Analysis
-
max time kernel
146s
-
max time network
154s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
21-05-2022 00:12
-
Static task
static1
-
Behavioral task
behavioral1
-
Sample
0RY9t35YcXOZNbf.exe
-
Resource
win7-20220414-en
General
-
Target
0RY9t35YcXOZNbf.exe
-
Size
594KB
-
MD5
0b5122869b9f16726f19a5f22d32eaad
-
SHA1
61d5174d14e9c5fce2e441619d7064c67fc969ac
-
SHA256
320b9847b87acc72f35b69c9767584a8627d6cce512d65d45ca5bbc62b94230e
-
SHA512
d3b41e245aed263e9f4938e65cb4189bc26cdf996354722334a314e40affdf5961de0f8d0972f30818736d81c52fb5537e99945a274cac9c91a6904e9068ca6b
Malware Config
Extracted
-
Family
nanocore
-
Version
1.2.2.0
-
C2
79.134.225.71:1985
127.0.0.1:1985
-
Mutex
b906c32a-7c7b-408f-aea8-c2cf051540c7
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-05-08T07:10:15.167894836Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1985
-
default_group
Cherry
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
b906c32a-7c7b-408f-aea8-c2cf051540c7
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
79.134.225.71
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 0RY9t35YcXOZNbf.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 0RY9t35YcXOZNbf.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" | RegSvcs.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: 0RY9t35YcXOZNbf.exe
description | pid | process | target process
PID 2176 set thread context of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
-
Drops file in Program Files directory 2 IoCs
Processes: RegSvcs.exe
description | ioc | process
File created | C:\Program Files (x86)\WPA Monitor\wpamon.exe | RegSvcs.exe
File opened for modification | C:\Program Files (x86)\WPA Monitor\wpamon.exe | RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: 0RY9t35YcXOZNbf.exe, RegSvcs.exe
pid | process
2176 | 0RY9t35YcXOZNbf.exe
2176 | 0RY9t35YcXOZNbf.exe
2176 | 0RY9t35YcXOZNbf.exe
2176 | 0RY9t35YcXOZNbf.exe
3732 | RegSvcs.exe
3732 | RegSvcs.exe
3732 | RegSvcs.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RegSvcs.exe
pid | process
3732 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 0RY9t35YcXOZNbf.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 2176 | 0RY9t35YcXOZNbf.exe
Token: SeDebugPrivilege | 3732 | RegSvcs.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: 0RY9t35YcXOZNbf.exe
description | pid | process | target process
PID 2176 wrote to memory of 3760 | 2176 | 0RY9t35YcXOZNbf.exe | schtasks.exe
PID 2176 wrote to memory of 3760 | 2176 | 0RY9t35YcXOZNbf.exe | schtasks.exe
PID 2176 wrote to memory of 3760 | 2176 | 0RY9t35YcXOZNbf.exe | schtasks.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
PID 2176 wrote to memory of 3732 | 2176 | 0RY9t35YcXOZNbf.exe | RegSvcs.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0RY9t35YcXOZNbf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0RY9t35YcXOZNbf.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp82CC.tmp"
- Creates scheduled task(s)
-
Level 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
Command line: "{path}"
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp82CC.tmp
Filesize
1KB
MD5
ab9f8a9574d9209cd8666decb37e33cc
SHA1
b768b98d37b96bcf5eeeb4bae10589a196b66db2
SHA256
2c052172f943620c36053efd2ab1d6ef9fbb671c55669b9f49430f0f7acd7704
SHA512
5059538580cce17a2c7516e3117297310455e38ff32d51c6e17ef188448ce3567f9c968ad478df725ed2ce8630ceee2340246264a6e60877895591a67d45da70
-
memory/2176-130-0x0000000074660000-0x0000000074C11000-memory.dmp
Filesize
5.7MB
-
memory/3732-133-0x0000000000000000-mapping.dmp
-
memory/3732-134-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/3732-135-0x0000000074660000-0x0000000074C11000-memory.dmp
Filesize
5.7MB
-
memory/3760-131-0x0000000000000000-mapping.dmp