Analysis

max time kernel: 163s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2022 05:13

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.CrypterX-gen.26720.exe
Resource: win7-20220812-en
General

Target: SecuriteInfo.com.Win32.CrypterX-gen.26720.exe
Size: 564KB
MD5: 720d088da9cafaad486c347e0d09f696
SHA1: 9b751c34f71bb40b050dab0592ff45be56a602ad
SHA256: a8eb775636faf8ab1f7083615f58d722b537467035be2f1e96360b3b700a1931
SHA512: 44addb293e0f363244c0b1830e7d0047703aaa2dcd66e1ed2b005c8c25d87e7eee90781bc3838df37a94d5214a02f98976b1965a5b3c0664d7747252f6c8fd30
SSDEEP: 12288:48l02b1zzUFFiRU9WnSmzxwTqZfs+0K+:TlfzzUFAKASmyTqY
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: dera5nano.ddns.net:1010
C2: 107.182.129.248:1010
Mutex: 5a26bcef-e67f-486a-8e48-1748cc7891a2

activate_away_mode: true
backup_connection_host: 107.182.129.248
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-06-06T12:07:01.612898436Z
bypass_user_account_control: false
bypass_user_account_control_data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
  (base64 of a Windows Task Scheduler XML template: a <Task> with no triggers, LogonType InteractiveToken, RunLevel HighestAvailable, AllowStartOnDemand true, and an <Exec> action whose Command is the placeholder "#EXECUTABLEPATH" with Arguments $(Arg0); the placeholder is filled in at runtime)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1010
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760 (rendered as 1.048576e+07 in the extractor output)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (rendered as 1.048576e+07 in the extractor output)
mutex: 5a26bcef-e67f-486a-8e48-1748cc7891a2
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: dera5nano.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
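The bypass_user_account_control_data value above is not opaque: it is base64 of a Task Scheduler XML template. The script below is an added worked example (it is neither part of the Triage report nor NanoCore's own code). It decodes that exact blob from the report, parses the task, and applies a small triage rule that separates an elevation launcher from an ordinary scheduled job. The benign comparison task at the end is constructed for contrast, and the function and rule names are the example's own.

```python
"""Decode and triage the NanoCore bypass_user_account_control_data template.

Added example for the report above; not the sandbox's or the RAT's own code.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Copied verbatim from the extracted config (bypass_user_account_control_data).
BYPASS_UAC_DATA_B64 = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed benign task for contrast: a real trigger, least privilege, a concrete command.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-09-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><AllowStartOnDemand>true</AllowStartOnDemand><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""


def decode_task_template(b64: str) -> str:
    """Return the task XML as text.

    The stored bytes are plain ASCII even though the XML declaration claims
    UTF-16 (the declaration is meant for the file schtasks later reads), so a
    parser that honours the declaration would choke; drop it before parsing.
    """
    b64 = b64.strip()
    b64 += "=" * (-len(b64) % 4)          # tolerate a stripped padding char
    text = base64.b64decode(b64).decode("utf-8")
    return re.sub(r"^<\?xml[^>]*\?>\s*", "", text)


def summarize_task(xml_text: str) -> dict:
    """Pull the fields that matter for triage out of a Task Scheduler XML body."""
    root = ET.fromstring(xml_text)

    def txt(path: str):
        node = root.find(path, TASK_NS)
        return None if node is None else (node.text or "").strip()

    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "run_level": txt("t:Principals/t:Principal/t:RunLevel"),
        "logon_type": txt("t:Principals/t:Principal/t:LogonType"),
        "command": txt("t:Actions/t:Exec/t:Command"),
        "arguments": txt("t:Actions/t:Exec/t:Arguments"),
        "trigger_count": 0 if triggers is None else len(list(triggers)),
        "on_demand": txt("t:Settings/t:AllowStartOnDemand"),
        "hidden": txt("t:Settings/t:Hidden"),
    }


def is_elevation_template(summary: dict) -> bool:
    """Triage rule (this example's own): a triggerless, on-demand task that runs
    at HighestAvailable and executes an unresolved placeholder is an elevation
    launcher, not a scheduled job."""
    return (
        summary["run_level"] == "HighestAvailable"
        and summary["trigger_count"] == 0
        and summary["on_demand"] == "true"
        and "#EXECUTABLEPATH" in (summary["command"] or "")
    )


if __name__ == "__main__":
    xml_text = decode_task_template(BYPASS_UAC_DATA_B64)
    print(xml_text)
    summary = summarize_task(xml_text)
    print(summary)
    print("elevation template:", is_elevation_template(summary))
    print("benign control:", is_elevation_template(summarize_task(BENIGN_TASK_XML)))
```

The same summarize/rule pair can be pointed at the tmpAF46.tmp and tmpAFC4.tmp files listed under Downloads once they are recovered from the sandbox; files written by schtasks-bound code are normally UTF-16 with a BOM, so read those with encoding="utf-16" before handing the text to the parser.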
Signatures

Executes dropped EXE (1 IoC)
  PID 2212  Bin.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run                                   reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bin = "C:\\Users\\Admin\\AppData\\Local\\Bin.exe"   reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe"   InstallUtil.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2212 (Bin.exe) set thread context of PID 480 (InstallUtil.exe)

Drops file in Program Files directory (2 IoCs)
  File created                  C:\Program Files (x86)\DDP Manager\ddpmgr.exe   InstallUtil.exe
  File opened for modification  C:\Program Files (x86)\DDP Manager\ddpmgr.exe   InstallUtil.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Runs ping.exe (1 TTP, 3 IoCs)
  PID 3148  PING.EXE
  PID 2512  PING.EXE
  PID 3752  PING.EXE

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  PID 3464  SecuriteInfo.com.Win32.CrypterX-gen.26720.exe  (23 events)
  PID 2212  Bin.exe                                        (4 events)
  PID 480   InstallUtil.exe                                (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 480  InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 3464  SecuriteInfo.com.Win32.CrypterX-gen.26720.exe
  Token: SeDebugPrivilege  PID 2212  Bin.exe
  Token: SeDebugPrivilege  PID 480   InstallUtil.exe

Suspicious use of WriteProcessMemory (43 IoCs; source -> target, number of writes)
  PID 3464  SecuriteInfo.com.Win32.CrypterX-gen.26720.exe  ->  PID 4784  cmd.exe          x3
  PID 4784  cmd.exe                                        ->  PID 3148  PING.EXE         x3
  PID 3464  SecuriteInfo.com.Win32.CrypterX-gen.26720.exe  ->  PID 4596  cmd.exe          x3
  PID 4596  cmd.exe                                        ->  PID 2512  PING.EXE         x3
  PID 4784  cmd.exe                                        ->  PID 3520  reg.exe          x3
  PID 4596  cmd.exe                                        ->  PID 3752  PING.EXE         x3
  PID 4596  cmd.exe                                        ->  PID 2212  Bin.exe          x3
  PID 2212  Bin.exe                                        ->  PID 4000  InstallUtil.exe  x8
  PID 2212  Bin.exe                                        ->  PID 480   InstallUtil.exe  x8
  PID 480   InstallUtil.exe                                ->  PID 548   schtasks.exe     x3
  PID 480   InstallUtil.exe                                ->  PID 1196  schtasks.exe     x3
Processes

PIDs below are taken from the Signatures tables. Where two identical children exist (the two ping -n 9 instances, the two InstallUtil.exe instances, the two schtasks.exe instances) they are listed in the order the WriteProcessMemory table records them; for InstallUtil.exe this is consistent with the tables, which attribute every later action to PID 480 and none to PID 4000.

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe  (PID 3464)
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4784)
    "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Bin.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 3148)
      ping 127.0.0.1 -n 10
      - Runs ping.exe

    C:\Windows\SysWOW64\reg.exe  (PID 3520)
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Bin.exe"
      - Adds Run key to start application

  C:\Windows\SysWOW64\cmd.exe  (PID 4596)
    "cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe" "C:\Users\Admin\AppData\Local\Bin.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\AppData\Local\Bin.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 2512)
      ping 127.0.0.1 -n 9
      - Runs ping.exe

    C:\Windows\SysWOW64\PING.EXE  (PID 3752)
      ping 127.0.0.1 -n 9
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Bin.exe  (PID 2212)
      "C:\Users\Admin\AppData\Local\Bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 4000)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        (no signature is attributed to this instance)

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  (PID 480)
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  (PID 548)
          "schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF46.tmp"
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe  (PID 1196)
          "schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAFC4.tmp"
          - Creates scheduled task(s)

Reading the tree: each "ping 127.0.0.1 -n N > nul" is a sleep of roughly N-1 seconds (ping waits one second between echo requests), used here to delay the HKCU Run-key write and the launch of the copied binary; ping.exe is chosen because it needs no scripting host and rarely draws attention. The outer sample (the crypter stage) copies itself to C:\Users\Admin\AppData\Local\Bin.exe and relaunches from there. Bin.exe then starts the signed .NET utility InstallUtil.exe with no arguments, writes into it and changes its thread context (the SetThreadContext signature), so the NanoCore payload runs inside the InstallUtil.exe process; it is that process, PID 480, which writes the HKLM\SOFTWARE\WOW6432Node\...\Run\DDP Manager value, drops ddpmgr.exe under C:\Program Files (x86)\DDP Manager\, and registers the "DDP Manager" and "DDP Manager Task" scheduled tasks from XML files in the user's Temp folder. The Program Files and HKLM writes succeed here because the sandbox user is Admin; on a standard-user host those two persistence points would depend on the request_elevation setting in the config.
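The process tree above reads as a small detection specification. The script below is an added example (not from the report or any vendor tool); it replays the command lines above as constructed Sysmon-style process-creation events, with PIDs taken from the Signatures tables and two constructed benign events for contrast, and runs four rules over them: a loopback-ping delay chained with a Run-key write, a ping delay chained with a self-copy into AppData and relaunch, schtasks /create fed an XML under the user's Temp folder, and an argument-less InstallUtil.exe whose parent runs from a user-writable path. The event fields, rule names and the benign events are the example's own.

```python
"""Replay the report's process tree as log events and run detection rules over it.

Added example for the report above; the events are constructed, not exported
from the sandbox, and the rule names are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed from the command lines in the Processes section (PIDs as recorded in
# the Signatures tables). The last two events are benign controls, also constructed.
SAMPLE_EVENTS = [
    ProcEvent(3464, 1000, r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe"'),
    ProcEvent(4784, 3464, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Bin.exe"'),
    ProcEvent(4596, 3464, r"C:\Windows\SysWOW64\cmd.exe",
              r'"cmd" /c ping 127.0.0.1 -n 9 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe" "C:\Users\Admin\AppData\Local\Bin.exe" && ping 127.0.0.1 -n 9 > nul && "C:\Users\Admin\AppData\Local\Bin.exe"'),
    ProcEvent(2212, 4596, r"C:\Users\Admin\AppData\Local\Bin.exe", r'"C:\Users\Admin\AppData\Local\Bin.exe"'),
    ProcEvent(480, 2212, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
    ProcEvent(548, 480, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF46.tmp"'),
    # benign controls: InstallUtil with a real assembly argument; a task XML from a vendor directory
    ProcEvent(900, 800, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files\Vendor\Service.exe"'),
    ProcEvent(901, 800, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Vendor Update" /xml "C:\Program Files\Vendor\update.xml"'),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)
LOOPBACK_PING = re.compile(r"\bping(\.exe)?\s+(127\.0\.0\.1|localhost)\s+-n\s+\d+", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\", re.I)
TEMP_XML = re.compile(r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        cl = e.command_line
        if name == "cmd.exe" and "&&" in cl and LOOPBACK_PING.search(cl):
            # ping-as-sleep chained with persistence or with a self-copy and relaunch
            if re.search(r"\breg(\.exe)?\s+add\b", cl, re.I) and RUN_KEY.search(cl):
                findings.append(("ping_delay_then_run_key", e.pid))
            if re.search(r"\bcopy\b", cl, re.I) and USER_WRITABLE.search(cl):
                findings.append(("ping_delay_self_copy_relaunch", e.pid))
        if name == "schtasks.exe" and re.search(r"/create\b", cl, re.I) and TEMP_XML.search(cl):
            findings.append(("schtasks_xml_from_user_temp", e.pid))
        if name == "installutil.exe":
            # strip the (possibly quoted) image path; whatever is left is an argument
            rest = re.sub(r'^\s*"?[^"]*installutil\.exe"?\s*', "", cl, flags=re.I)
            parent = by_pid.get(e.ppid)
            if not rest.strip() and parent is not None and USER_WRITABLE.search(parent.image):
                findings.append(("installutil_no_args_from_user_path_parent", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:45s} pid={pid}")
```

The InstallUtil rule keys on two things the tree shows together: an empty command line (the utility is useful only with an assembly argument) and a parent living in a user-writable path. Either alone is noisy; together they describe the hollowing step without needing the SetThreadContext telemetry that only a sandbox or an EDR with thread-context hooks provides.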
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Bin.exe
  Filesize: 564KB
  MD5: 720d088da9cafaad486c347e0d09f696
  SHA1: 9b751c34f71bb40b050dab0592ff45be56a602ad
  SHA256: a8eb775636faf8ab1f7083615f58d722b537467035be2f1e96360b3b700a1931
  SHA512: 44addb293e0f363244c0b1830e7d0047703aaa2dcd66e1ed2b005c8c25d87e7eee90781bc3838df37a94d5214a02f98976b1965a5b3c0664d7747252f6c8fd30
  (all four hashes match the submitted sample: Bin.exe is the byte-for-byte copy made by the cmd.exe copy command in the process tree, so a file-hash block on the original also covers it)

C:\Users\Admin\AppData\Local\Temp\tmpAF46.tmp
  Filesize: 1KB
  MD5: 576bbaf398045c3843d452ec83208236
  SHA1: 8ed5b2500ae7a40cbfa6e9018a1d1f1e70cb1374
  SHA256: 33c0c2d72fa383e5988ce640febc5ac6a2bd71d4ae660b99e52234952e17467b
  SHA512: e7cc0ea0b351c6a8618e14f03c00e88ef83e2f169e0b4d66513f580f0a9352fbfe429e57186362b69407150d566bbdadca2f7b574fc748cc140b3249be67f96a

C:\Users\Admin\AppData\Local\Temp\tmpAFC4.tmp
  Filesize: 1KB
  MD5: 677848190631e19222304d1982aa2e1b
  SHA1: bed6cf97d3458e4ea59ff9823375d915a9b3d682
  SHA256: 8bcf16c788d228932fa707bb4250c05151e099bdf7040adc717e53680601be3d
  SHA512: f5d41e150011bc63f4c95799e21fe91ffaa25eb05f4ca46ea89f3a3ca5325413ba4e0b7b5d69c0bc189955f3308c4928016a7cc1d6f7c2352639106952e92b1e

Memory dumps (PID-index-region)
  memory/480-149-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/480-148-0x0000000000000000-mapping.dmp
  memory/548-150-0x0000000000000000-mapping.dmp
  memory/1196-152-0x0000000000000000-mapping.dmp
  memory/2212-143-0x0000000000000000-mapping.dmp
  memory/2212-146-0x0000000000880000-0x0000000000912000-memory.dmp  584KB
  memory/2512-140-0x0000000000000000-mapping.dmp
  memory/3148-138-0x0000000000000000-mapping.dmp
  memory/3464-136-0x00000000060C0000-0x00000000060CA000-memory.dmp  40KB
  memory/3464-132-0x0000000000F20000-0x0000000000FB2000-memory.dmp  584KB
  memory/3464-135-0x0000000006010000-0x00000000060A2000-memory.dmp  584KB
  memory/3464-134-0x00000000063E0000-0x0000000006984000-memory.dmp  5.6MB
  memory/3464-133-0x0000000005180000-0x000000000521C000-memory.dmp  624KB
  memory/3520-141-0x0000000000000000-mapping.dmp
  memory/3752-142-0x0000000000000000-mapping.dmp
  memory/4000-147-0x0000000000000000-mapping.dmp
  memory/4596-139-0x0000000000000000-mapping.dmp
  memory/4784-137-0x0000000000000000-mapping.dmp

The 224KB region at 0x400000 in PID 480 (InstallUtil.exe) is the dump to start from when looking for the unpacked NanoCore payload: that is the image base written into the hollowed process, whereas the 584KB regions in PIDs 3464 and 2212 are the crypter stage itself.