Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
- Resource: win7-20220414-en
General
- Target: 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
- Size: 513KB
- MD5: 0a242406df260af40a8b4fd6258cfb5e
- SHA1: 2eac5ee482bc4b74a40f3d2d4537412d2708f2e5
- SHA256: 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a
- SHA512: 86b958e94a2d2ca5bafad1250920e1a1ab700757dabb0e53a5a8d6962ddcb55f5af07f42801c30604526418d18d636755d00d4d583ec988eca219da8b933f3d1
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 128.226.252.143:54984, 127.0.0.1:54984
- Mutex: 71004c52-6256-4356-bd30-5affe1ec6914
Attributes
- activate_away_mode: false
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-07-31T01:18:37.502649636Z
- bypass_user_account_control: false
- bypass_user_account_control_data (base64-encoded scheduled-task XML, value on the next line):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54984
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 71004c52-6256-4356-bd30-5affe1ec6914
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 128.226.252.143
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    548 / HWID CHANGER.EXE
    3068 / SERVICES.EXE
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation / 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" / SERVICES.EXE
- Checks whether UAC is enabled
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA / SERVICES.EXE
- Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
    File created / C:\Program Files (x86)\WPA Monitor\wpamon.exe / SERVICES.EXE
    File opened for modification / C:\Program Files (x86)\WPA Monitor\wpamon.exe / SERVICES.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
    4068 / schtasks.exe
    3372 / schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process):
    3068 / SERVICES.EXE (6 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
    3068 / SERVICES.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3068 / SERVICES.EXE
    Token: SeDebugPrivilege / 3068 / SERVICES.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 2176 wrote to memory of 548 / 2176 / 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe / HWID CHANGER.EXE
    PID 2176 wrote to memory of 548 / 2176 / 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe / HWID CHANGER.EXE
    PID 2176 wrote to memory of 548 / 2176 / 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe / HWID CHANGER.EXE
    PID 2176 wrote to memory of 3068 / 2176 / 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe / SERVICES.EXE
    PID 2176 wrote to memory of 3068 / 2176 / 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe / SERVICES.EXE
    PID 2176 wrote to memory of 3068 / 2176 / 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe / SERVICES.EXE
    PID 3068 wrote to memory of 4068 / 3068 / SERVICES.EXE / schtasks.exe
    PID 3068 wrote to memory of 4068 / 3068 / SERVICES.EXE / schtasks.exe
    PID 3068 wrote to memory of 4068 / 3068 / SERVICES.EXE / schtasks.exe
    PID 3068 wrote to memory of 3372 / 3068 / SERVICES.EXE / schtasks.exe
    PID 3068 wrote to memory of 3372 / 3068 / SERVICES.EXE / schtasks.exe
    PID 3068 wrote to memory of 3372 / 3068 / SERVICES.EXE / schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE871.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "WPA Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEA27.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
  Filesize: 138KB
  MD5: 88b430e9224557e9eeab96a9096a0e3b
  SHA1: cb7a4f3efbfe68009c6b1677ed50991e134161e8
  SHA256: c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c
  SHA512: e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d
- C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
  Filesize: 203KB
  MD5: fbf4540d5b491f75fe1c22ac4815fa83
  SHA1: 83275825f4b8c75bb0b7395baf910a64d2dffe61
  SHA256: e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6
  SHA512: 1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1
- C:\Users\Admin\AppData\Local\Temp\tmpE871.tmp
  Filesize: 1KB
  MD5: ceee50b15e8af3709e3b6797b4fe0dff
  SHA1: 94686fe6430122551a42b8c9871845c0990161f3
  SHA256: 9d5d630ffb1574bb8c5345c56805fcbd7879d2b9b7b7b799825cc6f33b232ce0
  SHA512: 372c46f1e7a50282fcc0aec8747fe82b29ec4cad9fa0e8f7a40d831b0e5aeca1925366da0f5edc22eeed5ef412a0f7a3785669a62874f7c4d40b3b089926604d
- C:\Users\Admin\AppData\Local\Temp\tmpEA27.tmp
  Filesize: 1KB
  MD5: a246b3561d823177f3586e629f144233
  SHA1: 0f05d12e55a1d2e5e6a4f307c193882fba093315
  SHA256: 6abae7707b06e52b58f537b335e367cc54b093e899d78f16e94ceaf7ceafca52
  SHA512: 4246aa9a96331e2c7e36b37fa778e31ecae055c77164e0dc673aa50cdec368f08d356ab06ef1a4540816c474828048ab1bebed7e211a4eb929f2918e1fac9c6d
- memory/548-136-0x0000000000A30000-0x0000000000A58000-memory.dmp
  Filesize: 160KB
- memory/548-137-0x0000000005500000-0x000000000559C000-memory.dmp
  Filesize: 624KB
- memory/548-138-0x0000000005B50000-0x00000000060F4000-memory.dmp
  Filesize: 5.6MB
- memory/548-139-0x00000000055A0000-0x0000000005632000-memory.dmp
  Filesize: 584KB
- memory/548-143-0x0000000005730000-0x0000000005786000-memory.dmp
  Filesize: 344KB
- memory/548-141-0x0000000005400000-0x000000000540A000-memory.dmp
  Filesize: 40KB
- memory/548-130-0x0000000000000000-mapping.dmp
- memory/3068-133-0x0000000000000000-mapping.dmp
- memory/3068-140-0x0000000074770000-0x0000000074D21000-memory.dmp
  Filesize: 5.7MB
- memory/3372-145-0x0000000000000000-mapping.dmp
- memory/4068-142-0x0000000000000000-mapping.dmp