Overview

overview

10

Static

static

EvilNomina...to.exe

windows7_x64

10

EvilNomina...to.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    80s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20-01-2022 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EvilNominatusCrypto.exe

  • Size

    14KB

  • MD5

    8e23d84e5c58270136539c4cb3e604a4

  • SHA1

    4cc242e1f24af73d2a3e38e4ad103df0ae62d93c

  • SHA256

    01cec0306b25849804ac2770d877423d9f00adfae6217c72842630d18c048ba4

  • SHA512

    159cd61686bec5c83c529e69f1ce653c9b8176c386b0d28b192fa25f07c2784749855f27cd144e6c581c37fd411db857c1476777719feb6f6a291bf8acf4344f

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Disables RegEdit via registry modification
    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EvilNominatusCrypto.exe
    "C:\Users\Admin\AppData\Local\Temp\EvilNominatusCrypto.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:544
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:292

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/292-58-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1636-53-0x0000000000F80000-0x0000000000F8A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1636-54-0x0000000075531000-0x0000000075533000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1636-55-0x0000000004C20000-0x0000000004C21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-56-0x0000000004C25000-0x0000000004C36000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1636-57-0x0000000004C36000-0x0000000004C37000-memory.dmp
      Filesize

      4KB

      Download