Analysis
- max time kernel: 148s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: Documents AWB 5-5-2020.exe
- Resource: win7-20220414-en
General
- Target: Documents AWB 5-5-2020.exe
- Size: 624KB
- MD5: 9c97db9b4c7abc229cd0ecde2d4835c0
- SHA1: d17aabdf43d9bea4c10cf31ce16c0d7592579c64
- SHA256: dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392
- SHA512: 31cb47c8319cfedec4526c466daf066f03d081b381ba2dbf80353c7bd3c247aeef4b01c52430762c63fc148a900e13650ba42fdc26879d2c0f15d8e6201219fd
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: atallatall.ddns.net:5355, 127.0.0.1:5355
- Mutex: 89e6cd78-9910-49b0-9bd8-c349f0a39e34
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-09T20:42:30.623082036Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5355
- default_group: ATALL CURRENCY ETRADE
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 89e6cd78-9910-49b0-9bd8-c349f0a39e34
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: atallatall.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Deletes itself (1 IoC)
  Processes: pid 1800 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegAsm.exe, Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\\Program Files (x86)\\WPA Subsystem\\wpass.exe"
- Checks whether UAC is enabled
  Processes: RegAsm.exe, Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: PID 1084 Documents AWB 5-5-2020.exe set thread context of 1960 RegAsm.exe; PID 1960 RegAsm.exe set thread context of 1756 RegAsm.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: RegAsm.exe, File created C:\Program Files (x86)\WPA Subsystem\wpass.exe; RegAsm.exe, File opened for modification C:\Program Files (x86)\WPA Subsystem\wpass.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: pid 1756 RegAsm.exe (2 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1756 RegAsm.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes: pid 1084 Documents AWB 5-5-2020.exe; pid 1960 RegAsm.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: pid 1756 RegAsm.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (source PID and process wrote to memory of target PID and process; occurrence count):
  - 1084 Documents AWB 5-5-2020.exe -> 1960 RegAsm.exe (8)
  - 1960 RegAsm.exe -> 2020 RegAsm.exe (7)
  - 1960 RegAsm.exe -> 1756 RegAsm.exe (8)
  - 1084 Documents AWB 5-5-2020.exe -> 1800 cmd.exe (4)
  - 1800 cmd.exe -> 1072 choice.exe (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\Documents AWB 5-5-2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Documents AWB 5-5-2020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Documents AWB 5-5-2020.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1072-66-0x0000000000000000-mapping.dmp
- memory/1084-55-0x00000000004D0000-0x000000000052A000-memory.dmp (360KB)
- memory/1084-56-0x0000000075FC1000-0x0000000075FC3000-memory.dmp (8KB)
- memory/1084-54-0x0000000000EB0000-0x0000000000F52000-memory.dmp (648KB)
- memory/1756-70-0x0000000002665000-0x0000000002676000-memory.dmp (68KB)
- memory/1756-69-0x00000000007F0000-0x00000000007FA000-memory.dmp (40KB)
- memory/1756-68-0x0000000000840000-0x000000000085E000-memory.dmp (120KB)
- memory/1756-61-0x000000000041E792-mapping.dmp
- memory/1756-64-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1756-67-0x00000000007A0000-0x00000000007AA000-memory.dmp (40KB)
- memory/1800-65-0x0000000000000000-mapping.dmp
- memory/1960-63-0x00000000003F0000-0x00000000003F3000-memory.dmp (12KB)
- memory/1960-59-0x0000000000400000-0x0000000000452000-memory.dmp (328KB)
- memory/1960-60-0x0000000000590000-0x00000000005D2000-memory.dmp (264KB)
- memory/1960-57-0x000000000044CA4E-mapping.dmp