Analysis
max time kernel: 61s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-09-2022 10:39
Static task: static1
Behavioral task: behavioral1
Sample: attached PI.exe
Resource: win7-20220901-en
General
Target: attached PI.exe
Size: 1.1MB
MD5: 238b41e834f3b663584d4788493bc75f
SHA1: 006efa65c3a4c5b4ee2402ab5e6d789fc95e0b9c
SHA256: e0b3c7281dd3488df3c71ee35dde8fe321e5aae4d3f200d2f63dfef64a97daff
SHA512: 23a862d13b143d37328e8055d99329e0ec5caaa0a554706eb18ad3e0ac298bb5e10141f9101019223bfe77f2abcadfe90e27b91a453c5cf6cb8fe37396af956d
SSDEEP: 12288:c3mY2iNw0+9MKvADqjJ5nr9fAn/CoE2g++sn3Qwon89AGPEAbVNqPKvmvuoZ2aVc:c3x1Ieyjrrm/C72g2QFnE7P5
Malware Config
Extracted: nanocore
Version: 1.2.2.0
C2: brightnano1.ddns.net:1989
C2: 171.22.30.97:1989
Mutex: fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe

activate_away_mode: true
backup_connection_host: 171.22.30.97
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-06-10T14:34:05.030247036Z
bypass_user_account_control: false
bypass_user_account_control_data:
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1989
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: brightnano1.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
  process: attached PI.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"
  process: attached PI.exe
Checks whether UAC is enabled
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: attached PI.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 1472 set thread context of 3712
  pid / process: 1472 attached PI.exe
  target process: attached PI.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description: File created
  ioc: C:\Program Files (x86)\AGP Monitor\agpmon.exe
  process: attached PI.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\AGP Monitor\agpmon.exe
  process: attached PI.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid 1488: schtasks.exe
  pid 4584: schtasks.exe
  pid 1984: schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid 3712: attached PI.exe (listed 6 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid 3712: attached PI.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege
  pid / process: 3712 attached PI.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description | pid / process | target process):
  PID 1472 wrote to memory of 1488 | 1472 attached PI.exe | schtasks.exe (3 entries)
  PID 1472 wrote to memory of 3712 | 1472 attached PI.exe | attached PI.exe (8 entries)
  PID 3712 wrote to memory of 4584 | 3712 attached PI.exe | schtasks.exe (3 entries)
  PID 3712 wrote to memory of 1984 | 3712 attached PI.exe | schtasks.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\attached PI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\attached PI.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ecCUXmnB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp511.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\attached PI.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8E9.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp938.tmp"
      - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\attached PI.exe.log
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
- C:\Users\Admin\AppData\Local\Temp\tmp511.tmp
  Filesize: 1KB
  MD5: 764a7b1943ddf33fe87d606f7a6e338a
  SHA1: 1878421b5e79a214651a6b239b1dd84bf3e268ff
  SHA256: 788f439bb447144af2e37cf7450f0bd44fa72a01d80946902529d6e534b9edc4
  SHA512: edc78b02366d75140876b79c42f20b8f57d64187ac073f6bc3a6a3236ad07ff2ebd595b18801825a4bc8a8ba82211fc0aa0834b2fdb86f275543fc9f7d2a397b
- C:\Users\Admin\AppData\Local\Temp\tmp8E9.tmp
  Filesize: 1KB
  MD5: d972ae1e12347e96f6777c07e092f28c
  SHA1: dc26b4d6a4d7a860fd0cdf7e03a1ea7459fc289b
  SHA256: 4d80f0dcb044aa6276a43d60b6ffcbf5128bdcf46d5366fa4cc9bbecc6a94a7c
  SHA512: 2670e29df8104d858cd88d011687511db702135100fdd66ffffa1600a67dbaad656950b178d393246ab63f67920c0293bb1632fa5a355d1471eecb1b6c510720
- C:\Users\Admin\AppData\Local\Temp\tmp938.tmp
  Filesize: 1KB
  MD5: 157cd55403665c49c9fd3ca1196c4397
  SHA1: 4feed6e606b41bb617274471349582963182756b
  SHA256: 49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e
  SHA512: bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8
- memory/1472-133-0x0000000005610000-0x0000000005BB4000-memory.dmp
  Filesize: 5.6MB
- memory/1472-135-0x0000000005100000-0x000000000519C000-memory.dmp
  Filesize: 624KB
- memory/1472-136-0x0000000004FE0000-0x0000000004FEA000-memory.dmp
  Filesize: 40KB
- memory/1472-134-0x0000000004F40000-0x0000000004FD2000-memory.dmp
  Filesize: 584KB
- memory/1472-132-0x0000000000490000-0x00000000005AA000-memory.dmp
  Filesize: 1.1MB
- memory/1488-137-0x0000000000000000-mapping.dmp
- memory/1984-144-0x0000000000000000-mapping.dmp
- memory/3712-140-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/3712-139-0x0000000000000000-mapping.dmp
- memory/3712-146-0x0000000007590000-0x00000000075F6000-memory.dmp
  Filesize: 408KB
- memory/4584-142-0x0000000000000000-mapping.dmp