Analysis
- max time kernel: 165s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: YASEEN CV REF.2020 06 16.exe
- Resource: win7-20220414-en
General
- Target: YASEEN CV REF.2020 06 16.exe
- Size: 341KB
- MD5: 506ae668ac52b8ea017fb9167582a690
- SHA1: 5aa054596fc9b66a68136d5a3e243f4f4605d6af
- SHA256: d49621996ba7b43c8d7cb35403ccbb13c50f1a1dddc9492ce7a74abd8597a115
- SHA512: dde5fb4cc8bbf7dcd667989e18ed380eb9cdf5ed182db06d0ea5d76d21d0300ad9676b46253bcd277eac94aa58bfd8e09c9b79fe64267d257ef9060d4d1bcada
Malware Config
Extracted
- nanocore
- 1.2.2.0
- INDOMIE.LINKPC.NET:1818
- 185.140.53.9:1818
- c2760388-119a-4b64-9007-01bc88004481
- activate_away_mode: true
- backup_connection_host: 185.140.53.9
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-19T16:48:01.198372836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1818
- default_group: INDOMIE
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: c2760388-119a-4b64-9007-01bc88004481
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: INDOMIE.LINKPC.NET
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: YASEEN CV REF.2020 06 16.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" (process: YASEEN CV REF.2020 06 16.exe)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: YASEEN CV REF.2020 06 16.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1788 set thread context of 4716 (process: YASEEN CV REF.2020 06 16.exe; target process: YASEEN CV REF.2020 06 16.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - File created: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: YASEEN CV REF.2020 06 16.exe)
  - File opened for modification: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: YASEEN CV REF.2020 06 16.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 4716 YASEEN CV REF.2020 06 16.exe (3 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 4716 YASEEN CV REF.2020 06 16.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - Token: SeDebugPrivilege, PID 4716 YASEEN CV REF.2020 06 16.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 1788 wrote to memory of 3292 (process: YASEEN CV REF.2020 06 16.exe; target process: schtasks.exe), 3 entries
  - PID 1788 wrote to memory of 4716 (process: YASEEN CV REF.2020 06 16.exe; target process: YASEEN CV REF.2020 06 16.exe), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\YASEEN CV REF.2020 06 16.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\YASEEN CV REF.2020 06 16.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OywQzhQjZxD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62D1.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\YASEEN CV REF.2020 06 16.exe (depth 2)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\YASEEN CV REF.2020 06 16.exe.log
  Filesize: 408B
  MD5: 8adbb2cb7759fdcbc51cfbf0bfd7c867
  SHA1: f7549e6ea430e7d64b3afb3fc27c77ed5122f85b
  SHA256: c67092561e4b1472672374c3439004e2bc0191d9a901cde2b8b69a2d34dc6297
  SHA512: f465311e884dd82e3152959b6a59ac8d6be0a056a1cfddabbcc6714079a2269cd5c09b2b8fbc87a9ec3323c531383526ae19ef24fed100dec80730fae0d79991
- C:\Users\Admin\AppData\Local\Temp\tmp62D1.tmp
  Filesize: 1KB
  MD5: a604625c58acc492779ddbacfe783114
  SHA1: 189445a57435ebde7b6fb5de32c99e6efd98ae64
  SHA256: 4d116130d9cac981006eed24a08b1cc9923202e47caf1da307660e7fabc5d97a
  SHA512: 13c2e943779b331dcdb218d2df8c0981f84e83309ec562456bd750fe829e28c0e779ba248e59a45fb4e12e0525050c45806c475eaf53488deb508ed358a4d124
- memory/1788-130-0x0000000074D70000-0x0000000075321000-memory.dmp
  Filesize: 5.7MB
- memory/3292-131-0x0000000000000000-mapping.dmp
- memory/4716-133-0x0000000000000000-mapping.dmp
- memory/4716-134-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/4716-136-0x0000000074D70000-0x0000000075321000-memory.dmp
  Filesize: 5.7MB