Analysis
- max time kernel: 169s
- max time network: 196s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 15-04-2022 12:42

Static task: static1

Behavioral task: behavioral1
- Sample: 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
- Resource: win10v2004-20220414-en
General
- Target: 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
- Size: 708KB
- MD5: 848a0266b194123408dd4429ef761db0
- SHA1: 95348194c757655c1d7832db285de8d3d3baf8f5
- SHA256: 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec
- SHA512: 49240e1684c2bf7eaf5e869b95cf878693811148b37aa73db6cfcfb46331dc3c2bccc5455f99d180964202571f6e31a918ffc17e6458aede1db2c04607249440
Malware Config

Extracted
- nanocore 1.2.2.0
- farah99.zapto.org:19720
- 6d50c134-6325-499c-b5ec-dbc7a37a8117

- activate_away_mode: true
- backup_connection_host: farah99.zapto.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-08-20T23:36:09.518759436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 19720
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 6d50c134-6325-499c-b5ec-dbc7a37a8117
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: farah99.zapto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

- Looks for VirtualBox Guest Additions in registry (2 TTPs)

- Looks for VMWare Tools registry key (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\\Program Files (x86)\\WPA Subsystem\\wpass.exe" | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe

- Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1640 set thread context of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30

- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\WPA Subsystem\wpass.exe | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
  File opened for modification | C:\Program Files (x86)\WPA Subsystem\wpass.exe | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  428 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
  1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
  1364 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
  1364 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe
  Token: SeDebugPrivilege | 1364 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe

- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | Process | procid_target
  PID 1640 wrote to memory of 428 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 28
  PID 1640 wrote to memory of 428 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 28
  PID 1640 wrote to memory of 428 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 28
  PID 1640 wrote to memory of 428 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 28
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
  PID 1640 wrote to memory of 1364 | 1640 | 11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe | 30
Processes

- C:\Users\Admin\AppData\Local\Temp\11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe (PID 1640, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe (PID 428, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGcETK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC553.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\11e036c1794cd85102d2db5dc7cd5e1440d266ccd6f09fb541661c63ddbebeec.exe (PID 1364, depth 2)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1KB
  MD5: f4f3d0ea1aa5ce60391c4be405d47d04
  SHA1: 1ccd4ac95b85fa1380bed126c6467882f5bbef10
  SHA256: 96ae351e1234bc86a5d30c7b5a6b91d0aecf86600b41edd198c66f46fc50306f
  SHA512: 641e50e5e95210ba521c28367e6fa7a9da0c75a8f5b54808deda8607b2cc7d912c7ee779c42d26471db8c8edc3c70c59c7820203fde8678434cb7a64a22e802a