Analysis
max time kernel: 166s
max time network: 168s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 18:39
Static task: static1
Behavioral task: behavioral1
Sample: MARINA ADVISORY No. 2020-54.PDF.exe
Resource: win7-20220414-en
General
Target: MARINA ADVISORY No. 2020-54.PDF.exe
Size: 1.1MB
MD5: f2660762105cdfd3e513fb600e803048
SHA1: c813fed1d814ed0d2b898a9dd40d5e4209750968
SHA256: b14306aa1789a4d6b9bfa4f8c9392033ef0fc70e584addad632135f7f832dec1
SHA512: 739cb208a9271d4eaea10fe76ee28a89e3c85b751cf662cc5eb204b582c8b27a1817eb803d49983aa9898b6c48c123e2f7e3314672d75b45029e2b22af1770d3
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: alhabib4rec.freeddns.org:54985
C2: alhabib4rec.ddns.net:54985
Mutex: 22bc31d6-040e-4279-8d75-351d7e3250f5
Attributes:
activate_away_mode: true
backup_connection_host: alhabib4rec.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-05-02T05:45:02.292927536Z
bypass_user_account_control: false
bypass_user_account_control_data: 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
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54985
default_group: JULY-LOGS
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 22bc31d6-040e-4279-8d75-351d7e3250f5
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: alhabib4rec.freeddns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
4400 kmpqiclno.pif
3124 RegSvcs.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | MARINA ADVISORY No. 2020-54.PDF.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\62062111\\KMPQIC~1.PIF c:\\62062111\\VBNKPN~1.OKE" | kmpqiclno.pif
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | kmpqiclno.pif

Checks whether UAC is enabled
Processes (description | ioc | process):
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
PID 4400 set thread context of 3124 | 4400 | kmpqiclno.pif | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process), in the order reported:
3124 RegSvcs.exe (4 entries)
4400 kmpqiclno.pif (4 entries)
3124 RegSvcs.exe (3 entries)
4400 kmpqiclno.pif (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
3124 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 3124 | RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
4400 kmpqiclno.pif

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description | pid | process | target process):
PID 2660 wrote to memory of 4400 | 2660 | MARINA ADVISORY No. 2020-54.PDF.exe | kmpqiclno.pif (3 entries)
PID 4400 wrote to memory of 3124 | 4400 | kmpqiclno.pif | RegSvcs.exe (5 entries)
PID 3124 wrote to memory of 4464 | 3124 | RegSvcs.exe | schtasks.exe (3 entries)
Processes (tree)

1. C:\Users\Admin\AppData\Local\Temp\MARINA ADVISORY No. 2020-54.PDF.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MARINA ADVISORY No. 2020-54.PDF.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\62062111\kmpqiclno.pif
      Command line: "C:\62062111\kmpqiclno.pif" vbnkpnqls.oke
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp158.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\62062111\bqlrhpupmw.log
Filesize: 462KB
MD5: a89bc70037282b20b7766e54309c59ae
SHA1: 48140c59459671c0b449a040d64a71f0e010ab1b
SHA256: b1876566bf70721284ce7fd36e92b3e5af4e476906977c6340dec8620cfbfbab
SHA512: 5a6ea0c89cb98833f4555a9c88e1a575f00cf5b3a14fe1f85011ff683ff0260d0258457978b8fc98780705b81033aa30befd2fd9591f08234863bc2ac65fd325

C:\62062111\kmpqiclno.pif
Filesize: 712KB
MD5: 0ccbaaf7aec34840fcd7c27a8539c8a1
SHA1: 30f905338f43c12abc44226e1a6211e16f3491d2
SHA256: da606b2ce7c6d525844f1fdc751719c42ec59d662a8794104ca12eb5de280438
SHA512: 04583d42685b0a904c08bcc7c4b360577ceff8e72f74133d856175df8c005e49a8ac2ae4d75bb764b4a9e0a8c7d7adfb12cf45caf70beaf52f273d1e39e7a0a9

C:\62062111\vbnkpnqls.oke
Filesize: 205.9MB
MD5: 9d7bf9eddb1a5c1a2090f57fbf10bc59
SHA1: bc8dbe90e306d1ac12c0f7434294e974f4c4a9ff
SHA256: b34bb4c384fda25109ebad3744f41144d6a5bfa77ef8bbb95aa41f4924bb8b06
SHA512: 2b9b70e367888ee13bf7928c17bc72f4e92676ec679396998d2c0f737f95e2276750a8ef95554cb14fe463d023ab9d7666167f9ce75a1f0da79c5b14263849cd

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize: 44KB
MD5: 9d352bc46709f0cb5ec974633a0c3c94
SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Temp\tmp158.tmp
Filesize: 1KB
MD5: 95aceabc58acad5d73372b0966ee1b35
SHA1: 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256: 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512: 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

Memory dumps:
memory/3124-136-0x0000000000F1E792-mapping.dmp
memory/3124-135-0x0000000000F00000-0x0000000001513000-memory.dmp (Filesize: 6.1MB)
memory/3124-139-0x0000000000F00000-0x0000000000F38000-memory.dmp (Filesize: 224KB)
memory/3124-140-0x0000000006220000-0x00000000067C4000-memory.dmp (Filesize: 5.6MB)
memory/3124-141-0x0000000005C70000-0x0000000005D02000-memory.dmp (Filesize: 584KB)
memory/3124-142-0x0000000005D10000-0x0000000005DAC000-memory.dmp (Filesize: 624KB)
memory/3124-143-0x0000000005BE0000-0x0000000005BEA000-memory.dmp (Filesize: 40KB)
memory/4400-130-0x0000000000000000-mapping.dmp
memory/4464-144-0x0000000000000000-mapping.dmp