Overview

overview

10

Static

static

nes1.exe

windows7_x64

10

nes1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294178s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220310-en
  • submitted
    13-03-2022 22:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nes1.exe

  • Size

    75KB

  • MD5

    147e760e14fcb833dd6dba8aabfbe092

  • SHA1

    8ae5369a8a95737a8efc4831f5a20ca6b2d959b6

  • SHA256

    4d4f1d9ac5e7887dda018ea46753789a0c3d8e1199ea3c34502aa8da2136fe0e

  • SHA512

    ebad6c551e11acef22e2952131e68dec9931a31f366d89f9d02ed63b3e479a8e6fa2eaa38b6d4c2885e1714e888124c207a7dbc4c15741f5cb11d8081d1198a5

Score
10/10
evasionpersistencespywaretrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nes1.exe
    "C:\Users\Admin\AppData\Local\Temp\nes1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXAB0AG0AcAAxAFwAYQBwAHAAcwBcAGEAcABwAGwAaQBjAGEAdABpAG8AbgBTAFUALgBlAHgAZQAnAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1100
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Windows\SysWOW64\taskkill.exe
        "taskkill.exe" /im chrome.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1100-60-0x00000000765D1000-0x00000000765D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1100-63-0x0000000002450000-0x000000000309A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1100-64-0x000000006F890000-0x000000006FE3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1100-62-0x0000000002450000-0x000000000309A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/1100-61-0x000000006F890000-0x000000006FE3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2016-59-0x0000000004660000-0x00000000046AC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2016-54-0x0000000000B10000-0x0000000000B26000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2016-58-0x0000000005F80000-0x0000000006000000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2016-57-0x0000000005C80000-0x0000000005D34000-memory.dmp
    Filesize

    720KB

    Download
  • memory/2016-56-0x0000000000550000-0x0000000000551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2016-55-0x0000000074BE0000-0x00000000752CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2040-67-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2040-65-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2040-69-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2040-71-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2040-73-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2040-75-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2040-77-0x0000000000400000-0x00000000004A0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2040-78-0x0000000074BE0000-0x00000000752CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2040-79-0x00000000056D0000-0x00000000056D1000-memory.dmp
    Filesize

    4KB

    Download