Analysis
max time kernel: 82s
max time network: 80s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20-01-2022 14:41
Static task: static1
Behavioral task: behavioral1
  Sample: EvilNominatusCrypto.exe
  Resource: win7-en-20211208 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: EvilNominatusCrypto.exe
  Resource: win10v2004-en-20220112 (windows10-2004_x64)
  0 signatures, 0 seconds
General
Target: EvilNominatusCrypto.exe
Size: 14KB
MD5: 8e23d84e5c58270136539c4cb3e604a4
SHA1: 4cc242e1f24af73d2a3e38e4ad103df0ae62d93c
SHA256: 01cec0306b25849804ac2770d877423d9f00adfae6217c72842630d18c048ba4
SHA512: 159cd61686bec5c83c529e69f1ce653c9b8176c386b0d28b192fa25f07c2784749855f27cd144e6c581c37fd411db857c1476777719feb6f6a291bf8acf4344f
Score: 10/10
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: EvilNominatusCrypto.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EvilNominatusCrypto.exe"
  process: EvilNominatusCrypto.exe
- Disables RegEdit via registry modification
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: EvilNominatusCrypto.exe
  description: Token: SeDebugPrivilege; pid 1636; process EvilNominatusCrypto.exe (2 identical entries)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  Process: EvilNominatusCrypto.exe
  pid 1636; process EvilNominatusCrypto.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: EvilNominatusCrypto.exe, cmd.exe
  PID 1636 (EvilNominatusCrypto.exe) wrote to memory of 1660 (cmd.exe) (4 identical entries)
  PID 1660 (cmd.exe) wrote to memory of 544 (reg.exe) (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\EvilNominatusCrypto.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\EvilNominatusCrypto.exe"
  - Modifies WinLogon for persistence
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (depth 3)
      command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - Modifies registry key
- C:\Windows\explorer.exe (depth 1)
  command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/292-58-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp (filesize 8KB)
- memory/1636-53-0x0000000000F80000-0x0000000000F8A000-memory.dmp (filesize 40KB)
- memory/1636-54-0x0000000075531000-0x0000000075533000-memory.dmp (filesize 8KB)
- memory/1636-55-0x0000000004C20000-0x0000000004C21000-memory.dmp (filesize 4KB)
- memory/1636-56-0x0000000004C25000-0x0000000004C36000-memory.dmp (filesize 68KB)
- memory/1636-57-0x0000000004C36000-0x0000000004C37000-memory.dmp (filesize 4KB)