Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 22:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: B882ITUI.exe
- Resource: win7-20220414-en
General
- Target: B882ITUI.exe
- Size: 587KB
- MD5: 60e77f32fe61bb0a0d5c15a97bc08110
- SHA1: 52c03a3566b4b06370b8610f54e9075656e273d2
- SHA256: d24902af61b7ff0f4977fc9c13b8c2f8a94f1282fe5229156743e357c0654b4a
- SHA512: 379bae34f87de7d9003fbda71abb9d2dd81c251489b2e364f4e75dfbfcfa92bd867d921f18bec20229187a3c1c9bb9d865e78f481a16f661066bfe79782d346c
Malware Config
Extracted
- family: nanocore
- version: 1.2.2.0
- C2: 194.5.97.7:21600, 127.0.0.1:21600
- mutex: 47e60659-c2cb-4e09-8cd1-9e66d234ee01
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-05-31T09:23:22.132388636Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 21600
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 47e60659-c2cb-4e09-8cd1-9e66d234ee01
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 194.5.97.7
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    B882ITUI.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    B882ITUI.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe"
- Checks whether UAC is enabled
  Processes:
    B882ITUI.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    B882ITUI.exe (PID 2272) set thread context of B882ITUI.exe (PID 4344)
- Drops file in Program Files directory (2 IoCs)
  Processes:
    B882ITUI.exe: File opened for modification C:\Program Files (x86)\SCSI Subsystem\scsiss.exe
    B882ITUI.exe: File created C:\Program Files (x86)\SCSI Subsystem\scsiss.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    schtasks.exe (PID 4484)
    schtasks.exe (PID 4504)
    schtasks.exe (PID 4564)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    B882ITUI.exe (PID 2272), 1 entry
    B882ITUI.exe (PID 4344), 3 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    B882ITUI.exe (PID 4344)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    B882ITUI.exe (PID 2272): Token: SeDebugPrivilege
    B882ITUI.exe (PID 4344): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    B882ITUI.exe (PID 2272) wrote to memory of schtasks.exe (PID 4484), 3 entries
    B882ITUI.exe (PID 2272) wrote to memory of B882ITUI.exe (PID 4344), 8 entries
    B882ITUI.exe (PID 4344) wrote to memory of schtasks.exe (PID 4504), 3 entries
    B882ITUI.exe (PID 4344) wrote to memory of schtasks.exe (PID 4564), 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\B882ITUI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\B882ITUI.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yKCiTBv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B29.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\B882ITUI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\B882ITUI.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9A5B.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9B37.tmp"
      - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8B29.tmp
  Filesize: 1KB
  MD5: 1fc30b69894b31c1d61262ecef1de3b3
  SHA1: b657ed8c3ee2e99a280ef2a6c0e001512a66cb8f
  SHA256: 061dfa7b5e4bc12375a04103b65ad1e8feed3b751244f1ee11f68a7f16b39bd3
  SHA512: 29885f89f92699a48d36484e2f59274a555d9a5516c354214052d8b7d2c870c065b3355c31bd27c3e3a7f0d0613d22668c8006ef6de9f0f3671729c319a45861
- C:\Users\Admin\AppData\Local\Temp\tmp9A5B.tmp
  Filesize: 1KB
  MD5: 9b8a6b2d36f409d3ea4b8a5917afb582
  SHA1: 685d622d43ff833787651295da0c6f6605b10d4c
  SHA256: 223c2562c925ae4d4567352df2d938227dd1a3d71cb7d3e81763049b8c6a5337
  SHA512: ba60dd9e8a40650859b1b0b8075c1f1aba6cf408df8bc0b2ffe1cb5c55d9aa4d4ad1cb68c79aaa49ef50d8da681984dfa0441ab87a83cca8282b315f43807d5f
- C:\Users\Admin\AppData\Local\Temp\tmp9B37.tmp
  Filesize: 1KB
  MD5: bd110f9fc6c1a842f1d9b269010b0611
  SHA1: ef71c062902602faef9b66dcd1cfc9fe5baaf389
  SHA256: 8135c4e4eeaa741f752c0ab8f4ee33e3bb8a0cac5923812234f2e5177d50eb5b
  SHA512: b8a7943a3126880b26407800bbdad5402c5b0e2aa106e7dbbb35d0cb145ca9de114401573a6aa66042a2e13674cfbcc2981d66b813f9b923fff5302210afba1f
- memory/2272-130-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB
- memory/4344-133-0x0000000000000000-mapping.dmp
- memory/4344-134-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/4344-135-0x0000000074BC0000-0x0000000075171000-memory.dmp
  Filesize: 5.7MB
- memory/4484-131-0x0000000000000000-mapping.dmp
- memory/4504-136-0x0000000000000000-mapping.dmp
- memory/4564-138-0x0000000000000000-mapping.dmp