Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2022 14:58

Static task: static1
Behavioral task: behavioral1
- Sample: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
- Resource: win7-20220901-en
General
- Target: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
- Size: 1.0MB
- MD5: 44e15865e8faf1d7cf63be6698efa0b0
- SHA1: 221894e4d3c882b5d04df5b3fdb3efead3bf4925
- SHA256: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5
- SHA512: 3beefa6fde825a57fabae832a41f55614254848a7d82e424fa42d683002c7a66feb488b2c8bf5d1803bef8a705bcaba18234a818b7e3e3e65dd4706bb74c0414
- SSDEEP: 12288:Stb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgaK6NSYFIDOB7lOSMO6A:Stb20pkaCqT5TBWgNQ7aKP+7lWO6A
Malware Config
Extracted: nanocore
- activate_away_mode: false
- backup_connection_host:
- backup_dns_server:
- buffer_size: 0
- build_time: 0001-01-01T00:00:00Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 0
- connection_port: 0
- default_group:
- enable_debug_mode: false
- gc_threshold: 0
- keep_alive_timeout: 0
- keyboard_logging: false
- lan_timeout: 0
- max_packet_size: 0
- mutex:
- mutex_timeout: 0
- prevent_system_sleep: false
- primary_connection_host:
- primary_dns_server:
- request_elevation: false
- restart_delay: 0
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 0
- use_custom_dns_server: false
- version:
- wan_timeout: 0
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
  - Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe" (process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
  - PID 2012 set thread context of 2020 (pid: 2012, process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe, target process: vbc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
  - pid: 2012, process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe (the same row is listed 64 times)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
  - pid: 1700, process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe (the same row is listed 4 times)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
  - pid: 1700, process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe (the same row is listed 4 times)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe, 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
  - PID 1700 wrote to memory of 2012 (pid: 1700, process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe, target process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe), listed 4 times
  - PID 2012 wrote to memory of 2020 (pid: 2012, process: 1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe, target process: vbc.exe), listed 6 times
Processes
- C:\Users\Admin\AppData\Local\Temp\1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\592305" "C:\Users\Admin\AppData\Local\Temp\1ca85aac72a8f791f34e4c2f100ae6f41a067b8cb7b97d5a8f7f8090ceec53a5.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (child process)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\592305
  Filesize: 18KB
  MD5: 734247e41b3f3770ad86bc5c63c830bb
  SHA1: c152ed8a5c6f8571157e290996d033810915d864
  SHA256: e8ff2446a7e309970502b1906097c2c3beaf929bc079e9e48ab51161339250b1
  SHA512: 441db01448888aa2a325cdef7260fef59871be7353c76a02fb59a47e6f0079be4a220c740406ba4e6dd41b3615e760c009d9f3bf2868e90a908e3093d119757e
- C:\Users\Admin\AppData\Local\Temp\incl1
  Filesize: 13KB
  MD5: f68121f66e91a2daa1d92537185633a1
  SHA1: 46e67a45a7e95075870edc779ed10c9adee01b68
  SHA256: 0d8e09973bec0dd7e8b2d73a0cd05c9eab6348441671b3a47b4c73dd4e5434f2
  SHA512: 43e3b333fca032dcc8720fece14b46001db0d26e3be5aa9ceab3b52dd072e344664abfdbc6e338d9b3e57f886a394ef9d1d9611cc58ecae1d2d86c8874fa0a05
- C:\Users\Admin\AppData\Local\Temp\incl2
  Filesize: 116KB
  MD5: 9b9b4fb01f7cdf9337cd984b58becb7b
  SHA1: 9f19773112a3a8442e966011c7274a84fa4c064e
  SHA256: 71f639d86b847d412ee5516fe0d9604e1abfe50142d155349c7bb934ba11e3ea
  SHA512: d84012c13d35ed14a158ad0a51109ce4580573174d77f8336c9aeee659e021f08bd47712d0ef2a4a1b3e992fdeb079bc91fc3a1a165c8218d625a0505f3a94f1
- memory/1700-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp
  Filesize: 8KB
- memory/2012-55-0x0000000000000000-mapping.dmp
- memory/2020-60-0x0000000000080000-0x00000000000A4000-memory.dmp
  Filesize: 144KB
- memory/2020-62-0x0000000000080000-0x00000000000A4000-memory.dmp
  Filesize: 144KB
- memory/2020-63-0x000000000009E792-mapping.dmp
- memory/2020-65-0x0000000000080000-0x00000000000A4000-memory.dmp
  Filesize: 144KB
- memory/2020-67-0x0000000000080000-0x00000000000A4000-memory.dmp
  Filesize: 144KB