Analysis
- max time kernel: 153s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:57

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220414-en
General
- Target: file.exe
- Size: 478KB
- MD5: 17474288d46bec313d81e0c0a418ebce
- SHA1: 98eec9e6b8ad986077e96071112db24ee0ce118a
- SHA256: f036e2aa7615446d2cb3ab689b13aac4055bf2cb8b19b0999db08d7052a80bf1
- SHA512: ca1f2d3a3b07802811b59c8b1a848c9910feafdf7c16b460e6972e243460d17d9669d277f97f79ecad3ba0f38917422ee6b63b1e064a20c0f9cea595799ff22e
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: megida123.ddns.net:9900
- Mutex: 64aa071e-5b44-426b-ad7e-e6d42b713d32

Configuration:
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-01T17:02:01.784418836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9900
- default_group: 00000
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 64aa071e-5b44-426b-ad7e-e6d42b713d32
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: megida123.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: file.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: file.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | file.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: MSBuild.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe" | MSBuild.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: file.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | file.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | file.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: file.exe
  description | pid process | target process
  PID 3692 set thread context of 4848 | 3692 file.exe | MSBuild.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: MSBuild.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\SCSI Subsystem\scsiss.exe | MSBuild.exe
  File created | C:\Program Files (x86)\SCSI Subsystem\scsiss.exe | MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: file.exe, MSBuild.exe
  pid | process
  3692 | file.exe
  4848 | MSBuild.exe
  4848 | MSBuild.exe
  4848 | MSBuild.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: MSBuild.exe
  pid | process
  4848 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: file.exe, MSBuild.exe
  description | pid process
  Token: SeDebugPrivilege | 3692 file.exe
  Token: SeDebugPrivilege | 4848 MSBuild.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: file.exe
  description | pid process | target process
  PID 3692 wrote to memory of 3220 | 3692 file.exe | schtasks.exe
  PID 3692 wrote to memory of 3220 | 3692 file.exe | schtasks.exe
  PID 3692 wrote to memory of 3220 | 3692 file.exe | schtasks.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
  PID 3692 wrote to memory of 4848 | 3692 file.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GHjTzl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70E5.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp70E5.tmp
  Filesize: 1KB
  MD5: 4b8f05c5e7240953865516deed507c89
  SHA1: d27eb1926385c870b8db7d6f188cecafe95139b2
  SHA256: ecfb2807def1c72780dcc446b07a1fd9e344728f62e016c807741f511aad9b6d
  SHA512: cf54ab5fdbcb069d968acd1d982073ca4c07a4a4e2a7816aa5f5272d0c718e98d016b7d2e53bc82c33a96f691e11b7926cfb8f81254cf8a8f6e93384b8e7dbb2
- memory/3220-131-0x0000000000000000-mapping.dmp
- memory/3692-130-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB
- memory/4848-133-0x0000000000000000-mapping.dmp
- memory/4848-134-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/4848-135-0x00000000748D0000-0x0000000074E81000-memory.dmp
  Filesize: 5.7MB