c125350c
  SHA512: 90161e61511e245afdfa3f185b7dc925c579a66566e45a632b656ce8fde8504f9069e638cb43529ca0bbc21acc004c64b9de1a238d87f813cecc45ebfc52ba6e
- C:\Users\Admin\AppData\Local\Temp\sys30.txt (third version)
  MD5: 62b24a8b79dbaa491ee19e87a06922da
  SHA1: b6ff934067d1afb9a62333c0494c9411037924e1
  SHA256: df7e95dc7537f958b824aafda70dae69dd1947f0030bbcc7789f633a4a6061a0
  SHA512: c6911fffa0758b7348ebebeeaff07401f8da996db4b3e800ecb40226c49e1fea9ae436077f689ddaa6915b2b43bdc13e2666bc86375279367136ab6c0e7955c3
-
memory/744-72-0x0000000000650000-0x0000000000651000-memory.dmpFilesize
4KB
-
memory/744-71-0x0000000000690000-0x000000000069B000-memory.dmpFilesize
44KB
-
memory/744-66-0x0000000001340000-0x0000000001341000-memory.dmpFilesize
4KB
-
memory/744-70-0x0000000000E91000-0x0000000000E92000-memory.dmpFilesize
4KB
-
memory/744-63-0x0000000000000000-mapping.dmp
-
memory/744-68-0x0000000000E90000-0x0000000000E91000-memory.dmpFilesize
4KB
-
memory/996-73-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/996-74-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/996-84-0x00000000006B0000-0x00000000006C9000-memory.dmpFilesize
100KB
-
memory/996-85-0x00000000006D0000-0x00000000006D3000-memory.dmpFilesize
12KB
-
memory/996-82-0x0000000000630000-0x0000000000631000-memory.dmpFilesize
4KB
-
memory/996-103-0x0000000000FB0000-0x0000000000FBF000-memory.dmpFilesize
60KB
-
memory/996-80-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/996-78-0x000000000041E792-mapping.dmp
-
memory/996-77-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/996-76-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/996-75-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/996-83-0x00000000005E0000-0x00000000005E5000-memory.dmpFilesize
20KB
-
memory/996-102-0x0000000000F80000-0x0000000000FA9000-memory.dmpFilesize
164KB
-
memory/996-93-0x0000000000840000-0x0000000000855000-memory.dmpFilesize
84KB
-
memory/996-92-0x0000000000830000-0x000000000083D000-memory.dmpFilesize
52KB
-
memory/996-98-0x0000000000DB0000-0x0000000000DBD000-memory.dmpFilesize
52KB
-
memory/996-97-0x0000000000D20000-0x0000000000D26000-memory.dmpFilesize
24KB
-
memory/996-96-0x0000000000CD0000-0x0000000000CD7000-memory.dmpFilesize
28KB
-
memory/996-95-0x0000000000C80000-0x0000000000C8C000-memory.dmpFilesize
48KB
-
memory/996-94-0x0000000000C20000-0x0000000000C26000-memory.dmpFilesize
24KB
-
memory/996-99-0x0000000000DC0000-0x0000000000DC9000-memory.dmpFilesize
36KB
-
memory/996-100-0x0000000000DD0000-0x0000000000DDF000-memory.dmpFilesize
60KB
-
memory/996-101-0x0000000000DE0000-0x0000000000DEA000-memory.dmpFilesize
40KB
-
memory/1552-107-0x0000000000000000-mapping.dmp
-
memory/1644-58-0x0000000004190000-0x00000000041B1000-memory.dmpFilesize
132KB
-
memory/1644-61-0x0000000004BB1000-0x0000000004BB2000-memory.dmpFilesize
4KB
-
memory/1644-57-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/1644-55-0x0000000000910000-0x0000000000911000-memory.dmpFilesize
4KB
-
memory/1680-60-0x0000000000000000-mapping.dmp
-
memory/1800-90-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/1800-87-0x0000000000000000-mapping.dmp
-
memory/1980-59-0x0000000000000000-mapping.dmp