Analysis
max time kernel: 154s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-09-2022 16:27
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
Resource: win7-20220812-en
General
-
Target
SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
-
Size
1.5MB
-
MD5
3f2e73870793bf2c359618739bd46d7d
-
SHA1
2b484126a9f2239de3485bb517b6c12a144c1a1f
-
SHA256
1bc9fc8588f7db4618c9a65e672f3ee0e1bc15f4265b727b75c5a22f1d7b54d5
-
SHA512
db98cfba58b208c5556d527c7082e573f2557395901c6a6a284ce848f7a2037aee2eda04d1940d1f79b7f24bf4d32e5ea7c45982eb8a10e5d9d7e556346dce25
-
SSDEEP
49152:CBl7s9Cp4wu/OlghWTt2Ruus3lVrguSzlreQ:sl7s9CpRuWlghKt4/sPg1pSQ
Malware Config
Extracted
nanocore
1.2.2.0
godisgood1.hopto.org:7712
185.225.73.164:7712
bcd7727e-ef56-4958-8ed9-949f5c5ea8f6
-
activate_away_mode
true
-
backup_connection_host
185.225.73.164
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-05-24T09:37:49.129028236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
7712
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
bcd7727e-ef56-4958-8ed9-949f5c5ea8f6
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
godisgood1.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 1 IoCs
Processes: bil.exe
pid | process
2232 | bil.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: reg.exe, InstallUtil.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bil = "C:\\Users\\Admin\\AppData\\Local\\bil.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe" | InstallUtil.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: bil.exe
description | pid | process | target process
PID 2232 set thread context of 1348 | 2232 | bil.exe | InstallUtil.exe
-
Drops file in Program Files directory 2 IoCs
Processes: InstallUtil.exe
description | ioc | process
File created | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | InstallUtil.exe
File opened for modification | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | InstallUtil.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
2820 | schtasks.exe
4116 | schtasks.exe
-
Runs ping.exe 1 TTPs 3 IoCs
Processes: PING.EXE, PING.EXE, PING.EXE
pid | process
3552 | PING.EXE
3368 | PING.EXE
3580 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe, bil.exe, InstallUtil.exe
pid | process | occurrences
4236 | SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe | 25
2232 | bil.exe | 2
1348 | InstallUtil.exe | 6
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: InstallUtil.exe
pid | process
1348 | InstallUtil.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe, bil.exe, InstallUtil.exe
description | pid | process
Token: SeDebugPrivilege | 4236 | SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
Token: SeDebugPrivilege | 2232 | bil.exe
Token: SeDebugPrivilege | 1348 | InstallUtil.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes: SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe, cmd.exe, cmd.exe, bil.exe, InstallUtil.exe
description | pid | process | target process | occurrences
PID 4236 wrote to memory of 3024 | 4236 | SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe | cmd.exe | 3
PID 3024 wrote to memory of 3552 | 3024 | cmd.exe | PING.EXE | 3
PID 4236 wrote to memory of 820 | 4236 | SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe | cmd.exe | 3
PID 820 wrote to memory of 3368 | 820 | cmd.exe | PING.EXE | 3
PID 3024 wrote to memory of 948 | 3024 | cmd.exe | reg.exe | 3
PID 820 wrote to memory of 3580 | 820 | cmd.exe | PING.EXE | 3
PID 820 wrote to memory of 2232 | 820 | cmd.exe | bil.exe | 3
PID 2232 wrote to memory of 1348 | 2232 | bil.exe | InstallUtil.exe | 8
PID 1348 wrote to memory of 2820 | 1348 | InstallUtil.exe | schtasks.exe | 3
PID 1348 wrote to memory of 4116 | 1348 | InstallUtil.exe | schtasks.exe | 3
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c ping 127.0.0.1 -n 11 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bil" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bil.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 11
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bil" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bil.exe"
        - Adds Run key to start application
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.DSR.gen.Eldorado.17895.exe" "C:\Users\Admin\AppData\Local\bil.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Local\bil.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 15
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\PING.EXE
        command line: ping 127.0.0.1 -n 15
        - Runs ping.exe
    [3] C:\Users\Admin\AppData\Local\bil.exe
        command line: "C:\Users\Admin\AppData\Local\bil.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: "schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1BFF.tmp"
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: "schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1E13.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1BFF.tmp
Filesize: 1KB
MD5: 576bbaf398045c3843d452ec83208236
SHA1: 8ed5b2500ae7a40cbfa6e9018a1d1f1e70cb1374
SHA256: 33c0c2d72fa383e5988ce640febc5ac6a2bd71d4ae660b99e52234952e17467b
SHA512: e7cc0ea0b351c6a8618e14f03c00e88ef83e2f169e0b4d66513f580f0a9352fbfe429e57186362b69407150d566bbdadca2f7b574fc748cc140b3249be67f96a
-
C:\Users\Admin\AppData\Local\Temp\tmp1E13.tmp
Filesize: 1KB
MD5: 677848190631e19222304d1982aa2e1b
SHA1: bed6cf97d3458e4ea59ff9823375d915a9b3d682
SHA256: 8bcf16c788d228932fa707bb4250c05151e099bdf7040adc717e53680601be3d
SHA512: f5d41e150011bc63f4c95799e21fe91ffaa25eb05f4ca46ea89f3a3ca5325413ba4e0b7b5d69c0bc189955f3308c4928016a7cc1d6f7c2352639106952e92b1e
-
C:\Users\Admin\AppData\Local\bil.exe
Filesize: 1.5MB
MD5: 3f2e73870793bf2c359618739bd46d7d
SHA1: 2b484126a9f2239de3485bb517b6c12a144c1a1f
SHA256: 1bc9fc8588f7db4618c9a65e672f3ee0e1bc15f4265b727b75c5a22f1d7b54d5
SHA512: db98cfba58b208c5556d527c7082e573f2557395901c6a6a284ce848f7a2037aee2eda04d1940d1f79b7f24bf4d32e5ea7c45982eb8a10e5d9d7e556346dce25
-
memory/820-139-0x0000000000000000-mapping.dmp
-
memory/948-141-0x0000000000000000-mapping.dmp
-
memory/1348-153-0x0000000007340000-0x00000000073A6000-memory.dmp
Filesize: 408KB
-
memory/1348-148-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/1348-147-0x0000000000000000-mapping.dmp
-
memory/2232-146-0x0000000000660000-0x00000000007EE000-memory.dmp
Filesize: 1.6MB
-
memory/2232-143-0x0000000000000000-mapping.dmp
-
memory/2820-149-0x0000000000000000-mapping.dmp
-
memory/3024-137-0x0000000000000000-mapping.dmp
-
memory/3368-140-0x0000000000000000-mapping.dmp
-
memory/3552-138-0x0000000000000000-mapping.dmp
-
memory/3580-142-0x0000000000000000-mapping.dmp
-
memory/4116-151-0x0000000000000000-mapping.dmp
-
memory/4236-132-0x0000000000900000-0x0000000000A8E000-memory.dmp
Filesize: 1.6MB
-
memory/4236-136-0x0000000006680000-0x000000000668A000-memory.dmp
Filesize: 40KB
-
memory/4236-135-0x00000000064D0000-0x0000000006562000-memory.dmp
Filesize: 584KB
-
memory/4236-134-0x00000000068A0000-0x0000000006E44000-memory.dmp
Filesize: 5.6MB
-
memory/4236-133-0x0000000005630000-0x00000000056CC000-memory.dmp
Filesize: 624KB