Analysis
max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2022 05:45
Static task: static1
Behavioral task: behavioral1
Sample: Scan Copy$$.scr
Resource: win7-20220715-en
General
Target: Scan Copy$$.scr
Size: 1.1MB
MD5: 7abe31b58ea898b5f25c33d9572d70ca
SHA1: a6be14ddb35a3d13d826bcc5833836b5ef4c8e4a
SHA256: 01dbae054610259b1b33585a88a042e8762ec1c5a239c9fd0f821dc240235c16
SHA512: bf56d9321467b93011258753e3fd976755e2f4a1e81a95a4b1fcdf3eff45a7e1a70d58049d6a9da2d00dc6a9c7536eaebe4a680f72f8a351b3456f246cf99110
Malware Config
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
- Checks whether UAC is enabled
  Processes:
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: RegAsm.exe
- AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe
    yara_rule: autoit_exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 1752 set thread context of 1552
    pid: 1752
    process: Scan Copy$$.scr
    target process: RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes (pid / process):
    1752 Scan Copy$$.scr (x2)
    1552 RegAsm.exe (x2)
    1752 Scan Copy$$.scr (x14)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid / process):
    1552 RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
    1752 Scan Copy$$.scr
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 1552
    process: RegAsm.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid / process):
    1752 Scan Copy$$.scr (x3)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid / process):
    1752 Scan Copy$$.scr (x3)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1752 wrote to memory of 2032 / 1752 / Scan Copy$$.scr / cmd.exe (x4)
    PID 1752 wrote to memory of 1552 / 1752 / Scan Copy$$.scr / RegAsm.exe (x8)
Processes
- C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr" "C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe
  Filesize: 1.1MB
  MD5: 3b41fc6b7655fec3be0be0f493c5870b
  SHA1: 855555b7ac79f6cddc2fc1e04efa984643244c4a
  SHA256: e4f7964893da20ebe76a30128cc08a33fc67b670b0de5fc017d45822fccad856
  SHA512: a509e1bf2bbdbfd7bc08be3f79d675ccab1f1831b7a075b7e2128d2fa5d2115a04844b6efa69385cbd7d28bb055be84245c8320e50a5d3fbeb90b2cd385f3e58
- memory/1552-57-0x000000000041E792-mapping.dmp
- memory/1552-60-0x0000000074230000-0x00000000747DB000-memory.dmp
  Filesize: 5.7MB
- memory/1552-61-0x00000000004E6000-0x00000000004F7000-memory.dmp
  Filesize: 68KB
- memory/1552-63-0x0000000074230000-0x00000000747DB000-memory.dmp
  Filesize: 5.7MB
- memory/1752-54-0x0000000075741000-0x0000000075743000-memory.dmp
  Filesize: 8KB
- memory/1752-59-0x00000000005D0000-0x00000000005D3000-memory.dmp
  Filesize: 12KB
- memory/1752-62-0x00000000005D0000-0x00000000005D3000-memory.dmp
  Filesize: 12KB
- memory/2032-55-0x0000000000000000-mapping.dmp