Analysis
- max time kernel: 142s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-09-2022 16:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe
- Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe
- Size: 1.5MB
- MD5: fe7ed9839a56c49edf10dd32c562f1cc
- SHA1: 6c78f76065014ddd8341730b1506be5795987648
- SHA256: 50a0b8864a2c4f0f8e325c97d832c747601fb84593a4b74fc705fe18c09da732
- SHA512: e81601c6ceb7159315a0ef657a8068fedc3fec1fe1710c05f79c5215b3b22b1ac82338553f912beb201021f95471361ec4f3a782f99503c78a0447230bf7e2da
- SSDEEP: 49152:ml7s93A2eXs63aQ7k1ng7BqgxNskFET3RQloe:ml7s93JeqQ7Qg7zWki3RAb
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: brewsterchristophe.ddns.net:5899
C2: 194.147.5.75:5899 (printed as 194,147,5,75:5899 by the extractor)
Mutex: b8aebc29-8c64-444f-99e6-dc4122e9bbfc
- activate_away_mode: true
- backup_connection_host: 194.147.5.75 (printed as 194,147,5,75)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-04-29T03:26:40.572298236Z
- bypass_user_account_control: false
- bypass_user_account_control_data (base64): PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5899
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760 (printed as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (printed as 1.048576e+07)
- mutex: b8aebc29-8c64-444f-99e6-dc4122e9bbfc
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: brewsterchristophe.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
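The bypass_user_account_control_data value above is a base64-encoded Task Scheduler XML template. The script below is an added example, not part of the sandbox report or of any extractor: it decodes the blob exactly as printed in the config and pulls out the fields that matter for elevation. The prolog claims UTF-16 but the decoded bytes are plain ASCII, so the prolog is stripped before parsing; the field names and the flag wording are this example's own, and nothing is claimed about how the RAT fills the "#EXECUTABLEPATH" placeholder at run time (the config also reports bypass_user_account_control false and request_elevation true).

```python
"""Decode the NanoCore bypass_user_account_control_data blob from the report above.

Added example, not part of the sandbox report.  BLOB is the base64 string
printed in the extracted config; everything else is this example's own code.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Default namespace used by Task Scheduler task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Copied verbatim from the extracted config above.
BLOB = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"


def decode_task_xml(blob: str) -> str:
    """Base64-decode the blob and return the task XML with its prolog removed."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    # The prolog declares UTF-16, but the bytes are single-byte ASCII; decode as
    # such and drop the prolog so the XML parser does not honour the wrong encoding.
    text = raw.decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()


def summarize_task(xml_text: str) -> Dict[str, object]:
    """Pull out who the task runs as, when it fires and what it executes."""
    root = ET.fromstring(xml_text)

    def text_at(path: str):
        node = root.find(path, TASK_NS)
        return node.text if node is not None else None

    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "logon_type": text_at("t:Principals/t:Principal/t:LogonType"),
        "run_level": text_at("t:Principals/t:Principal/t:RunLevel"),
        "command": text_at("t:Actions/t:Exec/t:Command"),
        "arguments": text_at("t:Actions/t:Exec/t:Arguments"),
        "hidden": text_at("t:Settings/t:Hidden"),
        "execution_time_limit": text_at("t:Settings/t:ExecutionTimeLimit"),
        "trigger_count": 0 if triggers is None else len(triggers),
    }


def elevation_flags(summary: Dict[str, object]) -> List[str]:
    """Plain-language reasons this template is interesting (example's own wording)."""
    flags = []
    if summary["run_level"] == "HighestAvailable":
        flags.append("RunLevel HighestAvailable: runs with the highest token the logged-on user holds")
    if summary["trigger_count"] == 0:
        flags.append("no triggers: the task only runs when started on demand")
    if "#EXECUTABLEPATH" in str(summary["command"] or ""):
        flags.append('Command is the placeholder "#EXECUTABLEPATH", not a concrete path')
    return flags


if __name__ == "__main__":
    s = summarize_task(decode_task_xml(BLOB))
    for key, value in s.items():
        print(f"{key:<22} {value}")
    for flag in elevation_flags(s):
        print("!", flag)
```

The decoded template has no triggers and an ExecutionTimeLimit of PT0S (no limit); it is a reusable definition the RAT can register under any name, and the report's two schtasks.exe invocations ("NTFS Monitor", "NTFS Monitor Task", both from /xml files in Temp) are the place to look for the concrete instances.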
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid 1628 bin.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid 1456 cmd.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\bin = "C:\\Users\\Admin\\AppData\\Local\\bin.exe" (reg.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" (RegAsm.exe)
-
Checks whether UAC is enabled 1 IoCs
Processes:
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 1628 bin.exe set thread context of PID 1268 RegAsm.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
File created C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe (RegAsm.exe)
File opened for modification C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe (RegAsm.exe)
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 3 IoCs
Processes:
pid 1548 PING.EXE
pid 1956 PING.EXE
pid 636 PING.EXE
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid 1684 SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe (3 events)
pid 1628 bin.exe (2 events)
pid 1268 RegAsm.exe (4 events)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeDebugPrivilege pid 1684 SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe
Token: SeDebugPrivilege pid 1628 bin.exe
Token: SeDebugPrivilege pid 1268 RegAsm.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes (source PID -> target PID, number of recorded writes):
PID 1684 SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe wrote to memory of 2024 cmd.exe (4)
PID 2024 cmd.exe wrote to memory of 1956 PING.EXE (4)
PID 1684 SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe wrote to memory of 1456 cmd.exe (4)
PID 1456 cmd.exe wrote to memory of 636 PING.EXE (4)
PID 2024 cmd.exe wrote to memory of 1632 reg.exe (4)
PID 1456 cmd.exe wrote to memory of 1548 PING.EXE (4)
PID 1456 cmd.exe wrote to memory of 1628 bin.exe (4)
PID 1628 bin.exe wrote to memory of 1268 RegAsm.exe (12)
PID 1268 RegAsm.exe wrote to memory of 432 schtasks.exe (4)
PID 1268 RegAsm.exe wrote to memory of 940 schtasks.exe (4)
Processes
(indented by depth in the process tree; PIDs taken from the signature section above)
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe (PID 1684, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (PID 2024, depth 2)
    "cmd" /c ping 127.0.0.1 -n 13 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bin.exe"
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\PING.EXE (PID 1956, depth 3)
      ping 127.0.0.1 -n 13
      - Runs ping.exe
-
    C:\Windows\SysWOW64\reg.exe (PID 1632, depth 3)
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bin.exe"
      - Adds Run key to start application
-
  C:\Windows\SysWOW64\cmd.exe (PID 1456, depth 2)
    "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe" "C:\Users\Admin\AppData\Local\bin.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\AppData\Local\bin.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\PING.EXE (PID 636, depth 3)
      ping 127.0.0.1 -n 14
      - Runs ping.exe
-
    C:\Windows\SysWOW64\PING.EXE (PID 1548, depth 3)
      ping 127.0.0.1 -n 14
      - Runs ping.exe
-
    C:\Users\Admin\AppData\Local\bin.exe (PID 1628, depth 3)
      "C:\Users\Admin\AppData\Local\bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1268, depth 4)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
-
        C:\Windows\SysWOW64\schtasks.exe (PID 432, depth 5)
          "schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp"
          - Creates scheduled task(s)
-
        C:\Windows\SysWOW64\schtasks.exe (PID 940, depth 5)
          "schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D04.tmp"
          - Creates scheduled task(s)
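The process tree above is a compact chain: ping-to-loopback as a sleep, a HKCU Run key written by reg.exe, the sample copying itself to AppData and starting the copy, the copy starting an argument-less RegAsm.exe and setting its thread context, and RegAsm.exe registering two scheduled tasks from XML files in Temp. The script below is an added example, not part of the sandbox report or of any vendor product: it replays that tree as constructed process-creation events (image, command line and the PIDs the sandbox recorded) and runs a handful of rules over them. The rule names, regular expressions and the "user-writable parent" heuristic are this example's own choices.

```python
"""Detection pass over the process tree recorded in the report above.

Added example, not part of the sandbox report.  EVENTS is constructed from
the report's process tree and THREAD_CONTEXT from its "Suspicious use of
SetThreadContext" signature; rule names and regexes are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\bin.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PING = r"C:\Windows\SysWOW64\PING.EXE"
REG = r"C:\Windows\SysWOW64\reg.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
RUN_KEY_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
               r'/f /v "bin" /t REG_SZ /d "' + DROPPED + '"')

# Constructed from the report's process tree; PIDs are the ones the sandbox recorded.
EVENTS = [
    ProcEvent(1684, 0, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(2024, 1684, CMD, '"cmd" /c ping 127.0.0.1 -n 13 > nul && ' + RUN_KEY_CMD),
    ProcEvent(1956, 2024, PING, "ping 127.0.0.1 -n 13"),
    ProcEvent(1632, 2024, REG, RUN_KEY_CMD),
    ProcEvent(1456, 1684, CMD,
              '"cmd" /c ping 127.0.0.1 -n 14 > nul && copy "' + SAMPLE + '" "' + DROPPED
              + '" && ping 127.0.0.1 -n 14 > nul && "' + DROPPED + '"'),
    ProcEvent(636, 1456, PING, "ping 127.0.0.1 -n 14"),
    ProcEvent(1548, 1456, PING, "ping 127.0.0.1 -n 14"),
    ProcEvent(1628, 1456, DROPPED, '"' + DROPPED + '"'),
    ProcEvent(1268, 1628, REGASM, '"' + REGASM + '"'),
    ProcEvent(432, 1268, SCHTASKS,
              r'"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp"'),
    ProcEvent(940, 1268, SCHTASKS,
              r'"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1D04.tmp"'),
]
# (source pid, target pid) pairs from the SetThreadContext signature.
THREAD_CONTEXT = [(1628, 1268)]

PING_DELAY = re.compile(r"ping\s+127\.0\.0\.1\s+-n\s+(\d+)\s*>\s*nul\s*&&", re.I)
RUN_KEY = re.compile(r"reg\s+add\s+.*\\CurrentVersion\\Run\b", re.I)
COPY_THEN_RUN = re.compile(r'copy\s+"[^"]+"\s+"([^"]+)".*&&\s*"\1"', re.I | re.S)
TASK_FROM_TEMP = re.compile(r'/create\b.*/xml\s+"([^"]*\\Temp\\[^"]*)"', re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image basenames from the given process up to the root of the recorded tree."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: Iterable[ProcEvent], thread_context=()) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings; thread_context is optional telemetry."""
    by_pid = {e.pid: e for e in events}
    ctx = set(thread_context)
    findings = []
    for e in by_pid.values():
        name = basename(e.image)
        if name == "cmd.exe" and (m := PING_DELAY.search(e.cmdline)):
            findings.append((e.pid, "ping_loopback_delay", f"-n {m.group(1)} before the next command"))
        if name in ("cmd.exe", "reg.exe") and RUN_KEY.search(e.cmdline):
            findings.append((e.pid, "run_key_persistence", e.cmdline))
        if name == "cmd.exe" and (m := COPY_THEN_RUN.search(e.cmdline)) and USER_WRITABLE.match(m.group(1)):
            findings.append((e.pid, "self_copy_to_appdata_and_run", m.group(1)))
        if name == "schtasks.exe" and (m := TASK_FROM_TEMP.search(e.cmdline)):
            findings.append((e.pid, "schtasks_from_temp_xml", m.group(1)))
        # RegAsm.exe with no arguments does nothing useful; started from a
        # user-writable path and then having its thread context rewritten by
        # that parent is the shape of process hollowing.
        parent = by_pid.get(e.ppid)
        args = e.cmdline.replace('"' + e.image + '"', "", 1).strip()
        if (name == "regasm.exe" and not args and parent is not None
                and USER_WRITABLE.match(parent.image) and (parent.pid, e.pid) in ctx):
            findings.append((e.pid, "regasm_hollowing_candidate", " <- ".join(ancestry(by_pid, e.pid))))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS, THREAD_CONTEXT):
        print(f"{pid:>5}  {rule:<30} {detail}")
```

Without the SetThreadContext pair the RegAsm.exe rule stays silent, which is deliberate: an argument-less RegAsm.exe under a user path is a lead, not a verdict, and the report's memory dumps for PID 1268 (the 0x400000-0x438000 region and the mapping at 0x41E792) are where the hollowed image would be confirmed.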
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1C29.tmp
  Filesize: 1KB
  MD5: 48ef7fa9033389ad7929d7a6b9d10298
  SHA1: 9db6cb7325c8bdf66a15f7b5f34703709a45aeb6
  SHA256: 0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
  SHA512: ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
- C:\Users\Admin\AppData\Local\Temp\tmp1D04.tmp
  Filesize: 1KB
  MD5: 981e126601526eaa5b0ad45c496c4465
  SHA1: d610d6a21a8420cc73fcd3e54ddae75a5897b28b
  SHA256: 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
  SHA512: a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb
- C:\Users\Admin\AppData\Local\bin.exe (also recorded as \Users\Admin\AppData\Local\bin.exe; same hashes as the submitted sample)
  Filesize: 1.5MB
  MD5: fe7ed9839a56c49edf10dd32c562f1cc
  SHA1: 6c78f76065014ddd8341730b1506be5795987648
  SHA256: 50a0b8864a2c4f0f8e325c97d832c747601fb84593a4b74fc705fe18c09da732
  SHA512: e81601c6ceb7159315a0ef657a8068fedc3fec1fe1710c05f79c5215b3b22b1ac82338553f912beb201021f95471361ec4f3a782f99503c78a0447230bf7e2da
- memory/432-86-0x0000000000000000-mapping.dmp
- memory/636-61-0x0000000000000000-mapping.dmp
- memory/940-88-0x0000000000000000-mapping.dmp
- memory/1268-93-0x0000000000830000-0x0000000000842000-memory.dmp (72KB)
- memory/1268-96-0x0000000000FD0000-0x0000000000FE2000-memory.dmp (72KB)
- memory/1268-105-0x0000000001045000-0x0000000001056000-memory.dmp (68KB)
- memory/1268-104-0x00000000011A0000-0x00000000011B4000-memory.dmp (80KB)
- memory/1268-103-0x0000000004620000-0x000000000464E000-memory.dmp (184KB)
- memory/1268-102-0x0000000001140000-0x000000000114E000-memory.dmp (56KB)
- memory/1268-101-0x00000000010E0000-0x00000000010F4000-memory.dmp (80KB)
- memory/1268-100-0x00000000010D0000-0x00000000010E0000-memory.dmp (64KB)
- memory/1268-99-0x0000000001080000-0x0000000001094000-memory.dmp (80KB)
- memory/1268-98-0x0000000001030000-0x000000000103E000-memory.dmp (56KB)
- memory/1268-74-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1268-73-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1268-77-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1268-76-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1268-79-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1268-80-0x000000000041E792-mapping.dmp
- memory/1268-82-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1268-84-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1268-97-0x0000000001020000-0x000000000102C000-memory.dmp (48KB)
- memory/1268-95-0x0000000000860000-0x000000000086E000-memory.dmp (56KB)
- memory/1268-94-0x00000000009F0000-0x0000000000A0A000-memory.dmp (104KB)
- memory/1268-92-0x00000000006B0000-0x00000000006BA000-memory.dmp (40KB)
- memory/1268-90-0x0000000000460000-0x000000000046A000-memory.dmp (40KB)
- memory/1268-91-0x00000000004B0000-0x00000000004CE000-memory.dmp (120KB)
- memory/1456-60-0x0000000000000000-mapping.dmp
- memory/1548-63-0x0000000000000000-mapping.dmp
- memory/1628-68-0x00000000013B0000-0x000000000153E000-memory.dmp (1.6MB)
- memory/1628-72-0x0000000000DF0000-0x0000000000DF6000-memory.dmp (24KB)
- memory/1628-71-0x0000000000F60000-0x0000000000F7A000-memory.dmp (104KB)
- memory/1628-70-0x00000000005E0000-0x0000000000614000-memory.dmp (208KB)
- memory/1628-65-0x0000000000000000-mapping.dmp
- memory/1632-62-0x0000000000000000-mapping.dmp
- memory/1684-57-0x0000000000AC0000-0x0000000000AD8000-memory.dmp (96KB)
- memory/1684-56-0x00000000009B0000-0x00000000009E4000-memory.dmp (208KB)
- memory/1684-55-0x0000000076401000-0x0000000076403000-memory.dmp (8KB)
- memory/1684-54-0x0000000000B50000-0x0000000000CDE000-memory.dmp (1.6MB)
- memory/1956-59-0x0000000000000000-mapping.dmp
- memory/2024-58-0x0000000000000000-mapping.dmp