Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:52

Static task: static1
Behavioral task: behavioral1
Sample: YASEEN CV REF.2020 06 16.exe
Resource: win7-20220414-en
General
- Target: YASEEN CV REF.2020 06 16.exe
- Size: 341KB
- MD5: 506ae668ac52b8ea017fb9167582a690
- SHA1: 5aa054596fc9b66a68136d5a3e243f4f4605d6af
- SHA256: d49621996ba7b43c8d7cb35403ccbb13c50f1a1dddc9492ce7a74abd8597a115
- SHA512: dde5fb4cc8bbf7dcd667989e18ed380eb9cdf5ed182db06d0ea5d76d21d0300ad9676b46253bcd277eac94aa58bfd8e09c9b79fe64267d257ef9060d4d1bcada
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: INDOMIE.LINKPC.NET:1818, 185.140.53.9:1818
- Mutex: c2760388-119a-4b64-9007-01bc88004481

- activate_away_mode: true
- backup_connection_host: 185.140.53.9
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-19T16:48:01.198372836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1818
- default_group: INDOMIE
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: c2760388-119a-4b64-9007-01bc88004481
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: INDOMIE.LINKPC.NET
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe" | YASEEN CV REF.2020 06 16.exe
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | YASEEN CV REF.2020 06 16.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 2020 set thread context of 1572 | 2020 | YASEEN CV REF.2020 06 16.exe | YASEEN CV REF.2020 06 16.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\ARP Service\arpsvc.exe | YASEEN CV REF.2020 06 16.exe
    File opened for modification | C:\Program Files (x86)\ARP Service\arpsvc.exe | YASEEN CV REF.2020 06 16.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid | process
    1572 | YASEEN CV REF.2020 06 16.exe
    1572 | YASEEN CV REF.2020 06 16.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid | process
    1572 | YASEEN CV REF.2020 06 16.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1572 | YASEEN CV REF.2020 06 16.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description | pid | process | target process
    PID 2020 wrote to memory of 900 | 2020 | YASEEN CV REF.2020 06 16.exe | schtasks.exe (4 identical entries)
    PID 2020 wrote to memory of 1572 | 2020 | YASEEN CV REF.2020 06 16.exe | YASEEN CV REF.2020 06 16.exe (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\YASEEN CV REF.2020 06 16.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\YASEEN CV REF.2020 06 16.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OywQzhQjZxD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CA0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\YASEEN CV REF.2020 06 16.exe (depth 2)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7CA0.tmp
  Filesize: 1KB
  MD5: 31b419bbd93ee25708cfeff36383e71d
  SHA1: c2e64ae2cf26c44b9b665050f35bb5036335a1e9
  SHA256: 8d3d9a1361cc9ffebbd67661c3e9b0553996304f397c9cc1bf8fe9c8dd740c2d
  SHA512: 38b61b1c962a91ce5d26c5da4adb02a67fe2b83b781a331d5cce75267f478654632171006dd4bbc4f9f632f3e477e729313ce50f5f90e910c42bdda5f702f636
- memory/900-56-0x0000000000000000-mapping.dmp
- memory/1572-61-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1572-58-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1572-59-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1572-62-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1572-64-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1572-65-0x000000000041E792-mapping.dmp
- memory/1572-67-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1572-69-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1572-71-0x0000000074800000-0x0000000074DAB000-memory.dmp
  Filesize: 5.7MB
- memory/2020-55-0x0000000074800000-0x0000000074DAB000-memory.dmp
  Filesize: 5.7MB
- memory/2020-54-0x00000000755C1000-0x00000000755C3000-memory.dmp
  Filesize: 8KB