Analysis

max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 01:48

Static task: static1
Behavioral task: behavioral1
Sample: 0K408j3RN7U8UB6.exe
Resource: win7-20220414-en
General

Target: 0K408j3RN7U8UB6.exe
Size: 444KB
MD5: 0d2a1d6662af45ba909226b2992798b0
SHA1: 40f3e3e5f00436a1f779e9eafb15bcf3c1c8ae3e
SHA256: 358935d89163fa342e0707a3be3e844b44df91341a48dcf1c28d8b8c8424e6b5
SHA512: f0eed196650f254d916c2041f157788dffed25e27f76c0f043f111492e058a1a784d94c062e0c3fd39e04671ba089b99b92c2159022d90992a9eb13877fa2727
Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: darlingtondc.hopto.org:1905
C2: 185.165.153.17:1905
Mutex: f1e189ea-bf5f-4d37-b84c-3b194f4e6fe7

activate_away_mode: true
backup_connection_host: 185.165.153.17
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-14T23:32:54.424872236Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1905
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760 (10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (10 MiB)
mutex: f1e189ea-bf5f-4d37-b84c-3b194f4e6fe7
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: darlingtondc.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

What a responder should take from this config. The C2 is reached on TCP 1905 either through the dynamic-DNS name darlingtondc.hopto.org or, as a fallback, the hard-coded IP 185.165.153.17, so both the DNS query for the name and direct connections to the IP are worth hunting for. run_on_startup, request_elevation and bypass_user_account_control are all set, which matches the scheduled task and the EnableLUA check recorded further down. keyboard_logging is off in this build. set_critical_process is true: a process that has been marked critical takes the host down with a bugcheck when it is terminated, so the safer first step is to remove the persistence and reboot rather than kill the running process outright.
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  0K408j3RN7U8UB6.exe: key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation

Checks whether UAC is enabled
Processes:
  0K408j3RN7U8UB6.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 1320 (0K408j3RN7U8UB6.exe) set thread context of PID 5108 (0K408j3RN7U8UB6.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(That description is the sandbox's generic text for this signature. With the extracted config identifying the family as NanoCore, a RAT, drive enumeration here is more consistent with host reconnaissance than with encryption staging; nothing else in the report points to ransomware.)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
  PID 1320 (0K408j3RN7U8UB6.exe): 6 hits
  PID 5108 (0K408j3RN7U8UB6.exe): 3 hits

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  PID 5108 (0K408j3RN7U8UB6.exe)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 1320 (0K408j3RN7U8UB6.exe)
  Token: SeDebugPrivilege, PID 5108 (0K408j3RN7U8UB6.exe)

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  PID 1320 (0K408j3RN7U8UB6.exe) wrote to memory of PID 2148 (schtasks.exe): 3 hits
  PID 1320 (0K408j3RN7U8UB6.exe) wrote to memory of PID 5036 (0K408j3RN7U8UB6.exe): 3 hits
  PID 1320 (0K408j3RN7U8UB6.exe) wrote to memory of PID 5108 (0K408j3RN7U8UB6.exe): 8 hits
Processes

C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe (PID 1320)
  "C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2148)
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eECnqy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FAD.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe (PID 5036)
    "{path}"

  C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe (PID 5108)
    "{path}"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature tables above. The sample (PID 1320) registers a scheduled task named Updates\eECnqy from a task XML it dropped into %TEMP%, then launches two copies of its own image with the literal command line "{path}". PID 5108 is the copy whose memory PID 1320 wrote to and whose thread context it replaced, and it is the copy that goes on to query EnableLUA and show the RAT's runtime behaviour. schtasks.exe ran from SysWOW64 although the command line names System32: the sample is a 32-bit process, so WOW64 file system redirection rewrote the path.
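The pattern in this tree and in the signatures above (schtasks /Create importing a task XML from %TEMP%, then the sample spawning its own image with the bare command line "{path}", one copy of which gets its thread context rewritten) is easy to express as detection logic over process-creation telemetry. The following is an added example and not part of the sandbox report or any vendor rule set: it runs over constructed Sysmon Event ID 1 style records that mirror the tree above, and the explorer.exe parent PID and the benign control event are assumptions made for the demonstration.

```python
"""Detection over process-creation events for the persistence + self-injection
pattern in the process tree. The events are CONSTRUCTED Sysmon Event ID 1 style
records (Image, ParentImage, CommandLine), not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # Sysmon Image
    parent_image: str  # Sysmon ParentImage
    cmdline: str       # Sysmon CommandLine


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe"

# Constructed events mirroring the tree above. The explorer.exe parent (PID 400)
# and the benign control event (PIDs 6000/7000) are assumptions for the demo.
EVENTS = [
    ProcEvent(1320, 400, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    ProcEvent(2148, 1320, r"C:\Windows\SysWOW64\schtasks.exe", SAMPLE,
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eECnqy" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1FAD.tmp"'),
    ProcEvent(5036, 1320, SAMPLE, SAMPLE, '"{path}"'),
    ProcEvent(5108, 1320, SAMPLE, SAMPLE, '"{path}"'),
    # Benign control: an admin importing a task definition from a non-temp directory.
    ProcEvent(7000, 6000, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

XML_ARG = re.compile(r'/XML\s+"?([^"]+?)"?(?:\s|$)', re.I)
TEMP_TMP = re.compile(r"\\Temp\\tmp[0-9A-F]{1,4}\.tmp$", re.I)  # GetTempFileName-style name


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_schtasks_temp_xml(ev: ProcEvent) -> bool:
    """schtasks /Create importing a task XML that lives in a Temp directory as tmpXXXX.tmp."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return False
    m = XML_ARG.search(ev.cmdline)
    return bool(m and TEMP_TMP.search(m.group(1)))


def is_hollowed_self_child(ev: ProcEvent) -> bool:
    """A process re-launching its own image with a command line that does not name
    that image. Here the stub launched itself with the literal '{path}' the sandbox
    recorded; the generic form also catches other placeholder command lines."""
    if basename(ev.image) != basename(ev.parent_image):
        return False
    bare = ev.cmdline.strip().strip('"')
    return bare == "{path}" or basename(ev.image) not in bare.lower()


def detect(events) -> list:
    """Return per-event findings, plus an escalated finding when one parent both
    registered a task from Temp and spawned a hollowed copy of itself."""
    findings, by_parent = [], {}
    for ev in events:
        if is_schtasks_temp_xml(ev):
            findings.append({"rule": "schtasks_temp_xml", "pid": ev.pid, "ppid": ev.ppid})
            by_parent.setdefault(ev.ppid, set()).add("persist")
        if is_hollowed_self_child(ev):
            findings.append({"rule": "hollowed_self_child", "pid": ev.pid, "ppid": ev.ppid})
            by_parent.setdefault(ev.ppid, set()).add("inject")
    for ppid, tags in by_parent.items():
        if tags == {"persist", "inject"}:
            findings.append({"rule": "stub_persist_and_inject", "pid": ppid, "ppid": None})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The escalation step is the useful part: either rule alone fires occasionally on admin scripting or on software that re-executes itself, but a single parent that does both within one execution is the stub behaviour seen here.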
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1FAD.tmp
  Filesize: 1KB
  MD5: dbafda3fab23f97ed35c006e4ad69e41
  SHA1: c948736c2e094d4d5b8cc228733860eef4e82f69
  SHA256: 952997cf21e3e8f081cf5ae96dba05dd5b99261292af3596463006f757973906
  SHA512: bbbb6fded058ec3f73a338d26c816ac8d801810ee5b2e4f013d2d5a76af7d2e0fe1130d4ceb2a3b0e99365a71906049f02fb6b08868cdd54b406da9afc1a1107
  This is the task definition that PID 1320 passed to schtasks /XML in the process tree.

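A 1KB file handed to schtasks /XML is a Task Scheduler task definition, and the triage questions are always the same: what does it run, when, as whom, and is it hidden. The page does not reproduce the contents of tmp1FAD.tmp, so the following added example (not the report's own data or code) parses a constructed document in the standard Task Scheduler XML schema. The trigger, the action path under AppData, the Arguments value and the RunLevel/Hidden settings in the constructed XML are assumptions for illustration and are not taken from the real dropped file.

```python
"""Triage of a Task Scheduler XML file of the kind schtasks /XML imports.
The XML below is CONSTRUCTED for demonstration; it is not the real tmp1FAD.tmp."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition (assumed values). Encoded as UTF-16 with a BOM, which
# is how Task Scheduler stores and exports task XML.
CONSTRUCTED_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\eECnqy\eECnqy.exe</Command>
      <Arguments>0</Arguments>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_task(data: bytes) -> dict:
    """Pull the fields a responder needs out of a task XML document."""
    root = ET.fromstring(data)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [el.tag.split("}", 1)[1] for el in trig]
    actions = [
        (ex.findtext("t:Command", default="", namespaces=NS).strip(),
         ex.findtext("t:Arguments", default="", namespaces=NS).strip())
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    return {
        "triggers": triggers,
        "actions": actions,
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS).strip(),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).strip() == "true",
    }


def triage(task: dict) -> list:
    """Return the reasons a parsed task deserves attention (empty list = nothing odd)."""
    reasons = []
    for cmd, _args in task["actions"]:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            reasons.append(f"action runs from a user-writable path: {cmd}")
    if "LogonTrigger" in task["triggers"] or "BootTrigger" in task["triggers"]:
        reasons.append("runs at logon/boot (compare run_on_startup in the extracted config)")
    if task["run_level"] == "HighestAvailable":
        reasons.append("asks for the highest available privileges")
    if task["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    return reasons


if __name__ == "__main__":
    parsed = parse_task(CONSTRUCTED_TASK_XML)
    print(parsed)
    for reason in triage(parsed):
        print("-", reason)
```

On a live host the same parser can be pointed at the registered task itself (the XML under C:\Windows\System32\Tasks\Updates\eECnqy), which is the copy that survives after the %TEMP% file is gone.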
memory/1320-130-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB
memory/2148-131-0x0000000000000000-mapping.dmp
memory/5036-133-0x0000000000000000-mapping.dmp
memory/5108-134-0x0000000000000000-mapping.dmp
memory/5108-135-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
memory/5108-136-0x0000000075210000-0x00000000757C1000-memory.dmp
  Filesize: 5.7MB

The 224KB (0x38000-byte) region at 0x400000-0x438000 in PID 5108 is the place to look for the code written into the re-launched copy: PID 1320 wrote to that process eight times and then set its thread context, as recorded under Signatures. The 5.7MB region at 0x75210000-0x757C1000 appears at the same address and size in both PID 1320 and PID 5108, which points to a shared module mapping rather than to the sample's own code.
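Before treating the 0x400000-0x438000 dump from PID 5108 as the injected image, check that it parses as a PE and that its SizeOfImage matches the dumped range; NanoCore is a .NET family, so whether the image carries a CLR header is also worth knowing. The following added example (not the sandbox's code) does those two checks on a constructed minimal PE32 header built to the same 0x38000 SizeOfImage; the constructed buffer stands in for the page's dump file, which is not reproduced here.

```python
"""Sanity checks for a memory dump that should hold an image-mapped PE, such as the
224KB region at 0x400000-0x438000 dumped from PID 5108. Only the DOS/NT headers are
parsed. The PE header built below is CONSTRUCTED for the demo, not the real dump."""
import struct


def pe_image_summary(buf: bytes) -> dict:
    """Return format, machine, section count, SizeOfImage and CLR-header presence."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    machine, nsections, _, _, _, _opt_size, _ = struct.unpack_from("<HHIIIHH", buf, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:
        kind, nrva_off, dd_off = "PE32", opt + 92, opt + 96
    elif magic == 0x20B:
        kind, nrva_off, dd_off = "PE32+", opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]  # same offset in PE32 and PE32+
    is_dotnet = False
    nrva = struct.unpack_from("<I", buf, nrva_off)[0]
    if nrva > 14:  # data directory 14 is the CLR runtime header
        clr_rva, clr_size = struct.unpack_from("<II", buf, dd_off + 14 * 8)
        is_dotnet = clr_rva != 0 and clr_size != 0
    return {"format": kind, "machine": machine, "sections": nsections,
            "size_of_image": size_of_image, "is_dotnet": is_dotnet}


def region_matches_image(buf: bytes, region_start: int, region_end: int) -> bool:
    """True when the dumped region is exactly SizeOfImage bytes long."""
    return region_end - region_start == pe_image_summary(buf)["size_of_image"]


def build_constructed_pe32(size_of_image: int, dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (no sections, no code) for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)                # SizeOfImage
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # assumed CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    demo = build_constructed_pe32(0x38000, dotnet=True)
    print(pe_image_summary(demo))
    print("region matches SizeOfImage:", region_matches_image(demo, 0x400000, 0x438000))
```

A region whose size does not match SizeOfImage is not necessarily uninteresting (the sandbox may have dumped a partial or padded range), but a match plus a CLR header is a strong sign that the region is the unpacked .NET payload and can go straight to a .NET decompiler.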