Analysis
-
max time kernel
121s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
13-03-2022 22:52
Static task
static1
Behavioral task
behavioral1
Sample
nes1.exe
Resource
win7-20220310-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
nes1.exe
Resource
win10v2004-en-20220113
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
nes1.exe
-
Size
75KB
-
MD5
147e760e14fcb833dd6dba8aabfbe092
-
SHA1
8ae5369a8a95737a8efc4831f5a20ca6b2d959b6
-
SHA256
4d4f1d9ac5e7887dda018ea46753789a0c3d8e1199ea3c34502aa8da2136fe0e
-
SHA512
ebad6c551e11acef22e2952131e68dec9931a31f366d89f9d02ed63b3e479a8e6fa2eaa38b6d4c2885e1714e888124c207a7dbc4c15741f5cb11d8081d1198a5
Score
10/10
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation nes1.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\applicationSU = "\"C:\\Users\\Admin\\AppData\\Roaming\\tmp1\\apps\\applicationSU.exe\"" nes1.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 34 eth0.me -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3000 set thread context of 4124 3000 nes1.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 860 powershell.exe 860 powershell.exe 3000 nes1.exe 3000 nes1.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3000 nes1.exe Token: SeDebugPrivilege 860 powershell.exe Token: SeDebugPrivilege 4124 MSBuild.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3000 wrote to memory of 860 3000 nes1.exe 91 PID 3000 wrote to memory of 860 3000 nes1.exe 91 PID 3000 wrote to memory of 860 3000 nes1.exe 91 PID 3000 wrote to memory of 4124 3000 nes1.exe 93 PID 3000 wrote to memory of 4124 3000 nes1.exe 93 PID 3000 wrote to memory of 4124 3000 nes1.exe 93 PID 3000 wrote to memory of 4124 3000 nes1.exe 93 PID 3000 wrote to memory of 4124 3000 nes1.exe 93 PID 3000 wrote to memory of 4124 3000 nes1.exe 93 PID 3000 wrote to memory of 4124 3000 nes1.exe 93 PID 3000 wrote to memory of 4124 3000 nes1.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\nes1.exe"C:\Users\Admin\AppData\Local\Temp\nes1.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXAB0AG0AcAAxAFwAYQBwAHAAcwBcAGEAcABwAGwAaQBjAGEAdABpAG8AbgBTAFUALgBlAHgAZQAnAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124
-