Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-06-2022 04:36

Static task: static1

Behavioral task: behavioral1
- Sample: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
- Resource: win10v2004-20220414-en
General
- Target: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
- Size: 60KB
- MD5: 42893adbc36605ec79b5bd610759947e
- SHA1: b4e581f173f782a2f1da5d29c95946ee500eb2d0
- SHA256: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b
- SHA512: 725ff9ba2ce45438983ca5d3596119cb59a9bfe9e661cb9cd8daf42185c4166de34951ac92560d4e129ba9bccb7db0114b15844c660e49fd902001265eb51702
Malware Config

Extracted
- metasploit
- encoder/shikata_ga_nai
Signatures

- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

- Executes dropped EXE (1 IoCs)
  Processes:
    pid: 2760
    process: NvSmart.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    process: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

- Loads dropped DLL (1 IoCs)
  Processes:
    pid: 2760
    process: NvSmart.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    process: NvSmart.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\360v = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"
    process: NvSmart.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeIncBasePriorityPrivilege
    pid: 4176
    process: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (each of the three rows below was recorded three times, 9 IoCs in total):
    description: PID 4176 wrote to memory of 2760
    pid: 4176
    process: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
    target process: NvSmart.exe

    description: PID 4176 wrote to memory of 1212
    pid: 4176
    process: 1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
    target process: cmd.exe

    description: PID 2760 wrote to memory of 1020
    pid: 2760
    process: NvSmart.exe
    target process: cmd.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Roaming\NvSmart.exe
    Command line: "C:\Users\Admin\AppData\Roaming\NvSmart.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /A

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c del /q "C:\Users\Admin\AppData\Local\Temp\1a061c74619de6af8c02cba0fa00754bdd9e3515c0e08cad6350c7adfc8cdd5b.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Roaming\NvSmart.exe
  Filesize: 46KB
  MD5: 09b8b54f78a10c435cd319070aa13c28
  SHA1: 6474d0369f97e72e01e4971128d1062f5c2b3656
  SHA256: 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
  SHA512: c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

- C:\Users\Admin\AppData\Roaming\NvSmartMax.dll
  Filesize: 4KB
  MD5: 2d8fb1f82724cf542cd2e3a5e041fb52
  SHA1: 4e14894860034fefbab41cfe9a763d8061d19ef9
  SHA256: ece29e4af4b33c02dafac24748a9c125b057e39455acf3c45464db36bfe74881
  SHA512: 6694a6719bd726c8302240e13e9f75bd6dd9611eec61b2a509392802d36470c09969b9dc11ef13612eff283f06d36b2586a46a7b4d84a6a8e4dd2f3825fd7aa4

- C:\Users\Admin\AppData\Roaming\NvSmartMax.dll.url
  Filesize: 9KB
  MD5: 7aefbad9367ab56db1f6f20dcfcd38a0
  SHA1: a639e0fe6800012c7ff1256e2875771342194b96
  SHA256: d8a59fd0ab8e06439c4eb98c39b24cdcfbb3c93ab4cc57d366cf527f6d88c973
  SHA512: 5a79c5e3b23df51ba4f8054990c690b6641d28bfade41323cc29bf6f2c2cb98b48190dfb2843e513b293ac77f350815da111a535412f3a44cab376294b096b13

- memory/1020-140-0x0000000000000000-mapping.dmp

- memory/1212-136-0x0000000000000000-mapping.dmp

- memory/2760-130-0x0000000000000000-mapping.dmp

- memory/2760-137-0x0000000010000000-0x0000000010006000-memory.dmp
  Filesize: 24KB

- memory/2760-141-0x0000000000510000-0x0000000000513000-memory.dmp
  Filesize: 12KB