Analysis

max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 01:02

Static task: static1
Behavioral task: behavioral1
Sample: 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe
Resource: win7-20220901-en

General

Target: 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe
Size: 1.0MB
MD5: 6479bab24edb6fcbf6a9e30f1ede5350
SHA1: 074aa404d459bedd54f1458ff050425d3b13595d
SHA256: 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168
SHA512: 0b8d169265288303846863a387f736c83105beba498b3f6a6a13df0daefb00a8ea5a97cc162e943973c9677c2171c659e06fc2fc5c8b1f0992358a21121af6f0
SSDEEP: 24576:WTyR+/tkb+5aXDpguXYyeQ+uAjOyRmc2J+5fM:WmR+EuaX2uXUzDOyRh2I5
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.2
C2: 333.icodework.com:333
Mutex: ee78121e-0e59-4e43-80a8-77aa27911566

activate_away_mode: true
backup_connection_host: 333.icodework.com
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2015-04-09T09:30:24.848521036Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 333
default_group: Unused
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: ee78121e-0e59-4e43-80a8-77aa27911566
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 333.icodework.com
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.2
wan_timeout: 8000
Signatures

Executes dropped EXE (5 IoCs)
Processes:
- PID 1260 Setupx.exe
- PID 2040 chrome.exe
- PID 580 Setup.exe
- PID 520 Setup.tmp
- PID 1636 chrome.exe

Loads dropped DLL (8 IoCs)
Processes:
- PID 1260 Setupx.exe (4 IoCs)
- PID 580 Setup.exe
- PID 520 Setup.tmp (2 IoCs)
- PID 2040 chrome.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\Googlr\\chrome.exe" (process: chrome.exe)
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe)
Checks whether UAC is enabled (1 IoCs)
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: chrome.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 2040 chrome.exe set thread context of PID 1636 chrome.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 1636 chrome.exe (2 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 1636 chrome.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1636 chrome.exe

Suspicious use of WriteProcessMemory (40 IoCs)
Processes:
- PID 832 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe wrote to memory of PID 1260 Setupx.exe (7 IoCs)
- PID 1260 Setupx.exe wrote to memory of PID 2040 chrome.exe (7 IoCs)
- PID 832 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe wrote to memory of PID 580 Setup.exe (7 IoCs)
- PID 580 Setup.exe wrote to memory of PID 520 Setup.tmp (7 IoCs)
- PID 2040 chrome.exe wrote to memory of PID 1636 chrome.exe (12 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe (depth 1, PID 832)
  Command line: "C:\Users\Admin\AppData\Local\Temp\805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setupx.exe (depth 2, PID 1260)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setupx.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe (depth 3, PID 2040)
      Command line: "C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe (depth 4, PID 1636)
        Command line: "C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe (depth 2, PID 580)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-94559.tmp\Setup.tmp (depth 3, PID 520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-94559.tmp\Setup.tmp" /SL5="$80120,161280,0,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
  Filesize: 652KB
  MD5: bc4f968b1813215e9f92943a226ac021
  SHA1: 9dfc83eee341a6657e57be8397b19ed13b9e9af0
  SHA256: f270fde71d7ba34e1af716606f607a9e18db9c3b53f82b6ff32d6389cbc637e4
  SHA512: f201997727df4ec0b5c5007f5779a57281982eef4a76469b18122399488cbaaf959fedbf9cffdaa597cbc6eb663ae1bcca068243a504dc047478beb55ffd4adb
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setupx.exe
  Filesize: 521KB
  MD5: 8df64f35b96bd65186b515edd8ce6225
  SHA1: ee69ea1443fb0ad3fcd0148c3778fb2856ee2ae1
  SHA256: 2ba8f77e6ab2950ec530d6c766ac49d3116e6edf86b1d5f61ea5643d3852d372
  SHA512: de7ae72cc03bfb2fc13ee784582adbc7c0b2c3307ca85ee54c46a5a28a6934baf54dc040963eb8df751ce4e3fc33834c0fed354cfaf0e6b5e2ac3ede7b1770a9
- C:\Users\Admin\AppData\Local\Temp\is-94559.tmp\Setup.tmp
  Filesize: 1.2MB
  MD5: 719be85f31c91590e100af7b519fc925
  SHA1: 4de2833297efa60dbbfed238d83e5250fdf504b8
  SHA256: b1a84898d2764002f8d4db7ba229facaef1796706864c068ccfb298c14d198cf
  SHA512: 8cb123b840427e9a30a8c0a312b62388c92b8ff7f657d336196e4d77309b1d7c756f511427e008687c69dca5dd3825926795aa4c1caab4179ccd6a6ccc9ef864
- C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe
  Filesize: 315KB
  MD5: 018a269bbc04adc31df96d5fe3d83827
  SHA1: f5cf468c4c7edd1a1f4889dcd38f6d9f09b7cd76
  SHA256: e3d78b0d9001bc61a38de11ce414bd70f58b89d742a6a439a1c0eb4425a5cf95
  SHA512: 834326268f309d803c60a106b9a85f4c9e84c42925049c903712d0e22269774673e0648c0b2ef1a2bdcd599cab6810fd6e2407d268818320d8d12852b1d675f8
- C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe.config
  Filesize: 153B
  MD5: 71b937bf243c20e451b482dba7e9cdca
  SHA1: 607c0296581ec60b61792136e07987d120a6092a
  SHA256: fb2d50d4766fc31153e47bfa9c1d92ea46825f3c5c16331b15da9ff03387d78d
  SHA512: f5e3a67f08271f5e59c247388a9424a5cee30e852e85486f0193d322e576b384f6184e26fd967c6f7af4d358fec0207e7f0664aefe5daeedea516b9e406f4a37
- \Users\Admin\AppData\Local\Temp\is-K8T63.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- memory/520-75-0x0000000000000000-mapping.dmp
- memory/580-67-0x0000000000000000-mapping.dmp
- memory/580-72-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
- memory/580-81-0x0000000000400000-0x0000000000432000-memory.dmp (200KB)
- memory/832-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp (8KB)
- memory/1260-55-0x0000000000000000-mapping.dmp
- memory/1260-57-0x0000000076BA1000-0x0000000076BA3000-memory.dmp (8KB)
- memory/1636-86-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1636-83-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1636-84-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1636-88-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1636-91-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1636-93-0x000000000041E73A-mapping.dmp
- memory/1636-97-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1636-99-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1636-101-0x0000000073C30000-0x00000000741DB000-memory.dmp (5.7MB)
- memory/1636-102-0x0000000073C30000-0x00000000741DB000-memory.dmp (5.7MB)
- memory/2040-80-0x00000000749D0000-0x0000000074F7B000-memory.dmp (5.7MB)
- memory/2040-63-0x0000000000000000-mapping.dmp
- memory/2040-96-0x00000000749D0000-0x0000000074F7B000-memory.dmp (5.7MB)