Analysis
-
max time kernel
148s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
05-09-2022 16:27
-
Static task
static1
-
Behavioral task
behavioral1
-
Sample
SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe
-
Resource
win7-20220812-en
General
-
Target
SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe
-
Size
1.5MB
-
MD5
fe7ed9839a56c49edf10dd32c562f1cc
-
SHA1
6c78f76065014ddd8341730b1506be5795987648
-
SHA256
50a0b8864a2c4f0f8e325c97d832c747601fb84593a4b74fc705fe18c09da732
-
SHA512
e81601c6ceb7159315a0ef657a8068fedc3fec1fe1710c05f79c5215b3b22b1ac82338553f912beb201021f95471361ec4f3a782f99503c78a0447230bf7e2da
-
SSDEEP
49152:ml7s93A2eXs63aQ7k1ng7BqgxNskFET3RQloe:ml7s93JeqQ7Qg7zWki3RAb
Malware Config
Extracted
nanocore
1.2.2.0
brewsterchristophe.ddns.net:5899
194,147,5,75:5899
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
-
activate_away_mode
true
-
backup_connection_host
194,147,5,75
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-04-29T03:26:40.572298236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
5899
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
brewsterchristophe.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 1 IoCs
Processes: bin.exe
pid | process
1960 | bin.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: reg.exe, RegAsm.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bin = "C:\\Users\\Admin\\AppData\\Local\\bin.exe" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | RegAsm.exe
-
Checks whether UAC is enabled
Processes: RegAsm.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: bin.exe
description | pid | process | target process
PID 1960 set thread context of 3736 | 1960 | bin.exe | RegAsm.exe
-
Drops file in Program Files directory 2 IoCs
Processes: RegAsm.exe
description | ioc | process
File created | C:\Program Files (x86)\DDP Host\ddphost.exe | RegAsm.exe
File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
1948 | schtasks.exe
1776 | schtasks.exe
-
Runs ping.exe 1 TTPs 3 IoCs
Processes: PING.EXE, PING.EXE, PING.EXE
pid | process
3816 | PING.EXE
3892 | PING.EXE
4616 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe, bin.exe, RegAsm.exe
pid | process | entries
3740 | SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe | 25
1960 | bin.exe | 2
3736 | RegAsm.exe | 6
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RegAsm.exe
pid | process
3736 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe, bin.exe, RegAsm.exe
description | pid | process
Token: SeDebugPrivilege | 3740 | SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe
Token: SeDebugPrivilege | 1960 | bin.exe
Token: SeDebugPrivilege | 3736 | RegAsm.exe
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes: SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe, cmd.exe, cmd.exe, bin.exe, RegAsm.exe
description | pid | process | target process | entries
PID 3740 wrote to memory of 3628 | 3740 | SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe | cmd.exe | 3
PID 3628 wrote to memory of 3816 | 3628 | cmd.exe | PING.EXE | 3
PID 3740 wrote to memory of 4528 | 3740 | SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe | cmd.exe | 3
PID 4528 wrote to memory of 3892 | 4528 | cmd.exe | PING.EXE | 3
PID 3628 wrote to memory of 1508 | 3628 | cmd.exe | reg.exe | 3
PID 4528 wrote to memory of 4616 | 4528 | cmd.exe | PING.EXE | 3
PID 4528 wrote to memory of 1960 | 4528 | cmd.exe | bin.exe | 3
PID 1960 wrote to memory of 3736 | 1960 | bin.exe | RegAsm.exe | 8
PID 3736 wrote to memory of 1948 | 3736 | RegAsm.exe | schtasks.exe | 3
PID 3736 wrote to memory of 1776 | 3736 | RegAsm.exe | schtasks.exe | 3
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe
command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 2: C:\Windows\SysWOW64\cmd.exe
command line: "cmd" /c ping 127.0.0.1 -n 11 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bin.exe"
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\SysWOW64\PING.EXE
command line: ping 127.0.0.1 -n 11
- Runs ping.exe
-
depth 3: C:\Windows\SysWOW64\reg.exe
command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\bin.exe"
- Adds Run key to start application
-
depth 2: C:\Windows\SysWOW64\cmd.exe
command line: "cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Kryptik.AIK.gen.Eldorado.31910.exe" "C:\Users\Admin\AppData\Local\bin.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Users\Admin\AppData\Local\bin.exe"
- Suspicious use of WriteProcessMemory
-
depth 3: C:\Windows\SysWOW64\PING.EXE
command line: ping 127.0.0.1 -n 21
- Runs ping.exe
-
depth 3: C:\Windows\SysWOW64\PING.EXE
command line: ping 127.0.0.1 -n 21
- Runs ping.exe
-
depth 3: C:\Users\Admin\AppData\Local\bin.exe
command line: "C:\Users\Admin\AppData\Local\bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
depth 5: C:\Windows\SysWOW64\schtasks.exe
command line: "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE5DC.tmp"
- Creates scheduled task(s)
-
depth 5: C:\Windows\SysWOW64\schtasks.exe
command line: "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE679.tmp"
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE5DC.tmp
Filesize
1KB
MD5
48ef7fa9033389ad7929d7a6b9d10298
SHA1
9db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA256
0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512
ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
-
C:\Users\Admin\AppData\Local\Temp\tmpE679.tmp
Filesize
1KB
MD5
2271642ca970891700e3f48439739ed8
SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807
-
C:\Users\Admin\AppData\Local\bin.exe
Filesize
1.5MB
MD5
fe7ed9839a56c49edf10dd32c562f1cc
SHA1
6c78f76065014ddd8341730b1506be5795987648
SHA256
50a0b8864a2c4f0f8e325c97d832c747601fb84593a4b74fc705fe18c09da732
SHA512
e81601c6ceb7159315a0ef657a8068fedc3fec1fe1710c05f79c5215b3b22b1ac82338553f912beb201021f95471361ec4f3a782f99503c78a0447230bf7e2da
-
memory/1508-141-0x0000000000000000-mapping.dmp
-
memory/1776-151-0x0000000000000000-mapping.dmp
-
memory/1948-149-0x0000000000000000-mapping.dmp
-
memory/1960-143-0x0000000000000000-mapping.dmp
-
memory/1960-146-0x00000000003A0000-0x000000000052E000-memory.dmp
Filesize
1.6MB
-
memory/3628-137-0x0000000000000000-mapping.dmp
-
memory/3736-147-0x0000000000000000-mapping.dmp
-
memory/3736-148-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/3736-153-0x0000000006DB0000-0x0000000006E16000-memory.dmp
Filesize
408KB
-
memory/3740-132-0x00000000002F0000-0x000000000047E000-memory.dmp
Filesize
1.6MB
-
memory/3740-136-0x0000000006540000-0x000000000654A000-memory.dmp
Filesize
40KB
-
memory/3740-135-0x00000000063A0000-0x0000000006432000-memory.dmp
Filesize
584KB
-
memory/3740-134-0x0000000006760000-0x0000000006D04000-memory.dmp
Filesize
5.6MB
-
memory/3740-133-0x0000000005550000-0x00000000055EC000-memory.dmp
Filesize
624KB
-
memory/3816-138-0x0000000000000000-mapping.dmp
-
memory/3892-140-0x0000000000000000-mapping.dmp
-
memory/4528-139-0x0000000000000000-mapping.dmp
-
memory/4616-142-0x0000000000000000-mapping.dmp