Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12-10-2022 15:49

Static task: static1
Behavioral task: behavioral1
Sample: 26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b.exe
Resource: win7-20220812-en
General
- Target: 26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b.exe
- Size: 357KB
- MD5: 84c86b461afe2a2a02392beee58313e1
- SHA1: f362a9be8a825e0940c18fe9139c2517f6728575
- SHA256: 26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b
- SHA512: f0486af628753ca2a5fe8cad4f8139a11604361764db9840c9171b266d22aff0a942a9c92d0a252e5dc81c7e1388d0fa17e0212b9e29f4a82e893d4a6490de33
- SSDEEP: 6144:HNeZmC8pMv7OibcWkF+MeXbYpBpMqEVv138KeHMk7mP/9so2UL0dNCjJfGLR0:HNljJERMyEpNEVvcgwdNCjtGS
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 194.5.98.148:5050
Mutex: dcf8e560-2496-44cb-9ddb-90ff3f0546bf
Attributes:
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-07-23T00:32:21.206554236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5050
- default_group: wedding
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: dcf8e560-2496-44cb-9ddb-90ff3f0546bf
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 194.5.98.148
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 1860, ragbwalbdm.exe
  - pid 1940, ragbwalbdm.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  - pid 1184, 26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b.exe
  - pid 1860, ragbwalbdm.exe
  - pid 1860, ragbwalbdm.exe
  - pid 900, ragbwalbdm.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\hituptjfikw = "C:\\Users\\Admin\\AppData\\Roaming\\myniqcs\\qkhbxqocpo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ragbwalbdm.exe\""
    process: ragbwalbdm.exe
- Checks whether UAC is enabled
  Processes:
  - description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: ragbwalbdm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - description: PID 1860 set thread context of 900
    pid: 1860
    process: ragbwalbdm.exe
    target process: ragbwalbdm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - pid 900, ragbwalbdm.exe
  - pid 900, ragbwalbdm.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - pid 900, ragbwalbdm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege
    pid: 900
    process: ragbwalbdm.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  - PID 1184 wrote to memory of 1860; process 26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b.exe, target process ragbwalbdm.exe (4 entries)
  - PID 1860 wrote to memory of 1940; process ragbwalbdm.exe, target process ragbwalbdm.exe (4 entries)
  - PID 1860 wrote to memory of 900; process ragbwalbdm.exe, target process ragbwalbdm.exe (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\26a26eb8f02e73198e75453ca06445d45da4a11914011d545c7da0964323043b.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ragbwalbdm.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ragbwalbdm.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\ragbwalbdm.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ragbwalbdm.exe"
      - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\ragbwalbdm.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ragbwalbdm.exe"
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\nrxpksviur.kyy
  Filesize: 6KB
  MD5: bce5ca75820b0d5e1279b9067c05da4f
  SHA1: 9248b8e6d81b49b7d58cc19468b8a63b0e79800b
  SHA256: 400fa3bf5cbcb75ec1319f40dd58d96f1409f32786090eab95c6a6639e881da7
  SHA512: d12fcc8e54bcaaac93c092eb97e6a8668b7c6d40fc8f9cbca65a77014a1afa0cc82ea5fc8a84a9b34b8e3a807cf3bd76e919af35730768787d66a527c1cee1d0
- C:\Users\Admin\AppData\Local\Temp\ragbwalbdm.exe
  Filesize: 124KB
  MD5: 6c30bd1abe8602165d89ac12bc7b5dc3
  SHA1: 6a523a2244b1eeba57416dc3b8f91ea166d84c1b
  SHA256: 454ac440b820c6fc22867037aae0b963c323da63d116b4abc0a23b3d361c8aad
  SHA512: 5283b8177defe8f8bd5da87619d18b2518951ab3654a506363e4fb2bec0888d7ce2704fb5dc6cb8fde3964c722c44b5a4dc89c4e4df91ef5d217c28e093e6dac
- C:\Users\Admin\AppData\Local\Temp\zqveubhtu.po
  Filesize: 280KB
  MD5: 7f6cbb6cfcda91ec274aa12c5119cf5f
  SHA1: bcc5c4e09c371ff75bcb299bab60045588a4389f
  SHA256: 8461f62bc8bf1b2f9cef9e6947ac1d519f5810151f0040f27eca3001fd42b641
  SHA512: 8831f5dc6fe4da76b15d48c36e4c6b86396ebd5337fa10c382cf9a82fe0d5fdaffb8c8b62a8cdf7bf9fc140221cba2eac64eaf755e2ff38b73f60d726ec93d1f
- \Users\Admin\AppData\Local\Temp\ragbwalbdm.exe
  Filesize: 124KB
  MD5: 6c30bd1abe8602165d89ac12bc7b5dc3
  SHA1: 6a523a2244b1eeba57416dc3b8f91ea166d84c1b
  SHA256: 454ac440b820c6fc22867037aae0b963c323da63d116b4abc0a23b3d361c8aad
  SHA512: 5283b8177defe8f8bd5da87619d18b2518951ab3654a506363e4fb2bec0888d7ce2704fb5dc6cb8fde3964c722c44b5a4dc89c4e4df91ef5d217c28e093e6dac
- memory/900-65-0x0000000000401896-mapping.dmp
- memory/900-68-0x0000000000360000-0x0000000000398000-memory.dmp
  Filesize: 224KB
- memory/900-69-0x0000000000620000-0x000000000062A000-memory.dmp
  Filesize: 40KB
- memory/900-70-0x0000000000710000-0x000000000072E000-memory.dmp
  Filesize: 120KB
- memory/900-71-0x0000000000630000-0x000000000063A000-memory.dmp
  Filesize: 40KB
- memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp
  Filesize: 8KB
- memory/1860-56-0x0000000000000000-mapping.dmp