Analysis
-
max time kernel
167s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21-10-2022 20:05
Static task
static1
Behavioral task
behavioral1
Sample
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
Resource
win7-20220812-en
General
-
Target
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe
-
Size
143KB
-
MD5
917ab8733f840d052d552bb3766fd926
-
SHA1
bf71e255ec62cc497796e4a030f221407efeece9
-
SHA256
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48
-
SHA512
56f533cb1fafbb647510424d4affd6dbe6725d0350176086db41ab8b51998efeeda2a03b8458e35c7a8aef86177aff7138f732aa89e702ffd9cd1c61f366fcc3
-
SSDEEP
3072:runHgXqb+ixUyl/Gojn3TQNh71B3JkLrB:Y+Y7njn3Tst3CL
Malware Config
Extracted
nanocore
-
activate_away_mode
false
- backup_connection_host
- backup_dns_server
-
buffer_size
0
-
build_time
0001-01-01T00:00:00Z
-
bypass_user_account_control
false
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
0
-
connection_port
0
- default_group
-
enable_debug_mode
false
-
gc_threshold
0
-
keep_alive_timeout
0
-
keyboard_logging
false
-
lan_timeout
0
-
max_packet_size
0
- mutex
-
mutex_timeout
0
-
prevent_system_sleep
false
- primary_connection_host
- primary_dns_server
-
request_elevation
false
-
restart_delay
0
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
0
-
use_custom_dns_server
false
- version
-
wan_timeout
0
Signatures
-
Drops startup file 1 IoCs
Processes:
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFEvaD5IuXm.lnk 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe -
Unexpected DNS network traffic destination 7 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 37.235.1.174 Destination IP 37.235.1.174 Destination IP 37.235.1.174 Destination IP 37.235.1.177 Destination IP 37.235.1.177 Destination IP 37.235.1.174 Destination IP 37.235.1.177 -
Processes:
RegAsm.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exedescription pid process target process PID 4748 set thread context of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exepid process 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exedescription pid process Token: SeDebugPrivilege 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exedescription pid process target process PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe PID 4748 wrote to memory of 736 4748 17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe RegAsm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe"C:\Users\Admin\AppData\Local\Temp\17a2a95dfa55c776ca3851613c0e4cf34dccbc0a13f3f97c749d3d75e5845a48.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- Checks whether UAC is enabled
PID:736