Analysis

max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2022 13:08

Static task: static1
Behavioral task: behavioral1
Sample: 2O SAI MYO AUNG HTIKE ALL CERT.exe
Resource: win7-20220812-en
General

Target: 2O SAI MYO AUNG HTIKE ALL CERT.exe
Size: 777KB
MD5: c3498d32397993862fb68d38f7169274
SHA1: 5111b2b2f4faaa11f2d01c95c543b987d9c4ab30
SHA256: e299c9fefb47c0e66cedf01eddb79eb63741608b8decf4b3c125eced1469fa92
SHA512: dfe2efbbb9410a7d413748724e6f42986fc6aec6d136bc8f58c0d27ab223d2b89fe3e7a169b8ac930837f67663d9329af22eaba5914943774e9aef0de1d27ce3
SSDEEP: 12288:CMb3dWTM2SO3GyYyBioFL0Nm0vV+omsmBu31gdVxgvcsBTkV96AUbZAK:CScUvyYyB2NmOyI8+vnBwgVAK
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: dera5nano.ddns.net:1010
C2: 107.182.129.248:1010
Mutex: 5a26bcef-e67f-486a-8e48-1748cc7891a2

activate_away_mode: true
backup_connection_host: 107.182.129.248
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-06-06T12:07:01.612898436Z
bypass_user_account_control: false
bypass_user_account_control_data: [blob removed]
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1010
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 5a26bcef-e67f-486a-8e48-1748cc7891a2
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: dera5nano.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | 2O SAI MYO AUNG HTIKE ALL CERT.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | 2O SAI MYO AUNG HTIKE ALL CERT.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2O SAI MYO AUNG HTIKE ALL CERT.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1728 set thread context of 1808 | 1728 | 2O SAI MYO AUNG HTIKE ALL CERT.exe | 2O SAI MYO AUNG HTIKE ALL CERT.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | 2O SAI MYO AUNG HTIKE ALL CERT.exe
  File created | C:\Program Files (x86)\DDP Host\ddphost.exe | 2O SAI MYO AUNG HTIKE ALL CERT.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  4724 | schtasks.exe
  4588 | schtasks.exe
  1384 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  1728 | 2O SAI MYO AUNG HTIKE ALL CERT.exe (2 events)
  1808 | 2O SAI MYO AUNG HTIKE ALL CERT.exe (3 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1728 | 2O SAI MYO AUNG HTIKE ALL CERT.exe
  Token: SeDebugPrivilege | 1808 | 2O SAI MYO AUNG HTIKE ALL CERT.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid | process
  1728 | 2O SAI MYO AUNG HTIKE ALL CERT.exe (2 events)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  description | pid | process | target process
  PID 1728 wrote to memory of 1384 | 1728 | 2O SAI MYO AUNG HTIKE ALL CERT.exe | schtasks.exe (3 events)
  PID 1728 wrote to memory of 2392 | 1728 | 2O SAI MYO AUNG HTIKE ALL CERT.exe | 2O SAI MYO AUNG HTIKE ALL CERT.exe (3 events)
  PID 1728 wrote to memory of 1808 | 1728 | 2O SAI MYO AUNG HTIKE ALL CERT.exe | 2O SAI MYO AUNG HTIKE ALL CERT.exe (8 events)
  PID 1808 wrote to memory of 4724 | 1808 | 2O SAI MYO AUNG HTIKE ALL CERT.exe | schtasks.exe (3 events)
  PID 1808 wrote to memory of 4588 | 1808 | 2O SAI MYO AUNG HTIKE ALL CERT.exe | schtasks.exe (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\2O SAI MYO AUNG HTIKE ALL CERT.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2O SAI MYO AUNG HTIKE ALL CERT.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 1384)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pwEJIZUeb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF09A.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\2O SAI MYO AUNG HTIKE ALL CERT.exe (PID 2392)
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\2O SAI MYO AUNG HTIKE ALL CERT.exe (PID 1808)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 4724)
      Command line: "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81FC.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (PID 4588)
      Command line: "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA91D.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads