Analysis
- max time kernel: 141s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 09:35
Static task: static1
Behavioral task: behavioral1
- Sample: 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
- Resource: win7-20220414-en
General
- Target: 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
- Size: 732KB
- MD5: 5a7daf9c6ffca459f9f7b52c682cc0ff
- SHA1: 1dbdf451554848528d60d7cf4023ec822499c511
- SHA256: 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28
- SHA512: f599dcc53e1917c2b18e98b25dae05214e590019ab646500ced4955edfc92ff109db31366d9c89f9ee3b1e025fd8f58a8c15e1c3913675525a65d0555f59ceca
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 212.7.208.94:3413
- Mutex: 5b6af941-fda6-43f6-be1a-bb052e8fa4d9
Configuration:
- activate_away_mode: true
- backup_connection_host: 212.7.208.94
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-09-15T09:16:35.620530336Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3413
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5b6af941-fda6-43f6-be1a-bb052e8fa4d9
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 212.7.208.94
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks whether UAC is enabled
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes (description | pid | process | target process):
  PID 1684 set thread context of 2032 | 1684 | 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe | RegAsm.exe
- Drops file in Windows directory 1 IoCs
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\debug\WIA\fjEVuHISE.exe | 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
  1276 | schtasks.exe
  1240 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes (pid | process):
  1684 | 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
  2032 | RegAsm.exe
  2032 | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1684 | 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
  Token: SeDebugPrivilege | 2032 | RegAsm.exe
- Suspicious use of WriteProcessMemory 20 IoCs
  Processes (description | pid | process | target process):
  PID 1684 wrote to memory of 1276 | 1684 | 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe | schtasks.exe (4 events)
  PID 1684 wrote to memory of 2032 | 1684 | 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe | RegAsm.exe (12 events)
  PID 2032 wrote to memory of 1240 | 2032 | RegAsm.exe | schtasks.exe (4 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fjEVuHISE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC717.tmp"
    - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4635.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4635.tmp
  Filesize: 1KB
  MD5: c6f0625bf4c1cdfb699980c9243d3b22
  SHA1: 43de1fe580576935516327f17b5da0c656c72851
  SHA256: 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
  SHA512: 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969
- C:\Users\Admin\AppData\Local\Temp\tmpC717.tmp
  Filesize: 1KB
  MD5: c59c76e7b20e890c41dbc79b538eb97c
  SHA1: db1a5b197429b831d17a7231084b6ca22fb79e25
  SHA256: 9129efa20d8d6b851f1eb02381f480e5f57712bf5231d5e6424ceaed80c73a15
  SHA512: 386929273a1bd07eb721977154fe4f6d7914b5073a368a9b570a6114fa0f72489262de1706fcbe1ae3198adec7d8adabfe9e80dbf493ae2b69eaf8729b6459c4
- memory/1240-74-0x0000000000000000-mapping.dmp
- memory/1276-57-0x0000000000000000-mapping.dmp
- memory/1684-54-0x0000000076431000-0x0000000076433000-memory.dmp (Filesize: 8KB)
- memory/1684-55-0x0000000074640000-0x0000000074BEB000-memory.dmp (Filesize: 5.7MB)
- memory/1684-56-0x0000000074640000-0x0000000074BEB000-memory.dmp (Filesize: 5.7MB)
- memory/1684-70-0x0000000074640000-0x0000000074BEB000-memory.dmp (Filesize: 5.7MB)
- memory/2032-63-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2032-65-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2032-66-0x000000000041E792-mapping.dmp
- memory/2032-68-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2032-71-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2032-62-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2032-73-0x00000000742A0000-0x000000007484B000-memory.dmp (Filesize: 5.7MB)
- memory/2032-60-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2032-59-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2032-76-0x00000000742A0000-0x000000007484B000-memory.dmp (Filesize: 5.7MB)