Analysis
max time kernel: 150s
max time network: 153s
platform: windows10_x64
resource: win10-en-20211208
submitted: 09-12-2021 21:23

Static task: static1
Behavioral task: behavioral1
Sample: img-098765678.exe
Resource: win7-en-20211208
General
Target: img-098765678.exe
Size: 1.2MB
MD5: 84f0d89c41aa198450c551b715eeec1c
SHA1: a6eb13901ebe55192a224c7ef170892d2f932f79
SHA256: 50e40b11c1d866597929f9b8020a644cc0bdbeb7ca12de0cff68ce78d018a50d
SHA512: 9930942697767e93273b66459f68e5564aa73f2e6dce3f06a573e9882647c18e2f0d1f7eb4c2abc6db876cbec8d8f97845194c20545f00d3ed875ef57d77f1aa
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 6262.hopto.org:6262
C2: 185.140.53.131:6262
Mutex: 7b578534-8b04-4a5d-9eb5-d375830cf45d

activate_away_mode: true
backup_connection_host: 185.140.53.131
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-08-31T05:14:41.931016736Z
bypass_user_account_control: false
bypass_user_account_control_data: (value not present in the extracted page)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 6262
default_group: 6262
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 7b578534-8b04-4a5d-9eb5-d375830cf45d
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 6262.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1572  img-098765678.exe
  1784  InstallUtil.exe

Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/2880-121-0x0000000005E90000-0x0000000005EB1000-memory.dmp  agile_net
  behavioral2/memory/2880-126-0x0000000004D50000-0x000000000524E000-memory.dmp  agile_net
  behavioral2/memory/1572-140-0x0000000005260000-0x000000000575E000-memory.dmp  agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                                                                                                   process
  Key created      \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run                                                              reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\new open = "C:\\Users\\Admin\\Favorites\\img-098765678.exe"  reg.exe

Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  InstallUtil.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                              pid   process            target process
  PID 1572 set thread context of 1784      1572  img-098765678.exe  InstallUtil.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes:
  description  ioc                                                                                         process
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\MuiCache  img-098765678.exe

Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes:
  pid   process            occurrences
  2880  img-098765678.exe  15
  1572  img-098765678.exe  3
  1784  InstallUtil.exe    1

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  1784  InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2880  img-098765678.exe
  Token: SeDebugPrivilege  1572  img-098765678.exe
  Token: SeDebugPrivilege  1784  InstallUtil.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                        pid   process            target process     occurrences
  PID 2880 wrote to memory of 848    2880  img-098765678.exe  cmd.exe            3
  PID 848 wrote to memory of 2000    848   cmd.exe            reg.exe            3
  PID 2880 wrote to memory of 1572   2880  img-098765678.exe  img-098765678.exe  3
  PID 1572 wrote to memory of 1784   1572  img-098765678.exe  InstallUtil.exe    8
Processes

C:\Users\Admin\AppData\Local\Temp\img-098765678.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\img-098765678.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "new open" /t REG_SZ /d "C:\Users\Admin\Favorites\img-098765678.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "new open" /t REG_SZ /d "C:\Users\Admin\Favorites\img-098765678.exe"
      - Adds Run key to start application

  C:\Users\Admin\Favorites\img-098765678.exe
    Command line: "C:\Users\Admin\Favorites\img-098765678.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\img-098765678.exe.log
  MD5: 009b86ab4020fc209c5914515b3aff93
  SHA1: 780cabb26fba207e4de8a78a89092b5b681d3ef9
  SHA256: f866c5c64134450a52ec440545e84269cef199217fb61a640d79c17c5126c951
  SHA512: 9837fb25e9a72ca4397bef8eb72d0f2820deebfa79b81771ea071a0e853330bc791714795e2096704523b3bdc1a914632b86ae311182c12bcc4d93eb0de0b408

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

C:\Users\Admin\Favorites\img-098765678.exe
  MD5: 84f0d89c41aa198450c551b715eeec1c
  SHA1: a6eb13901ebe55192a224c7ef170892d2f932f79
  SHA256: 50e40b11c1d866597929f9b8020a644cc0bdbeb7ca12de0cff68ce78d018a50d
  SHA512: 9930942697767e93273b66459f68e5564aa73f2e6dce3f06a573e9882647c18e2f0d1f7eb4c2abc6db876cbec8d8f97845194c20545f00d3ed875ef57d77f1aa

Memory dumps
  memory/848-124-0x0000000000000000-mapping.dmp
  memory/1572-142-0x00000000096E0000-0x00000000096E1000-memory.dmp  Filesize: 4KB
  memory/1572-127-0x0000000000000000-mapping.dmp
  memory/1572-136-0x0000000005260000-0x000000000575E000-memory.dmp  Filesize: 5.0MB
  memory/1572-140-0x0000000005260000-0x000000000575E000-memory.dmp  Filesize: 5.0MB
  memory/1572-141-0x00000000070D0000-0x00000000070DB000-memory.dmp  Filesize: 44KB
  memory/1784-143-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
  memory/1784-155-0x0000000004F10000-0x000000000540E000-memory.dmp  Filesize: 5.0MB
  memory/1784-154-0x0000000005A90000-0x0000000005AA9000-memory.dmp  Filesize: 100KB
  memory/1784-153-0x0000000004EF0000-0x0000000004EF5000-memory.dmp  Filesize: 20KB
  memory/1784-152-0x0000000004DF0000-0x0000000004DF1000-memory.dmp  Filesize: 4KB
  memory/1784-144-0x000000000041E792-mapping.dmp
  memory/2000-125-0x0000000000000000-mapping.dmp
  memory/2880-121-0x0000000005E90000-0x0000000005EB1000-memory.dmp  Filesize: 132KB
  memory/2880-115-0x00000000002A0000-0x00000000002A1000-memory.dmp  Filesize: 4KB
  memory/2880-119-0x0000000004D50000-0x0000000004D51000-memory.dmp  Filesize: 4KB
  memory/2880-118-0x0000000005250000-0x0000000005251000-memory.dmp  Filesize: 4KB
  memory/2880-117-0x0000000004CB0000-0x0000000004CB1000-memory.dmp  Filesize: 4KB
  memory/2880-120-0x0000000004D50000-0x000000000524E000-memory.dmp  Filesize: 5.0MB
  memory/2880-123-0x0000000005F10000-0x0000000005F11000-memory.dmp  Filesize: 4KB
  memory/2880-126-0x0000000004D50000-0x000000000524E000-memory.dmp  Filesize: 5.0MB
  memory/2880-122-0x0000000005F50000-0x0000000005F51000-memory.dmp  Filesize: 4KB