Analysis

max time kernel: 167s
max time network: 196s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-10-2022 20:05

Static task: static1
Behavioral task: behavioral1
  Sample: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
  Resource: win7-20220812-en
General

Target: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
Size: 143KB
MD5: 917ab8733f840d052d552bb3766fd926
SHA1: bf71e255ec62cc497796e4a030f221407efeece9
SHA256: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48
SHA512: 56f533cb1fafbb647510424d4affd6dbe6725d0350176086db41ab8b51998efeeda2a03b8458e35c7a8aef86177aff7138f732aa89e702ffd9cd1c61f366fcc3
SSDEEP: 3072:runHgXqb+ixUyl/Gojn3TQNh71B3JkLrB:Y+Y7njn3Tst3CL
Malware Config

Extracted: nanocore

activate_away_mode: false
backup_connection_host:
backup_dns_server:
buffer_size: 0
build_time: 0001-01-01T00:00:00Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 0
connection_port: 0
default_group:
enable_debug_mode: false
gc_threshold: 0
keep_alive_timeout: 0
keyboard_logging: false
lan_timeout: 0
max_packet_size: 0
mutex:
mutex_timeout: 0
prevent_system_sleep: false
primary_connection_host:
primary_dns_server:
request_elevation: false
restart_delay: 0
run_delay: 0
run_on_startup: false
set_critical_process: false
timeout_interval: 0
use_custom_dns_server: false
version:
wan_timeout: 0
Signatures

Drops startup file (1 IoC)
description: File created
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFEvaD5IuXm.lnk
Process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

Unexpected DNS network traffic destination (7 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description     ioc
Destination IP  37.235.1.174
Destination IP  37.235.1.174
Destination IP  37.235.1.174
Destination IP  37.235.1.177
Destination IP  37.235.1.177
Destination IP  37.235.1.174
Destination IP  37.235.1.177
Checks whether UAC is enabled
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: RegAsm.exe
Suspicious use of SetThreadContext (1 IoC)
description: PID 4748 set thread context of 736
pid: 4748
Process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
procid_target: 82

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4748  17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
4748  17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 4748
Process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description: PID 4748 wrote to memory of 736
pid: 4748
Process: 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
procid_target: 82
(the same row is reported 8 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
   Command: "C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe"
   PID: 4748
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 736
      - Checks whether UAC is enabled