Analysis
- max time kernel: 184s
- max time network: 195s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21-10-2022 20:05
Static task: static1
Behavioral task: behavioral1
Sample: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
Resource: win7-20220812-en
General
- Target: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
- Size: 143KB
- MD5: 917ab8733f840d052d552bb3766fd926
- SHA1: bf71e255ec62cc497796e4a030f221407efeece9
- SHA256: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48
- SHA512: 56f533cb1fafbb647510424d4affd6dbe6725d0350176086db41ab8b51998efeeda2a03b8458e35c7a8aef86177aff7138f732aa89e702ffd9cd1c61f366fcc3
- SSDEEP: 3072:runHgXqb+ixUyl/Gojn3TQNh71B3JkLrB:Y+Y7njn3Tst3CL
Malware Config
Extracted: nanocore
- activate_away_mode: false
- backup_connection_host: (empty)
- backup_dns_server: (empty)
- buffer_size: 0
- build_time: 0001-01-01T00:00:00Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (empty)
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 0
- connection_port: 0
- default_group: (empty)
- enable_debug_mode: false
- gc_threshold: 0
- keep_alive_timeout: 0
- keyboard_logging: false
- lan_timeout: 0
- max_packet_size: 0
- mutex: (empty)
- mutex_timeout: 0
- prevent_system_sleep: false
- primary_connection_host: (empty)
- primary_dns_server: (empty)
- request_elevation: false
- restart_delay: 0
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 0
- use_custom_dns_server: false
- version: (empty)
- wan_timeout: 0
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFEvaD5IuXm.lnk
  process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
- Loads dropped DLL (1 IoC)
  pid: 1092
  process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
- Unexpected DNS network traffic destination (7 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description: Destination IP
  ioc: 37.235.1.177 (3 entries), 37.235.1.174 (4 entries)
- Checks whether UAC is enabled (1 IoC)
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1092 set thread context of 668
  pid: 1092
  process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
  procid_target: 28
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1092
  process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
  (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 1092
  process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description: PID 1092 wrote to memory of 668
  pid: 1092
  process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
  procid_target: 28
  (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe"
  PID: 1092
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 668
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 143KB
  MD5: 917ab8733f840d052d552bb3766fd926
  SHA1: bf71e255ec62cc497796e4a030f221407efeece9
  SHA256: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48
  SHA512: 56f533cb1fafbb647510424d4affd6dbe6725d0350176086db41ab8b51998efeeda2a03b8458e35c7a8aef86177aff7138f732aa89e702ffd9cd1c61f366fcc3