Analysis
max time kernel: 177s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:12

Static task: static1
Behavioral task: behavioral1
Sample: Documents AWB 5-5-2020.exe
Resource: win7-20220414-en
General
Target: Documents AWB 5-5-2020.exe
Size: 624KB
MD5: 9c97db9b4c7abc229cd0ecde2d4835c0
SHA1: d17aabdf43d9bea4c10cf31ce16c0d7592579c64
SHA256: dca09e669f01dcc5efa9ab9120ce3febd53868b3ba12a6e0b4574b82b3d0e392
SHA512: 31cb47c8319cfedec4526c466daf066f03d081b381ba2dbf80353c7bd3c247aeef4b01c52430762c63fc148a900e13650ba42fdc26879d2c0f15d8e6201219fd
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: atallatall.ddns.net:5355
C2: 127.0.0.1:5355
Mutex: 89e6cd78-9910-49b0-9bd8-c349f0a39e34

Attributes:
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-02-09T20:42:30.623082036Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5355
default_group: ATALL CURRENCY ETRADE
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 89e6cd78-9910-49b0-9bd8-c349f0a39e34
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: atallatall.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: Documents AWB 5-5-2020.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe" (process: RegAsm.exe)
Checks whether UAC is enabled
Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: RegAsm.exe)
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  - PID 4936 (Documents AWB 5-5-2020.exe) set thread context of PID 4556 (RegAsm.exe)
  - PID 4556 (RegAsm.exe) set thread context of PID 2840 (RegAsm.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
  - File created: C:\Program Files (x86)\SCSI Subsystem\scsiss.exe (process: RegAsm.exe)
  - File opened for modification: C:\Program Files (x86)\SCSI Subsystem\scsiss.exe (process: RegAsm.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  - PID 2840 RegAsm.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  - PID 2840 RegAsm.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  - PID 4936 Documents AWB 5-5-2020.exe
  - PID 4556 RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  - Token: SeDebugPrivilege, PID 2840 RegAsm.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  - PID 4936 (Documents AWB 5-5-2020.exe) wrote to memory of PID 4556 (RegAsm.exe) (4 entries)
  - PID 4556 (RegAsm.exe) wrote to memory of PID 2840 (RegAsm.exe) (4 entries)
  - PID 4936 (Documents AWB 5-5-2020.exe) wrote to memory of PID 5056 (cmd.exe) (3 entries)
  - PID 5056 (cmd.exe) wrote to memory of PID 4604 (choice.exe) (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Documents AWB 5-5-2020.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Documents AWB 5-5-2020.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
         - Adds Run key to start application
         - Checks whether UAC is enabled
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Documents AWB 5-5-2020.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\choice.exe
         Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
  Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/2840-139-0x00000000059B0000-0x0000000005A4C000-memory.dmp
  Filesize: 624KB

memory/2840-134-0x0000000000000000-mapping.dmp

memory/2840-136-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

memory/2840-137-0x0000000005F60000-0x0000000006504000-memory.dmp
  Filesize: 5.6MB

memory/2840-138-0x00000000058B0000-0x0000000005942000-memory.dmp
  Filesize: 584KB

memory/2840-140-0x0000000005830000-0x000000000583A000-memory.dmp
  Filesize: 40KB

memory/4556-132-0x0000000000000000-mapping.dmp

memory/4556-133-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB

memory/4604-142-0x0000000000000000-mapping.dmp

memory/4936-131-0x00000000049D0000-0x00000000049D3000-memory.dmp
  Filesize: 12KB

memory/4936-130-0x0000000000030000-0x00000000000D2000-memory.dmp
  Filesize: 648KB

memory/5056-141-0x0000000000000000-mapping.dmp