Analysis
max time kernel: 45s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 16/11/2022, 06:51
Static task: static1
Behavioral task: behavioral1
  Sample: from-imgML1.EXE1.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: from-imgML1.EXE1.exe
  Resource: win10v2004-20221111-en
General
Target: from-imgML1.EXE1.exe
Size: 320KB
MD5: 8575d49bab12b0c2895e45f0827378c5
SHA1: b04d0b981bb72e0ae73e9dc727ef7e913ddbb19e
SHA256: 64c51e8596ab37cfd98095e97ed384143354721a5e27dba94ffe877232966572
SHA512: dea86dc0be4caa8c7bb4fd297f5cff48b34277bcd9719fa9de6ea3faac2349ca33d3097f87744a678a48755ab2a226586c05a7604af697d70c6725609b3dea40
SSDEEP: 6144:QEa0Ot9Y94kVWQKdT401yxzINr5b7A+vZZYVPxmTYvHtsgLoAeu:ctK9ohapwbc+BUmTYh
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: nanomalay23.hopto.org:6932
Mutex: 6bd890d1-3408-4922-8966-5f83f82f18cb

activate_away_mode: true
backup_connection_host: nanomalay23.hopto.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-08-28T04:28:03.334276736Z
bypass_user_account_control: false
bypass_user_account_control_data:
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 6932
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 6bd890d1-3408-4922-8966-5f83f82f18cb
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host:
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
  pid | Process
  304 | eyyqrt.exe
  984 | eyyqrt.exe

Loads dropped DLL (2 IoCs)
  pid  | Process
  1480 | from-imgML1.EXE1.exe
  304  | eyyqrt.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lgso = "C:\\Users\\Admin\\AppData\\Roaming\\rhrggiixd\\mscnrw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eyyqrt.exe\"" | eyyqrt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | eyyqrt.exe

Checks whether UAC is enabled (1 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eyyqrt.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 304 set thread context of 984 | 304 | eyyqrt.exe | 28

Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | eyyqrt.exe
  File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | eyyqrt.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  1484 | schtasks.exe
  2024 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  984 | eyyqrt.exe
  984 | eyyqrt.exe
  984 | eyyqrt.exe
  984 | eyyqrt.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  984 | eyyqrt.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  304 | eyyqrt.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 984 | eyyqrt.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 1480 wrote to memory of 304 | 1480 | from-imgML1.EXE1.exe | 27
  PID 1480 wrote to memory of 304 | 1480 | from-imgML1.EXE1.exe | 27
  PID 1480 wrote to memory of 304 | 1480 | from-imgML1.EXE1.exe | 27
  PID 1480 wrote to memory of 304 | 1480 | from-imgML1.EXE1.exe | 27
  PID 304 wrote to memory of 984 | 304 | eyyqrt.exe | 28
  PID 304 wrote to memory of 984 | 304 | eyyqrt.exe | 28
  PID 304 wrote to memory of 984 | 304 | eyyqrt.exe | 28
  PID 304 wrote to memory of 984 | 304 | eyyqrt.exe | 28
  PID 304 wrote to memory of 984 | 304 | eyyqrt.exe | 28
  PID 984 wrote to memory of 1484 | 984 | eyyqrt.exe | 29
  PID 984 wrote to memory of 1484 | 984 | eyyqrt.exe | 29
  PID 984 wrote to memory of 1484 | 984 | eyyqrt.exe | 29
  PID 984 wrote to memory of 1484 | 984 | eyyqrt.exe | 29
  PID 984 wrote to memory of 2024 | 984 | eyyqrt.exe | 31
  PID 984 wrote to memory of 2024 | 984 | eyyqrt.exe | 31
  PID 984 wrote to memory of 2024 | 984 | eyyqrt.exe | 31
  PID 984 wrote to memory of 2024 | 984 | eyyqrt.exe | 31
Processes

C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe"
  PID: 1480
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"
    PID: 304
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"
      PID: 984
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp501.tmp"
        PID: 1484
        - Creates scheduled task(s)

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6F5.tmp"
        PID: 2024
        - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 7KB
MD5: dac1eb49b88de22d36af72e81ccced77
SHA1: 7a60169c4ac6382c1aceb3b3f3bc3361f8676597
SHA256: fd25495c55c46bf8c6eb3b8acf9aa09f664decb2a3e6694bbf403011e49a2f3b
SHA512: 7dd2f0969a25c948c29340992f62c8548eaf470513eed3a6e8f91896f9fac1c978128ec5fd301cf5d5de403271a35527f111a86bdcf5964cb7e042e1f4c52f1f

Filesize: 9KB
MD5: 559cba07d143656673e152b138c083c4
SHA1: 84d7c8d67b191dcc61355150f19431075122df31
SHA256: 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512: def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

Filesize: 9KB
MD5: 559cba07d143656673e152b138c083c4
SHA1: 84d7c8d67b191dcc61355150f19431075122df31
SHA256: 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512: def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

Filesize: 9KB
MD5: 559cba07d143656673e152b138c083c4
SHA1: 84d7c8d67b191dcc61355150f19431075122df31
SHA256: 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512: def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

Filesize: 281KB
MD5: 3b0e37cc36b6ad56ebc4df099f57d83d
SHA1: b77a8b37a343bfd51868fd6eb9fd3e96ac02f6a6
SHA256: 965cd0c1822e538e6d2ec273f8817a3d48c21add51034203fe1b6a6c304bf839
SHA512: 5ef8a815e3d7fb7ebaae832d6aa1b8cc1b8bc1392563d1783631b3b74198dc0572e5de971716c74ba6f06545169d0efb70d710d62e4bd02fa960de6d335e4580

Filesize: 1KB
MD5: 9ee60333aa25733020c9902afb222008
SHA1: 98064f5644019e39a7a5230943b248f0d66b05db
SHA256: 22c0da1ba1296b531734d24317e03008fbb3eea28ac8c4d8667972e59b9c44ad
SHA512: 18ae16776024031ef9539565e3d3654d4131e00bccae18b44c31937d2cf7fd4de629159de69143f8c23667102d9e6e999f7c24f84b2bc11f65a27cd130e8bd97

Filesize: 1KB
MD5: 981e126601526eaa5b0ad45c496c4465
SHA1: d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256: 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512: a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Filesize: 9KB
MD5: 559cba07d143656673e152b138c083c4
SHA1: 84d7c8d67b191dcc61355150f19431075122df31
SHA256: 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512: def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd

Filesize: 9KB
MD5: 559cba07d143656673e152b138c083c4
SHA1: 84d7c8d67b191dcc61355150f19431075122df31
SHA256: 50b0b183def0f09d9f98006931f35c3595d94d27d678372bfd550a613bbc4b01
SHA512: def61830e30ec7bb94c3bdc196c01d54ed284341063d7d2e8ec501ef19d6e280149c6a8c8874f2f11ae42f197084dcd6e979c4fcca941e20a31daaccc14d33dd