Analysis
max time kernel: 169s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:50
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Tedy.122593.7296.exe
Resource: win7-20220414-en
General
Target: SecuriteInfo.com.Variant.Tedy.122593.7296.exe
Size: 1.0MB
MD5: a3f9db216c595bbb5081ad0430248975
SHA1: e06a7da7340e4e27d9737e58554ab4419116a0e2
SHA256: 647c540fe4c9f3dc5a06c978ff0644905b07a53517e637f674a089f866a135d0
SHA512: 3a6eb7aac3afed0438d1005f4534cc9a45b6697b8c0c266d1fae1b32cf84cd15726a005fc707ff2500f8b2bc045ea7ec20c715efeb4211e6b4b33d6c1afa56a5
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 185.220.69.56:6662 (primary), nwme22.duckdns.org:6662 (backup, dynamic DNS)
Mutex: 20fcb0e8-3b1f-4bdb-88e7-54967ec4f249
activate_away_mode: true
backup_connection_host: nwme22.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-02-27T22:17:25.361662736Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 6662
default_group: PDF
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760 bytes, i.e. 10 MiB; the extractor prints the integer as a float)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760 bytes, 10 MiB)
mutex: 20fcb0e8-3b1f-4bdb-88e7-54967ec4f249
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 185.220.69.56
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
The timeouts and delays are in milliseconds. run_on_startup, request_elevation, bypass_user_account_control and set_critical_process are all enabled, which matches the Run-key persistence, the EnableLUA query and the SeDebugPrivilege use recorded in the signatures below.
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Windows security modification (4 IoCs)
Both the original sample path and the dropped copy are excluded from Windows Defender scanning; the matching Add-MpPreference command lines appear in the process tree below. The WOW6432Node path is the 32-bit registry view, consistent with the sample being a 32-bit process.
Processes:
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe = "0"
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe = "0"
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Both the Run and the RunOnce entry in the user's hive point at the dropped copy. It is named svchost.exe but lives under C:\Program Files\Common Files\System\, not in a Windows system directory, so the name is a masquerade.
Processes:
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1bbd3cd1f3dc3f = "C:\\Program Files\\Common Files\\System\\9f3df393cbbd19b\\svchost.exe"
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\b1bbd3cd1f3dc3f = "C:\\Program Files\\Common Files\\System\\9f3df393cbbd19b\\svchost.exe"
-
Checks whether UAC is enabled (1 IoC)
Consistent with the request_elevation and bypass_user_account_control flags in the extracted config.
Processes:
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2240 (SecuriteInfo.com.Variant.Tedy.122593.7296.exe) set thread context of PID 1940 (SecuriteInfo.com.Variant.Tedy.122593.7296.exe)
Taken together with the WriteProcessMemory calls from 2240 into 1940 listed below, this is the pattern of a suspended copy of the sample's own image being overwritten and resumed (process hollowing).
-
Drops file in Program Files directory (2 IoCs)
Processes:
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: File opened for modification C:\Program Files\Common Files\System\9f3df393cbbd19b
  SecuriteInfo.com.Variant.Tedy.122593.7296.exe: File created C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this is the sandbox's generic description for the signature. The extracted config identifies the sample as the NanoCore RAT, no file-encryption activity is reported, and the drive enumeration here sits alongside the other sandbox-detection checks (BIOS strings, VirtualBox/VMware keys, Disk\Enum).
-
Suspicious behavior: EnumeratesProcesses (19 IoCs)
Processes (PID, image, hit count):
  2240 SecuriteInfo.com.Variant.Tedy.122593.7296.exe (10)
  1940 SecuriteInfo.com.Variant.Tedy.122593.7296.exe (3)
  3616 powershell.exe (2)
  4452 powershell.exe (2)
  4924 powershell.exe (2)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  1940 SecuriteInfo.com.Variant.Tedy.122593.7296.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  Token: SeDebugPrivilege 2240 SecuriteInfo.com.Variant.Tedy.122593.7296.exe
  Token: SeDebugPrivilege 4924 powershell.exe
  Token: SeDebugPrivilege 4452 powershell.exe
  Token: SeDebugPrivilege 3616 powershell.exe
  Token: SeDebugPrivilege 1940 SecuriteInfo.com.Variant.Tedy.122593.7296.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source PID and image, target PID and image, count):
  PID 2240 SecuriteInfo.com.Variant.Tedy.122593.7296.exe wrote to memory of 3616 powershell.exe (3 times)
  PID 2240 SecuriteInfo.com.Variant.Tedy.122593.7296.exe wrote to memory of 4452 powershell.exe (3 times)
  PID 2240 SecuriteInfo.com.Variant.Tedy.122593.7296.exe wrote to memory of 4924 powershell.exe (3 times)
  PID 2240 SecuriteInfo.com.Variant.Tedy.122593.7296.exe wrote to memory of 1940 SecuriteInfo.com.Variant.Tedy.122593.7296.exe (8 times)
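The WriteProcessMemory and SetThreadContext rows above are more useful correlated than read one by one: the three PowerShell children receive a handful of writes and nothing else, while PID 1940 (a second instance of the sample's own image) receives eight writes and then has its thread context replaced. The following Python is an added example, not part of the sandbox report and not NanoCore code; it parses rows written in the report's own "PID <src> <verb> <dst> <src> <src image> <dst image>" shape and turns them into a per-pair verdict. ROWS is constructed to mirror the rows above (same PIDs, images and counts), and dump_region checks that the 232KB dump of PID 1940 listed under Downloads covers the 0x400000-0x43A000 image region of the hollowed child.

```python
"""Correlate sandbox WriteProcessMemory / SetThreadContext rows into an injection verdict.
Added example; ROWS is constructed to mirror this report, not captured output."""
import re
from collections import defaultdict

SAMPLE = "SecuriteInfo.com.Variant.Tedy.122593.7296.exe"

# Constructed rows in the report's own row shape (counts taken from the signature above).
ROWS = [f"PID 2240 wrote to memory of {dst} 2240 {SAMPLE} {img}"
        for dst, img, n in ((3616, "powershell.exe", 3), (4452, "powershell.exe", 3),
                            (4924, "powershell.exe", 3), (1940, SAMPLE, 8))
        for _ in range(n)]
ROWS.append(f"PID 2240 set thread context of 1940 2240 {SAMPLE} {SAMPLE}")

ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def correlate(rows):
    """Group cross-process writes and thread-context changes by (src_pid, dst_pid)."""
    pairs = defaultdict(lambda: {"writes": 0, "set_thread_context": False})
    for line in rows:
        m = ROW_RE.search(line)
        if not m:
            continue  # not a memory/thread row; ignore
        src, verb, dst, src_img, dst_img = m.groups()
        entry = pairs[(int(src), int(dst))]
        entry["src_image"], entry["dst_image"] = src_img, dst_img
        if verb.startswith("wrote"):
            entry["writes"] += 1
        else:
            entry["set_thread_context"] = True
    for entry in pairs.values():
        same = entry["src_image"].lower() == entry["dst_image"].lower()
        entry["same_image"] = same
        # Writes into a process followed by SetThreadContext on it is the injection
        # pattern; when the target is a copy of the writer's own image it is the
        # classic "spawn myself suspended, overwrite, resume" hollowing variant.
        if entry["writes"] and entry["set_thread_context"]:
            entry["verdict"] = "hollowing_self" if same else "injection"
        else:
            entry["verdict"] = "writes_only"
    return dict(pairs)


def hollowed_targets(rows):
    """PIDs that received writes and a thread-context change from a same-image parent."""
    return sorted(dst for (_, dst), e in correlate(rows).items() if e["verdict"] == "hollowing_self")


def dump_region(name):
    """Parse a sandbox memory-dump name into (pid, start, end, size_kb); None for mapping dumps."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, start, end, (end - start) // 1024


if __name__ == "__main__":
    for pair, e in correlate(ROWS).items():
        print(pair, e["writes"], e["set_thread_context"], e["verdict"])
    print(dump_region("memory/1940-144-0x0000000000400000-0x000000000043A000-memory.dmp"))
```

The same correlation applies to Sysmon data: event 8 (CreateRemoteThread) or event 10 (ProcessAccess with write/set-context rights) from a parent into a freshly created child of the same image is the signal, and the child's image region is where to carve the unpacked payload from a memory dump.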
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe (depth 1; PID 2240 in the signatures above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Windows security modification
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe (depth 2; PID 1940, the copy that PID 2240 writes into and whose thread context it replaces)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Notes: the three PowerShell children are PIDs 3616, 4452 and 4924 in the signatures above (the tree does not say which command line belongs to which PID). Each command line names System32, but the image that actually ran is the SysWOW64 one: the parent is a 32-bit process, so the path is subject to WOW64 file-system redirection. Two of the three invocations exclude the dropped svchost.exe copy from Defender and the third excludes the original sample path; Add-MpPreference needs an elevated context, which is why the sample queries EnableLUA and carries request_elevation in its config.
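The two host-side behaviours in this tree that are cheap to detect are the Defender exclusion (both the Add-MpPreference command line and the resulting write under Windows Defender\Exclusions) and the Run/RunOnce entries that point at a svchost.exe outside the Windows system directories. The Python below is an added example, not part of the sandbox report and not NanoCore code. EVENTS is hand-constructed to mirror the report's command lines and registry writes using Sysmon-style field names (event 1 for process creation, event 13 for a registry value set); it is not captured log data, and the benign OneDrive autorun is included only as a control. The rules are generalised slightly beyond this sample: any Add-MpPreference exclusion type is caught, and any well-known Windows binary name running from a non-system directory is rated high.

```python
"""Detect Defender exclusions and masquerading autoruns in Sysmon-style events.
Added example; EVENTS is constructed to mirror this report, not captured logs."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int          # 1 = process create, 13 = registry value set (Sysmon numbering)
    image: str             # process that generated the event
    command_line: str = ""
    target_object: str = ""
    details: str = ""


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe"
DROPPED = r"C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe"
USER_SID = "S-1-5-21-2632097139-1792035885-811742494-1000"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s" -Force'
EXCL_PATHS = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths"
RUN = rf"HKU\{USER_SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed events mirroring the report (not captured Sysmon output).
EVENTS = [
    Event(1, PS32, command_line=PS_CMD % DROPPED),
    Event(1, PS32, command_line=PS_CMD % DROPPED),
    Event(1, PS32, command_line=PS_CMD % SAMPLE),
    Event(13, SAMPLE, target_object=EXCL_PATHS + "\\" + DROPPED, details="DWORD (0x00000000)"),
    Event(13, SAMPLE, target_object=EXCL_PATHS + "\\" + SAMPLE, details="DWORD (0x00000000)"),
    Event(13, SAMPLE, target_object=RUN + r"\b1bbd3cd1f3dc3f", details=DROPPED),
    Event(13, SAMPLE, target_object=RUN + r"Once\b1bbd3cd1f3dc3f", details=DROPPED),
    # Benign control: an ordinary autorun that must not be rated high.
    Event(13, r"C:\Windows\explorer.exe", target_object=RUN + r"\OneDrive",
          details=r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
]

ADD_MP = re.compile(r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
EXCL_KEY = re.compile(r"\\Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions)\\(.+)$", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


def exe_path(value: str) -> str:
    """Executable path from a Run-key value or command line, lower-cased (heuristic)."""
    m = re.match(r'\s*"?([^"]*?\.exe)', value, re.I)
    return (m.group(1) if m else value.strip()).lower()


def masquerades_system_binary(value: str) -> bool:
    """True for a well-known Windows binary name executing outside the system directories."""
    directory, _, name = exe_path(value).rpartition("\\")
    return name in SYSTEM_NAMES and directory not in SYSTEM_DIRS


def analyze(events):
    """Return a list of findings; excluded_autorun correlates the two behaviours."""
    exclusions, autoruns, findings = set(), [], []
    for ev in events:
        if ev.event_id == 1 and (m := ADD_MP.search(ev.command_line)):
            path = (m.group(1) or m.group(2)).lower()
            exclusions.add(path)
            findings.append({"rule": "defender_exclusion_cmd", "image": ev.image, "target": path})
        elif ev.event_id == 13 and (m := EXCL_KEY.search(ev.target_object)):
            exclusions.add(m.group(1).lower())
            findings.append({"rule": "defender_exclusion_reg", "image": ev.image, "target": m.group(1).lower()})
        elif ev.event_id == 13 and RUN_KEY.search(ev.target_object):
            target = exe_path(ev.details)
            autoruns.append((ev.target_object, target))
            findings.append({"rule": "autorun", "key": ev.target_object, "target": target,
                             "severity": "high" if masquerades_system_binary(ev.details) else "info"})
    # Correlation: an autostart entry whose binary was also excluded from Defender.
    for key, target in autoruns:
        if target in exclusions:
            findings.append({"rule": "excluded_autorun", "key": key, "target": target, "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

On a live host the same two facts are read with Get-MpPreference (its ExclusionPath property) and the HKCU and HKLM ...\CurrentVersion\Run and RunOnce keys; an exclusion for a path that also appears as an autorun is worth treating as an incident rather than a misconfiguration.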
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 6758b138e4d24e637c4dca50039f62b7
  SHA1: e8c3e85d1068c4a4524554d720de960282be8420
  SHA256: 85da73fea35bffc001139379b68575dc733c16896dceb8a48f1f3a10fcd6a784
  SHA512: 50bb69d778b88dfe1d096e47a6a9a374b887341c508593b841996bc9695fcaf115a8ee0eabd809925b40a29644b3de5bf8b821c1af97d524c3939027f4259481
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (second capture of the same path)
  Filesize: 18KB
  MD5: 7405491082b59c16603933cd96a91097
  SHA1: bd8786e265e3103a9a8f5a0be450178ff50bd75a
  SHA256: c9be617a8ac780664a1686b607fa680271ceac606187af0b47c5ddab187b6cb5
  SHA512: 99c2557edf6a4261f6c1445e00977c854851f859f4220e5492ea545ed0cf7b2a38fff2a8b7e79ba77fd2c4f6d3e8eb71bc8db166fe9b4f5919af537e50ad5018
The three files above are side effects of the 32-bit PowerShell invocations (CLR usage log and startup profile cache), not payloads; the dropped C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe is not among the listed downloads.
Memory dumps (PID-index-range):
- memory/1940-144-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
  (Image region of the hollowed child PID 1940; the candidate for carving the payload that PID 2240 wrote into it.)
- memory/1940-143-0x0000000000000000-mapping.dmp
- memory/2240-131-0x0000000004AE0000-0x0000000004B7C000-memory.dmp
  Filesize: 624KB
- memory/2240-132-0x0000000005180000-0x0000000005724000-memory.dmp
  Filesize: 5.6MB
- memory/2240-133-0x0000000004C70000-0x0000000004D02000-memory.dmp
  Filesize: 584KB
- memory/2240-134-0x00000000050E0000-0x0000000005146000-memory.dmp
  Filesize: 408KB
- memory/2240-130-0x0000000000DC0000-0x0000000000ED2000-memory.dmp
  Filesize: 1.1MB
- memory/2240-140-0x0000000008680000-0x000000000868A000-memory.dmp
  Filesize: 40KB
- memory/3616-138-0x0000000000EE0000-0x0000000000F16000-memory.dmp
  Filesize: 216KB
- memory/3616-155-0x0000000007160000-0x000000000716E000-memory.dmp
  Filesize: 56KB
- memory/3616-157-0x0000000007250000-0x0000000007258000-memory.dmp
  Filesize: 32KB
- memory/3616-135-0x0000000000000000-mapping.dmp
- memory/3616-154-0x00000000071B0000-0x0000000007246000-memory.dmp
  Filesize: 600KB
- memory/3616-152-0x00000000060A0000-0x00000000060BA000-memory.dmp
  Filesize: 104KB
- memory/3616-146-0x0000000006BD0000-0x0000000006C02000-memory.dmp
  Filesize: 200KB
- memory/3616-148-0x000000006F850000-0x000000006F89C000-memory.dmp
  Filesize: 304KB
- memory/4452-151-0x0000000007F30000-0x00000000085AA000-memory.dmp
  Filesize: 6.5MB
- memory/4452-150-0x000000006F850000-0x000000006F89C000-memory.dmp
  Filesize: 304KB
- memory/4452-153-0x0000000007970000-0x000000000797A000-memory.dmp
  Filesize: 40KB
- memory/4452-145-0x0000000006460000-0x000000000647E000-memory.dmp
  Filesize: 120KB
- memory/4452-142-0x0000000005EA0000-0x0000000005F06000-memory.dmp
  Filesize: 408KB
- memory/4452-156-0x0000000007C40000-0x0000000007C5A000-memory.dmp
  Filesize: 104KB
- memory/4452-139-0x0000000005650000-0x0000000005C78000-memory.dmp
  Filesize: 6.2MB
- memory/4452-136-0x0000000000000000-mapping.dmp
- memory/4924-149-0x0000000006560000-0x000000000657E000-memory.dmp
  Filesize: 120KB
- memory/4924-147-0x000000006F850000-0x000000006F89C000-memory.dmp
  Filesize: 304KB
- memory/4924-141-0x0000000005050000-0x0000000005072000-memory.dmp
  Filesize: 136KB
- memory/4924-137-0x0000000000000000-mapping.dmp