Analysis

- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-04-2022 00:48
Static task: static1
Behavioral task: behavioral1
- Sample: 6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01.exe
- Resource: win7-20220414-en
General

- Target: 6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01.exe
- Size: 462KB
- MD5: 48d86934fb781685122dfcdae8e4f256
- SHA1: 538e07a3422df1b78540849ab02a69097435adf8
- SHA256: 6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01
- SHA512: aacaa639400595e66ed86ed69619eae9c5f22882b1a3119d272f8b9af5f1d03212d800813ba66a09a3fd0bda3dbcd6ef6b14eeceafa9b61c40470525af989c16
Malware Config

Extracted family: nanocore, version 1.2.2.0
C2: niiarmah.kozow.com:9301
Mutex: ef42b77b-c8cc-45cb-b0b4-e774d77e37ba

Full configuration as extracted:

- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-08-21T18:37:07.916019536Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9301
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760 (the extractor prints this as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (printed as 1.048576e+07)
- mutex: ef42b77b-c8cc-45cb-b0b4-e774d77e37ba
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: niiarmah.kozow.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Timer values are in milliseconds. The hunt-ready items here are the C2 host and port, the mutex name (identical to the GUID in the summary), and the fact that bypass_user_account_control, request_elevation, run_on_startup and set_critical_process are all enabled: the client will attempt UAC bypass, re-launch on boot, and mark itself critical so that terminating it can blue-screen the host.
Signatures

- Executes dropped EXE (1 IoC)
  PID 1296  svhost.exe
- Loads dropped DLL (2 IoCs)
  PID 1708  6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01.exe (recorded twice)
- Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (svhost.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1708 (the sample) set thread context of PID 1296 (svhost.exe), procid_target 27.
  A parent that writes into a freshly started child and then sets its thread context is the thread-hijacking / process-hollowing pattern; together with the UAC check and SeDebugPrivilege use in svhost.exe below, this is consistent with the NanoCore payload being injected into svhost.exe.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description for the signature. The report records no file-encryption activity; for a RAT, treat drive enumeration as reconnaissance, not a ransomware indicator, unless encryption is also observed.
- Delays execution with timeout.exe (1 IoC)
  PID 1068  timeout.exe
- NTFS ADS (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Security\Updates.exe:Zone.Identifier  (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 1708  the sample (4 times); PID 1296  svhost.exe (2 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1296  svhost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege  PID 1708 (the sample); Token SeDebugPrivilege  PID 1296 (svhost.exe)
- Suspicious use of WriteProcessMemory (40 IoCs)
  Collapsed from the 40 individual rows; source PID -> target PID (target procid), number of writes:
  1708 the sample  -> 1296 svhost.exe   (27)  9
  1708 the sample  -> 912  cmd.exe      (28)  4
  1708 the sample  -> 592  cmd.exe      (30)  4
  592  cmd.exe     -> 1388 reg.exe      (32)  4
  1708 the sample  -> 860  cmd.exe      (33)  4
  1708 the sample  -> 1376 cmd.exe      (35)  4
  1708 the sample  -> 240  cmd.exe      (37)  7
  240  cmd.exe     -> 1068 timeout.exe  (39)  4
  Every other child receives a uniform four writes; the nine writes into svhost.exe, paired with the SetThreadContext call above, are the ones that stand out.
Processes

Each entry gives the image path, the recorded command line and the PID; indentation shows parent/child.

C:\Users\Admin\AppData\Local\Temp\6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01.exe   (PID 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svhost.exe   (PID 1296)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe   (PID 912)
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01.exe" "%appdata%\Security\Updates.exe" /Y

    C:\Windows\SysWOW64\cmd.exe   (PID 592)
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%appdata%\Security\Updates.exe.lnk" /f
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe   (PID 1388)
          Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Security\Updates.exe.lnk" /f

    C:\Windows\SysWOW64\cmd.exe   (PID 860)
      Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\Security\Updates.exe:Zone.Identifier
      - NTFS ADS

    C:\Windows\SysWOW64\cmd.exe   (PID 1376)
      Command line: "C:\Windows\System32\cmd.exe" /c ren "%appdata%\Security\Updates.exe.jpg" Updates.exe

    C:\Windows\SysWOW64\cmd.exe   (PID 240)
      Command line: cmd /c C:\Users\Admin\AppData\Roaming\Security\Updates.exe.bat
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe   (PID 1068)
          Command line: timeout /t 300
          - Delays execution with timeout.exe

Notes on the chain:

- The image paths are under SysWOW64 while the command lines name System32: the sample is a 32-bit process and the WoW64 file-system redirector maps its System32 references to SysWOW64. Detection rules keyed only on the System32 path will miss these.
- Persistence is a copy of the sample to %APPDATA%\Security\Updates.exe followed by a Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a legacy per-user logon autostart that is consulted far less often than the Run keys. The value points at Updates.exe.lnk; neither the .lnk nor the Updates.exe.jpg that the later ren command expects is shown being written in this report.
- The Zone.Identifier stream is written with ZoneId 2, the Trusted Sites zone. Zone 3 (Internet) is what triggers Mark-of-the-Web warnings, so this marks the dropped copy as trusted rather than removing the stream, even though the extracted config has clear_zone_identifier set to false.
- The final step runs Updates.exe.bat from the profile directory, which calls timeout /t 300: a five-minute wait, longer than many sandbox runs.
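The command chain above (copy to %APPDATA%, reg add of the Load value, Zone.Identifier write, rename to .exe, delayed .bat) is what endpoint telemetry would key on. What follows is an added example, not part of the sandbox report and not any vendor's rules: it runs regex-based detections over constructed Sysmon-style process-creation events carrying the report's own command lines, then groups hits by root process so that the chain surfaces as one finding rather than six. It generalises beyond this sample: the autostart rule also covers the Run/RunOnce keys and the Winlogon Shell/Userinit values, and the profile-path rule accepts both %appdata% and expanded C:\Users\...\AppData forms. The event layout (pid, ppid, cmdline), the rule names, the 60-second timeout threshold and the ppid 0 placeholder for the sample's unrecorded parent are all assumptions.

```python
"""Added example, not part of the sandbox report: detection logic for the
persistence chain in the process tree above, run over constructed Sysmon-style
process-creation events. Event layout, rule names and thresholds are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE = "6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
CMD = '"C:\\Windows\\System32\\cmd.exe" /c '

# Constructed events; PIDs and parents follow the report's process tree
# (ppid 0 stands in for the sample's unrecorded parent).
EVENTS = [
    ProcEvent(1708, 0, f'"{TEMP}\\{SAMPLE}"'),
    ProcEvent(1296, 1708, f'"{TEMP}\\svhost.exe"'),
    ProcEvent(912, 1708, CMD + f'copy "C:/Users/Admin/AppData/Local/Temp/{SAMPLE}" '
              '"%appdata%\\Security\\Updates.exe" /Y'),
    ProcEvent(592, 1708, CMD + 'reg add "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" '
              '/v Load /t REG_SZ /d "%appdata%\\Security\\Updates.exe.lnk" /f'),
    ProcEvent(1388, 592, 'reg add "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows" '
              '/v Load /t REG_SZ /d "C:\\Users\\Admin\\AppData\\Roaming\\Security\\Updates.exe.lnk" /f'),
    ProcEvent(860, 1708, CMD + 'echo [zoneTransfer]ZoneID = 2 > %appdata%\\Security\\Updates.exe:Zone.Identifier'),
    ProcEvent(1376, 1708, CMD + 'ren "%appdata%\\Security\\Updates.exe.jpg" Updates.exe'),
    ProcEvent(240, 1708, 'cmd /c C:\\Users\\Admin\\AppData\\Roaming\\Security\\Updates.exe.bat'),
    ProcEvent(1068, 240, 'timeout /t 300'),
]

# reg add into an autostart location: the Load value this sample sets, plus
# Run/RunOnce (any value name) and Winlogon Shell/Userinit.
AUTOSTART = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>hk\w*\\software\\microsoft\\windows(?: nt)?'
    r'\\currentversion\\(?P<leaf>windows|run|runonce|winlogon))"?\s+/v\s+"?(?P<value>[^"\s]+)"?'
    r'.*?/d\s+"?(?P<data>[^"]+?)"?(?:\s+/f|\s*$)', re.IGNORECASE)
LEAF_VALUES = {"windows": {"load", "run"}, "winlogon": {"shell", "userinit"}}  # absent leaf = any value
PROFILE = r'(?:%(?:local)?appdata%|[A-Z]:\\Users\\[^\\"\s]+\\AppData)'
ADS_WRITE = re.compile(r'>\s*"?(?P<path>[^"\s>]+:Zone\.Identifier)\b', re.IGNORECASE)
ZONE_ID = re.compile(r'ZoneId\s*=\s*(?P<zone>\d)', re.IGNORECASE)
ZONES = {"0": "LocalMachine", "1": "Intranet", "2": "Trusted", "3": "Internet", "4": "Restricted"}
COPY_TO_PROFILE = re.compile(r'\b(?:copy|xcopy|move)\b.*?"?(?P<dst>' + PROFILE + r'\\[^"\s]+)"?', re.IGNORECASE)
MASKED_RENAME = re.compile(r'\bren(?:ame)?\s+"?(?P<src>[^"]+?)"?\s+"?(?P<dst>[^"\s]+\.exe)"?\s*$', re.IGNORECASE)
PROFILE_SCRIPT = re.compile(r'(?P<path>' + PROFILE + r'\\[^"\s]+\.(?:bat|cmd|vbs|js))\b', re.IGNORECASE)
DELAY = re.compile(r'\btimeout(?:\.exe)?\s+/t\s+(?P<secs>\d+)', re.IGNORECASE)
DELAY_THRESHOLD = 60  # assumed: a wait this long is not interactive use


def analyse(events):
    """Return one Finding per rule hit; a single event may hit several rules."""
    out = []
    for ev in events:
        c = ev.cmdline
        if m := AUTOSTART.search(c):
            allowed = LEAF_VALUES.get(m["leaf"].lower())
            if allowed is None or m["value"].lower() in allowed:
                out.append(Finding("autostart_reg_add", ev.pid, f'{m["key"]}\\{m["value"]} -> {m["data"]}'))
        if m := ADS_WRITE.search(c):
            z = ZONE_ID.search(c)
            zone = ZONES.get(z["zone"], "unknown") if z else "unknown"
            out.append(Finding("zone_identifier_write", ev.pid, f'{m["path"]} (ZoneId {zone})'))
        if m := COPY_TO_PROFILE.search(c):
            out.append(Finding("copy_to_profile", ev.pid, m["dst"]))
        if (m := MASKED_RENAME.search(c)) and not m["src"].lower().endswith(".exe"):
            out.append(Finding("masked_rename_to_exe", ev.pid, f'{m["src"]} -> {m["dst"]}'))
        if m := PROFILE_SCRIPT.search(c):
            out.append(Finding("profile_script_exec", ev.pid, m["path"]))
        if (m := DELAY.search(c)) and int(m["secs"]) >= DELAY_THRESHOLD:
            out.append(Finding("long_timeout_delay", ev.pid, f'{m["secs"]}s'))
    return out


def root_of(pid, parents):
    """Walk ppid links up to the top-most process present in the event set."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def chains(events, findings, min_rules=3):
    """Group hits by root process; a root with >= min_rules distinct rules is a chain."""
    parents = {e.pid: e.ppid for e in events}
    by_root = {}
    for f in findings:
        by_root.setdefault(root_of(f.pid, parents), set()).add(f.rule)
    return {root: sorted(rules) for root, rules in by_root.items() if len(rules) >= min_rules}
```

Running analyse(EVENTS) yields seven hits (the reg add is seen on both the cmd.exe wrapper, PID 592, and reg.exe, PID 1388), and chains() rolls all of them up to PID 1708 because every child in the tree descends from the sample. A lone timeout /t 300 or a single Run-key write produces a hit but no chain, which is the point of grouping by root: the individual commands are common in benign software; six of them under one parent within seconds are not.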
Network
MITRE ATT&CK Enterprise v6
Downloads

Three distinct files are listed; the page repeats some entries, so the count of listings is noted for each.

- 462KB, listed twice. Hashes are identical to the submitted sample, consistent with the copy to %appdata%\Security\Updates.exe in the process tree.
  MD5: 48d86934fb781685122dfcdae8e4f256
  SHA1: 538e07a3422df1b78540849ab02a69097435adf8
  SHA256: 6f6a956472613361087e326a732044349891e4ebaff99b2278836389cabdec01
  SHA512: aacaa639400595e66ed86ed69619eae9c5f22882b1a3119d272f8b9af5f1d03212d800813ba66a09a3fd0bda3dbcd6ef6b14eeceafa9b61c40470525af989c16

- 255KB, listed three times.
  MD5: 9af17c8393f0970ee5136bd3ffa27001
  SHA1: 4b285b72c1a11285a25f31f2597e090da6bbc049
  SHA256: 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
  SHA512: b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

- 205B, listed once.
  MD5: 89c271e144581e0e00347269b020a002
  SHA1: ad9fe3d0aaf5579f17004982aa1ea53afee6d0d2
  SHA256: fa4f71efddbbc88768574504f59ca283911cb40cc0ca52185e782436342945a8
  SHA512: ea099eaf12aa74947171f861af1ee2223178942c722b08e45158dfb85c32fe6f38d61b5f5fea86223b5faede58f32cb6d0661cbdc9a29b78918e9b057bde1ed1