Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-09-2022 16:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
  - Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
- Size: 1.5MB
- MD5: 3f2e73870793bf2c359618739bd46d7d
- SHA1: 2b484126a9f2239de3485bb517b6c12a144c1a1f
- SHA256: 1bc9fc8588f7db4618c9a65e672f3ee0e1bc15f4265b727b75c5a22f1d7b54d5
- SHA512: db98cfba58b208c5556d527c7082e573f2557395901c6a6a284ce848f7a2037aee2eda04d1940d1f79b7f24bf4d32e5ea7c45982eb8a10e5d9d7e556346dce25
- SSDEEP: 49152:CBl7s9Cp4wu/OlghWTt2Ruus3lVrguSzlreQ:sl7s9CpRuWlghKt4/sPg1pSQ
Malware Config
Extracted
- nanocore
- 1.2.2.0
- godisgood1.hopto.org:7712
- 185.225.73.164:7712
- bcd7727e-ef56-4958-8ed9-949f5c5ea8f6

Configuration keys:
- activate_away_mode: true
- backup_connection_host: 185.225.73.164
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-05-24T09:37:49.129028236Z
- bypass_user_account_control: false
- bypass_user_account_control_data: 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
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7712
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: bcd7727e-ef56-4958-8ed9-949f5c5ea8f6
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: godisgood1.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (1 IoC)
Processes:
- PID 1092: bil.exe

Loads dropped DLL (1 IoC)
Processes:
- PID 524: cmd.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\bil = "C:\\Users\\Admin\\AppData\\Local\\bil.exe" (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" (InstallUtil.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1092 (bil.exe) set thread context of PID 1392 (InstallUtil.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- File created: C:\Program Files (x86)\SCSI Service\scsisvc.exe (InstallUtil.exe)
- File opened for modification: C:\Program Files (x86)\SCSI Service\scsisvc.exe (InstallUtil.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTP, 3 IoCs)
Processes:
- PID 1968: PING.EXE
- PID 1692: PING.EXE
- PID 1740: PING.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
- PID 1500: SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe (3 entries)
- PID 1092: bil.exe (2 entries)
- PID 1392: InstallUtil.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1500, SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
- Token: SeDebugPrivilege, PID 1092, bil.exe
- Token: SeDebugPrivilege, PID 1392, InstallUtil.exe

Suspicious use of WriteProcessMemory (48 IoCs)
Processes (source PID and process, target PID and process, number of entries):
- PID 1500 (SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe) wrote to memory of PID 1712 (cmd.exe): 4 entries
- PID 1712 (cmd.exe) wrote to memory of PID 1968 (PING.EXE): 4 entries
- PID 1500 (SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe) wrote to memory of PID 524 (cmd.exe): 4 entries
- PID 524 (cmd.exe) wrote to memory of PID 1692 (PING.EXE): 4 entries
- PID 1712 (cmd.exe) wrote to memory of PID 760 (reg.exe): 4 entries
- PID 524 (cmd.exe) wrote to memory of PID 1740 (PING.EXE): 4 entries
- PID 524 (cmd.exe) wrote to memory of PID 1092 (bil.exe): 4 entries
- PID 1092 (bil.exe) wrote to memory of PID 1392 (InstallUtil.exe): 12 entries
- PID 1392 (InstallUtil.exe) wrote to memory of PID 776 (schtasks.exe): 4 entries
- PID 1392 (InstallUtil.exe) wrote to memory of PID 1544 (schtasks.exe): 4 entries
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 11 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bil" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bil.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 11
         - Runs ping.exe

      3. C:\Windows\SysWOW64\reg.exe
         Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bil" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bil.exe"
         - Adds Run key to start application

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 23 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe" "C:\Users\Admin\AppData\Local\bil.exe" && ping 127.0.0.1 -n 23 > nul && "C:\Users\Admin\AppData\Local\bil.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 23
         - Runs ping.exe

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 23
         - Runs ping.exe

      3. C:\Users\Admin\AppData\Local\bil.exe
         Command line: "C:\Users\Admin\AppData\Local\bil.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\schtasks.exe
               Command line: "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3064.tmp"
               - Creates scheduled task(s)

            5. C:\Windows\SysWOW64\schtasks.exe
               Command line: "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp315F.tmp"
               - Creates scheduled task(s)
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmp3064.tmp
  - Filesize: 1KB
  - MD5: 576bbaf398045c3843d452ec83208236
  - SHA1: 8ed5b2500ae7a40cbfa6e9018a1d1f1e70cb1374
  - SHA256: 33c0c2d72fa383e5988ce640febc5ac6a2bd71d4ae660b99e52234952e17467b
  - SHA512: e7cc0ea0b351c6a8618e14f03c00e88ef83e2f169e0b4d66513f580f0a9352fbfe429e57186362b69407150d566bbdadca2f7b574fc748cc140b3249be67f96a

- C:\Users\Admin\AppData\Local\Temp\tmp315F.tmp
  - Filesize: 1KB
  - MD5: 4e71faa3a77029484cfaba423d96618f
  - SHA1: 9c837d050bb43d69dc608af809c292e13bca4718
  - SHA256: c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb
  - SHA512: 6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

- C:\Users\Admin\AppData\Local\bil.exe
  - Filesize: 1.5MB
  - MD5: 3f2e73870793bf2c359618739bd46d7d
  - SHA1: 2b484126a9f2239de3485bb517b6c12a144c1a1f
  - SHA256: 1bc9fc8588f7db4618c9a65e672f3ee0e1bc15f4265b727b75c5a22f1d7b54d5
  - SHA512: db98cfba58b208c5556d527c7082e573f2557395901c6a6a284ce848f7a2037aee2eda04d1940d1f79b7f24bf4d32e5ea7c45982eb8a10e5d9d7e556346dce25

- \Users\Admin\AppData\Local\bil.exe
  - Filesize: 1.5MB
  - MD5: 3f2e73870793bf2c359618739bd46d7d
  - SHA1: 2b484126a9f2239de3485bb517b6c12a144c1a1f
  - SHA256: 1bc9fc8588f7db4618c9a65e672f3ee0e1bc15f4265b727b75c5a22f1d7b54d5
  - SHA512: db98cfba58b208c5556d527c7082e573f2557395901c6a6a284ce848f7a2037aee2eda04d1940d1f79b7f24bf4d32e5ea7c45982eb8a10e5d9d7e556346dce25