Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: RF172474228ES.exe
  - Resource: win7-20220414-en
General
- Target: RF172474228ES.exe
- Size: 506KB
- MD5: 8bbd8695bdfb7fb7438053fcdb6d79a4
- SHA1: 202966c54b72362c2e8c18e09d368eedd7dcc62a
- SHA256: d278d26f9221b6542223942ce10c1a6c34c8a550c0d8e0d724798cadaf160bfd
- SHA512: 716cfd55b155014338fa2ff99e9c999a98163aa0977d1a274e3ca9505aa681509dccfe3853809c297140f58d9e8c6c669865bf285a0aabf552fe4b246feb849c
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.140.53.9:9124, 127.0.0.1:9124
- Mutex: abee0a6e-9120-44aa-a70c-1e32c9a07128
Attributes
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-05T19:51:22.629259936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 9124
- default_group: Wish
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: abee0a6e-9120-44aa-a70c-1e32c9a07128
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: 185.140.53.9
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: RF172474228ES.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | RF172474228ES.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: RF172474228ES.exe
    description | pid | process | target process
    PID 4716 set thread context of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: RF172474228ES.exe, MSBuild.exe
    pid | process
    4716 | RF172474228ES.exe
    3668 | MSBuild.exe
    3668 | MSBuild.exe
    3668 | MSBuild.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: MSBuild.exe
    pid | process
    3668 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: RF172474228ES.exe, MSBuild.exe
    description | pid | process
    Token: SeDebugPrivilege | 4716 | RF172474228ES.exe
    Token: SeDebugPrivilege | 3668 | MSBuild.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: RF172474228ES.exe
    description | pid | process | target process
    PID 4716 wrote to memory of 4520 | 4716 | RF172474228ES.exe | schtasks.exe
    PID 4716 wrote to memory of 4520 | 4716 | RF172474228ES.exe | schtasks.exe
    PID 4716 wrote to memory of 4520 | 4716 | RF172474228ES.exe | schtasks.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
    PID 4716 wrote to memory of 3668 | 4716 | RF172474228ES.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RF172474228ES.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RF172474228ES.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\skzSSQhxUahA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E96.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7E96.tmp
  Filesize: 1KB
  MD5: ff85fa666ae3822f8be113c5b40652df
  SHA1: 071d8a8500f9eabdd47d0ad9bd93278e6b651f0a
  SHA256: c563fc8c6d81ac40cfe4fc2e8b3ef41b8274f071babef24c067e40a0fa835859
  SHA512: 91d2604e92ebbf6964c7a7237f14d1a5baca2e56df71862e4b095a01c1a5f0333acb031ca913ab19dfe7ac05bdd387dd2d8e279c5c0d222740651752891e2652
- memory/3668-138-0x0000000000000000-mapping.dmp
- memory/3668-139-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/4520-136-0x0000000000000000-mapping.dmp
- memory/4716-130-0x00000000006E0000-0x0000000000764000-memory.dmp
  Filesize: 528KB
- memory/4716-131-0x0000000005130000-0x00000000051CC000-memory.dmp
  Filesize: 624KB
- memory/4716-132-0x0000000005780000-0x0000000005D24000-memory.dmp
  Filesize: 5.6MB
- memory/4716-133-0x00000000051D0000-0x0000000005262000-memory.dmp
  Filesize: 584KB
- memory/4716-134-0x00000000050F0000-0x00000000050FA000-memory.dmp
  Filesize: 40KB
- memory/4716-135-0x00000000053F0000-0x0000000005446000-memory.dmp
  Filesize: 344KB