Analysis
-
max time kernel
152s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
01-10-2022 23:12
Static task
static1
Behavioral task
behavioral1
Sample
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
Resource
win7-20220812-en
General
-
Target
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
-
Size
1.0MB
-
MD5
02bf5a10f714bc458c2f72606e60f120
-
SHA1
3bdcb11ca4f88369dd0611a59c4d74a0adeb7a18
-
SHA256
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8
-
SHA512
319eaa43b97d4f0bf7dc3071a4093838503700fd7ce1b9cc9e827225b91d108bc54a699c150132f3d988df5a8bfd2dfd6542d21dec146ce5c39ce53c9fcc5d37
-
SSDEEP
12288:9tb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaQluHUw5zoM5csnYT9M5:9tb20pkaCqT5TBWgNQ7aOuHj57nsM6A
Malware Config
Extracted
nanocore
1.2.2.0
adam150994.mooo.com:666
6b975470-a14f-4d2b-80ad-e81702c60910
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2015-04-28T03:08:37.908955436Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
666
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (10485760 bytes = 10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (10485760 bytes = 10 MiB)
-
mutex
6b975470-a14f-4d2b-80ad-e81702c60910
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
adam150994.mooo.com
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Uses the VB.NET compiler (vbc.exe, not VBScript) as an execution host 1 TTPs — vbc.exe is a legitimate .NET Framework binary; together with the SetThreadContext and WriteProcessMemory entries below targeting PID 2020, this is consistent with the payload being injected into a hollowed vbc.exe process.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe" | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
description | pid | process | target process
PID 1372 set thread context of 2020 | 1372 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but that is a generic heuristic: the configuration extracted above identifies the payload as NanoCore, a remote access trojan, and none of the signatures in this report show file encryption or ransom-note activity, so drive enumeration here is more plausibly RAT reconnaissance than ransomware.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exevbc.exepid process 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 2020 vbc.exe 2020 vbc.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe 1372 a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
vbc.exe
pid | process
2020 | vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
vbc.exe
description | pid | process
Token: SeDebugPrivilege | 2020 | vbc.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
pid | process
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
pid | process
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
description | pid | process | target process
PID 1896 wrote to memory of 1372 | 1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
PID 1896 wrote to memory of 1372 | 1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
PID 1896 wrote to memory of 1372 | 1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
PID 1896 wrote to memory of 1372 | 1896 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe
PID 1372 wrote to memory of 2020 | 1372 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | vbc.exe
PID 1372 wrote to memory of 2020 | 1372 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | vbc.exe
PID 1372 wrote to memory of 2020 | 1372 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | vbc.exe
PID 1372 wrote to memory of 2020 | 1372 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | vbc.exe
PID 1372 wrote to memory of 2020 | 1372 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | vbc.exe
PID 1372 wrote to memory of 2020 | 1372 | a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe | vbc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe"C:\Users\Admin\AppData\Local\Temp\a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe"C:\Users\Admin\AppData\Local\Temp\a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\831971" "C:\Users\Admin\AppData\Local\Temp\a9c7db15a1a3040a8d1590389d4102c00f5f2fa05033f7d2f7c90e1e8a8ef8b8.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\831971
Filesize
18KB
MD5 b8df581538513e8dc3052de40ee5764e
SHA1 30e09b70983563c0401b8db0953a12dc21bbeab5
SHA256 d41c297ec1a6a3a2abc17c2cdaf9773c4787aa61d9e35fc1341025e2a2a9a67f
SHA512 5eb222ac1f42bba0877113e3c764c5f05954aacaa9cae58f131c8e8de1ed3573609078d7ffb765fac28f33ec93f8c1ea6a0289154f45826a0b74e47fae3679d7
-
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
18KB
MD5 96eb2c8c62547aaacafbd0d8ec68931e
SHA1 8ae9e7f25074eea3bb4ed5eec88d16ec1bb46048
SHA256 b7652e10104f152ab6bdbc7bdbb24b033c847d2fa0ed991e63175132b7756230
SHA512 782e33c4d5be80727a71f1aa0618c859f2fd5c4ef3d0b51ab05270f9e0314b5a7b174814552a6bd0301621258d07e2a39ab92febd4e4f32606ca0249bc3c9bef
-
C:\Users\Admin\AppData\Local\Temp\incl2
Filesize
202KB
MD5 743d8650ff8c5ab85c3958426bb47314
SHA1 394baba0c72046ac2694bb3d0a27bdfc5ba7156a
SHA256 255cdfed3d0735bd7ffc8e4eca0a9b563a016c8dc2cb4165751f1adc0d977469
SHA512 e0d37ce2c1f8bb4ac57283788c9cab870c622901987e334830a660fe61d0d34a94e9df4edba4f3a872dadb87082a55e9259ba0f55f2458530e6cc26a6720efb8
-
memory/1372-55-0x0000000000000000-mapping.dmp
-
memory/1896-54-0x00000000763F1000-0x00000000763F3000-memory.dmp
Filesize
8KB
-
memory/2020-62-0x0000000000080000-0x00000000000B8000-memory.dmp
Filesize
224KB
-
memory/2020-60-0x0000000000080000-0x00000000000B8000-memory.dmp
Filesize
224KB
-
memory/2020-63-0x000000000009E792-mapping.dmp
-
memory/2020-65-0x0000000000080000-0x00000000000B8000-memory.dmp
Filesize
224KB
-
memory/2020-67-0x0000000000080000-0x00000000000B8000-memory.dmp
Filesize
224KB
-
memory/2020-69-0x00000000005F0000-0x00000000005FA000-memory.dmp
Filesize
40KB
-
memory/2020-70-0x0000000000600000-0x000000000061E000-memory.dmp
Filesize
120KB
-
memory/2020-71-0x0000000000620000-0x000000000062A000-memory.dmp
Filesize
40KB
-
memory/2020-72-0x0000000004B15000-0x0000000004B26000-memory.dmp
Filesize
68KB
-
memory/2020-73-0x0000000004B15000-0x0000000004B26000-memory.dmp
Filesize
68KB