Analysis
- max time kernel: 166s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:20

Static task: static1
Behavioral task: behavioral1
Sample: RxAiLsC8IM0TZpd.exe
Resource: win7-20220414-en

General
- Target: RxAiLsC8IM0TZpd.exe
- Size: 443KB
- MD5: 91fffd2debf555464c6ab22b1a439a64
- SHA1: 86bd10469e908471a8707ea488e7b0cb0ca17385
- SHA256: 5d9ebdf2cc71a3daaf79800947f04e0c54d10d0bfb2a5b2884d62408615c6027
- SHA512: 88ce4ee88fbf5281d2074f7ad14209f6f7e4eb3a05ac558b72fd1b0f0d0ae1f23d52206aa47a8d5518d3ba367e6da7a45900ce9313c996c991c5366e17f1fe33
Malware Config
Extracted: nanocore 1.2.2.0
C2: u870797.nvpn.to:3119
Mutex: f813c4e2-fc76-409a-b46f-571ed35f6a5f
Attributes:
- activate_away_mode: true
- backup_connection_host: u870797.nvpn.to
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-29T11:52:57.396056536Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3119
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f813c4e2-fc76-409a-b46f-571ed35f6a5f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: u870797.nvpn.to
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | RxAiLsC8IM0TZpd.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RxAiLsC8IM0TZpd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2672 set thread context of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  3976 | schtasks.exe
  4680 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
  4168 | RxAiLsC8IM0TZpd.exe
  4168 | RxAiLsC8IM0TZpd.exe
  4168 | RxAiLsC8IM0TZpd.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  4168 | RxAiLsC8IM0TZpd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 4168 | RxAiLsC8IM0TZpd.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description | pid | process | target process):
  PID 2672 wrote to memory of 3976 | 2672 | RxAiLsC8IM0TZpd.exe | schtasks.exe
  PID 2672 wrote to memory of 3976 | 2672 | RxAiLsC8IM0TZpd.exe | schtasks.exe
  PID 2672 wrote to memory of 3976 | 2672 | RxAiLsC8IM0TZpd.exe | schtasks.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 2672 wrote to memory of 4168 | 2672 | RxAiLsC8IM0TZpd.exe | RxAiLsC8IM0TZpd.exe
  PID 4168 wrote to memory of 4680 | 4168 | RxAiLsC8IM0TZpd.exe | schtasks.exe
  PID 4168 wrote to memory of 4680 | 4168 | RxAiLsC8IM0TZpd.exe | schtasks.exe
  PID 4168 wrote to memory of 4680 | 4168 | RxAiLsC8IM0TZpd.exe | schtasks.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\RxAiLsC8IM0TZpd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RxAiLsC8IM0TZpd.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnOnsQElhkAyZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64E4.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\RxAiLsC8IM0TZpd.exe
    Command line: "{path}"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RxAiLsC8IM0TZpd.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- C:\Users\Admin\AppData\Local\Temp\tmp64E4.tmp
  Filesize: 1KB
  MD5: 83b183259007f6c9c6de92bd2810f687
  SHA1: 71ca94fc62aacf87117cafed5f0a309639f9e8eb
  SHA256: f2ad6deed6fed222b0ed0653cb12de26e7e711f5ed34cf4474e1466c1a9ae477
  SHA512: bdf283cbb2ac436192094056ad76067e27498223ae8e8bb5c71e3f36fa63d343bf5df0c4cd5aa94c9ca7b7fb097326e5201a23ff332c731951a33320aebb684c
- C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp
  Filesize: 1KB
  MD5: 02e5054b4a2078b944da99494c6f44e7
  SHA1: 352b828db80967ba438b904f388ac1ea486aeb1c
  SHA256: a01d2ce2a8c09589d52cfbd82a903e6d056cfbb2a0e0dde4dd26f7fdcbd117ef
  SHA512: bcb12336d2ac83cca7bbc77013151f3e76421fa394f22f4a2338734e006012c2002de5494f3581d49e127174e05f66599bf62b18f889e8006f27d6ccff8f737a
- memory/2672-130-0x0000000000350000-0x00000000003C4000-memory.dmp
  Filesize: 464KB
- memory/2672-131-0x0000000005220000-0x00000000057C4000-memory.dmp
  Filesize: 5.6MB
- memory/2672-132-0x0000000004D60000-0x0000000004DF2000-memory.dmp
  Filesize: 584KB
- memory/2672-133-0x0000000004F10000-0x0000000004F1A000-memory.dmp
  Filesize: 40KB
- memory/2672-134-0x0000000008A30000-0x0000000008ACC000-memory.dmp
  Filesize: 624KB
- memory/3976-135-0x0000000000000000-mapping.dmp
- memory/4168-137-0x0000000000000000-mapping.dmp
- memory/4168-138-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/4680-140-0x0000000000000000-mapping.dmp