Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 14/11/2022, 18:59
Static task
- static1
Behavioral task
- behavioral1
  Sample: 96edcd46e58edf1240c2e4873fcdb388.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 96edcd46e58edf1240c2e4873fcdb388.exe
  Resource: win10v2004-20220901-en
General
- Target: 96edcd46e58edf1240c2e4873fcdb388.exe
- Size: 2.1MB
- MD5: 3ea3298d807b865a2efd07a9fb0f3d3b
- SHA1: 6f5fe17c8077679be4c5f0f03e4565dc981e6ae5
- SHA256: 954d2c18ef0e7d5dbbded7e1a565e6eeb9007347ab22a1448000363d2269fb8a
- SHA512: 728eecbd2f4c47cfcc5fd82dc3673fd3a965e76212233ea2228285100fb2c680d4269b70e7ccc03eb54d532512fbc97edc232aeed80b39d7a657b0c1ac935aa4
- SSDEEP: 49152:prY2CCChx9+7Wll5qqTg0lvgtsfzdj2RJhrdQ:prYiAx9Rll53TgIH7dj25hQ
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: rze6.sytes.net:8000
- Mutex: 0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-07-19T10:27:50.574421636Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8000
- default_group: OCT
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0aeffa29-f3e3-4c27-b5c4-5ee7e27a451f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: rze6.sytes.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (4 IoCs)
  pid | Process
  272 | dsfg.exe
  912 | ixvxuwek.exe
  1204 | hege.exe
  1628 | RegSvcs.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk | hege.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk | hege.exe
- Loads dropped DLL (7 IoCs)
  pid | Process
  1280 | 96edcd46e58edf1240c2e4873fcdb388.exe (3 identical rows)
  1756 | WScript.exe
  1644 | WScript.exe
  912 | ixvxuwek.exe
  1204 | hege.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\1_36 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\start.vbs" | hege.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | hege.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\hege.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\1_36\\mnqlt.wgc" | hege.exe
  Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | hege.exe
- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 912 set thread context of 1628 | 912 | ixvxuwek.exe | 33
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | Process
  1204 | hege.exe (6 identical rows)
  1628 | RegSvcs.exe (6 identical rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  1628 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1628 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  description | pid | Process | procid_target
  PID 1280 wrote to memory of 272 | 1280 | 96edcd46e58edf1240c2e4873fcdb388.exe | 28 (4 identical rows)
  PID 1280 wrote to memory of 1756 | 1280 | 96edcd46e58edf1240c2e4873fcdb388.exe | 29 (4 identical rows)
  PID 272 wrote to memory of 1644 | 272 | dsfg.exe | 30 (4 identical rows)
  PID 1756 wrote to memory of 1204 | 1756 | WScript.exe | 32 (4 identical rows)
  PID 1644 wrote to memory of 912 | 1644 | WScript.exe | 31 (4 identical rows)
  PID 912 wrote to memory of 1628 | 912 | ixvxuwek.exe | 33 (9 identical rows)
  PID 1204 wrote to memory of 1276 | 1204 | hege.exe | 34 (8 identical rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\96edcd46e58edf1240c2e4873fcdb388.exe"
  PID: 1280
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe
    Command line: "C:\Users\Admin\AppData\Local\temp\1_36\dsfg.exe"
    PID: 272
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_51\jdwqn.vbe"
      PID: 1644
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\8_51\ixvxuwek.exe" fucfmk.qxw
        PID: 912
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          PID: 1628
          Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\1_36\ufmf.vbe"
    PID: 1756
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1_36\hege.exe" mnqlt.wgc
      PID: 1204
      Signatures: Executes dropped EXE; Drops startup file; Loads dropped DLL; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        PID: 1276
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize 1.1MB
  MD5 c8e5ca487ff6781d2ec035c761b19b76
  SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
  SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
  SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
- Filesize 1.1MB
  MD5 44feac1004f49cb51e6f1bd87c1cb84e
  SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
  SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
  SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2
- Filesize 1.1MB
  MD5 44feac1004f49cb51e6f1bd87c1cb84e
  SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
  SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
  SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2
- Filesize 418KB
  MD5 9e4a8690483334efebb30c429d6fc40b
  SHA1 9614746bbf68eb7f7bd33a66a3303df6f41c07a9
  SHA256 a2828b554e7b93d1df47d3edc54446f018dac886ae7536a9bc3a486af1e4ee0f
  SHA512 6e62f212bd523bbd7836ca17960c440a2503564b10d74c82827c11aec5f91fc144d3506051e2f4001eb4293eb21136f649ef7915a72e80e0ea0c22b6fd9f02cd
- Filesize 108.1MB
  MD5 898af92a3eeeae416191d38caa837a46
  SHA1 63d1b35d2d39530a60bf975be479878ba0f2b2a9
  SHA256 52f6d5aa3bb72c018b49d3cdc7b451e337b420cf684444dc8c510ce92fa5482a
  SHA512 03e923aa1ca0ed7c0f6eaa46cc29cdf1d9cb82993265a4919585bb8b494c61721b37abe5bfe3e6fa05d6649b9ca04d3debc0e94099c2528030118f25f7147aa2
- Filesize 55KB
  MD5 569a476fd4914959b107f46ff369fa5b
  SHA1 3bd88989da2d75d13823def81d57deb65d1a3be3
  SHA256 af9ba53689747783e7de72fbf649a04fdbe1015f66c75156c389824a8c13cf85
  SHA512 86d6ca086734aa961024eea47c9b321705767dba9fe90b1f82fd0b514f0dc7ace168da68bcf7d4e756c5693a6bc760eb44f02f295a1b1c1fb517bdf2c6742bf3
- Filesize 48KB
  MD5 e8904ec1444f4527fb8faf41e4f0cfbd
  SHA1 6da7aceeeae8659f8eab1ef2f2660fa130cbfb7b
  SHA256 98599b441a53b35e4992625a53fa22db0337579de0ba06157d6c0326d8b816a0
  SHA512 7b118b32cce927eb311c5226c6deb4500df19b5f210651df6c9341248ecea5e93c8bb5169e1c6be6cdbc3704bbfcd45287ccf96683c2d623fd619f462f512470
- Filesize 99.8MB
  MD5 d067a5c5a84af23f9380a2b59c8c8006
  SHA1 4ba393ded67d3b5784244a0d2d033797696e8cc5
  SHA256 c63f38a89c95cab7a0d8a8432ce60c57a3ec64031da4e9f0f0d5d096bd901568
  SHA512 6ffff543660117af9acf7cbe3a6ff317badc53c9fa9dfb31d98820ac5b6b53494d87853bdb6b9359aa03513e7ac4a9a6eae0ecf48e10df43460d58bd21dfff34
- Filesize 405KB
  MD5 c748255ddb2d951339a6bbceea40eb78
  SHA1 80c026ffa166f786b795f3926c1ed2420fc61e6c
  SHA256 96151c55ca3b38e413efa9c8c15522db9e8c3769c5445711a9e1c3b1a689febb
  SHA512 11380298aaa369b1211bb29ad1d29224ae137865058123f52be88a3ade9fec7c6ecc3e823b839e57ff5ae8b3b92d49facc4cf0099a89bc8079e885fa83e62032
- Filesize 1.1MB
  MD5 2eacb18ce33c4c5a9070233449518081
  SHA1 55820bec82c368a425f31019ea90844bb33ef200
  SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
  SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264
- Filesize 1.1MB
  MD5 2eacb18ce33c4c5a9070233449518081
  SHA1 55820bec82c368a425f31019ea90844bb33ef200
  SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
  SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264
- Filesize 44KB
  MD5 0e06054beb13192588e745ee63a84173
  SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- Filesize 44KB
  MD5 0e06054beb13192588e745ee63a84173
  SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- Filesize 1.1MB
  MD5 c8e5ca487ff6781d2ec035c761b19b76
  SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
  SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
  SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
- Filesize 28KB
  MD5 268e04d7485e8be575fe6746a64801ab
  SHA1 eeee374259d4d185cbe8dff17c72fed35dfcbf2e
  SHA256 698780161fbd70fc2e5522f14bd173382852ae7f1b7ddb640d0528136d23d695
  SHA512 1ad27bb53eb1d53fbb19b5cf2b7838874d3b1e25ec63ea1bf13588098cbdc69467e79fbe60f8b47a763e03bc6998a72fdc7e0d2496dfb2072bd8ed79236fd788
- Filesize 34KB
  MD5 2b68f8d475481dd68bebaa0536b1eb7b
  SHA1 d32e444134f3826bc705b1bbda6f3662901d876a
  SHA256 1d0a8c3f9adeb45ee84311d1da67a378cf9a2d8c0ada2788fe12111741523376
  SHA512 047ef190579e5edd5ce8c53af15cbd599e8b4ca2daa5e41f7e60b0c5bde312e06f158a71cd09f83f4df9897dc1b701264ca7f411d04777808303a4bf73fb9cc1
- Filesize 1.1MB
  MD5 c8e5ca487ff6781d2ec035c761b19b76
  SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
  SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
  SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
- Filesize 1.1MB
  MD5 c8e5ca487ff6781d2ec035c761b19b76
  SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
  SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
  SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
- Filesize 1.1MB
  MD5 c8e5ca487ff6781d2ec035c761b19b76
  SHA1 c18bf2cd15ad9ff04f127fcc2b62791894f4de1e
  SHA256 dcff2133f606823c5704cde43408c1d49f76fec97a1fcc973d4d3dc69651a4ed
  SHA512 2de7bf70b892b151ea13aeffc76150c5ed54f2e9b2c0724971729b4b04b702aad25c092b49e572bb3c706e87048b6ccc844158009bd7eb8ff3a95fbbef9db7ea
- Filesize 1.1MB
  MD5 44feac1004f49cb51e6f1bd87c1cb84e
  SHA1 fac794576fe8136cbd4e11a75b567d32bb7c70ec
  SHA256 666927280f6e1e15276a471722f6cd6c2da204fb0c399e80d8d3a617fdf4c8fc
  SHA512 432f180ef8c864c70d9acefc796a9d05f576f5d5f4ddb31dcd633441c276d99e6bfe95191f210fca59ea9fd5c0336aa4d6f78a6a7f3e6675435544ee4ba586f2
- Filesize 1.1MB
  MD5 2eacb18ce33c4c5a9070233449518081
  SHA1 55820bec82c368a425f31019ea90844bb33ef200
  SHA256 db45ed618a503121b6fced25bf5bfd3dc2c0d2ba6e3baa704447dbcf0c56c568
  SHA512 c6f5866fca3a0f67f9a59b2c2d107a3ebce5a35975786789a157072b2ab96663bd04067cfcd26d93640d08ff4fe9bacad06d74ba361748e48717754075582264
- Filesize 44KB
  MD5 0e06054beb13192588e745ee63a84173
  SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- Filesize 44KB
  MD5 0e06054beb13192588e745ee63a84173
  SHA1 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256 c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215