Analysis
-
max time kernel
131s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted
16/11/2022, 06:51
Static task
static1
Behavioral task
behavioral1
Sample
from-imgML1.EXE1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
from-imgML1.EXE1.exe
Resource
win10v2004-20221111-en
General
-
Target
from-imgML1.EXE1.exe
-
Size
320KB
-
MD5
8575d49bab12b0c2895e45f0827378c5
-
SHA1
b04d0b981bb72e0ae73e9dc727ef7e913ddbb19e
-
SHA256
64c51e8596ab37cfd98095e97ed384143354721a5e27dba94ffe877232966572
-
SHA512
dea86dc0be4caa8c7bb4fd297f5cff48b34277bcd9719fa9de6ea3faac2349ca33d3097f87744a678a48755ab2a226586c05a7604af697d70c6725609b3dea40
-
SSDEEP
6144:QEa0Ot9Y94kVWQKdT401yxzINr5b7A+vZZYVPxmTYvHtsgLoAeu:ctK9ohapwbc+BUmTYh
Malware Config
Extracted
nanocore
1.2.2.0
nanomalay23.hopto.org:6932
6bd890d1-3408-4922-8966-5f83f82f18cb
-
activate_away_mode
true
-
backup_connection_host
nanomalay23.hopto.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-08-28T04:28:03.334276736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6932
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
6bd890d1-3408-4922-8966-5f83f82f18cb
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/920-151-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/920-153-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral2/memory/920-154-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
-
Nirsoft 3 IoCs
resource | yara_rule
behavioral2/memory/920-151-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/920-153-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral2/memory/920-154-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
-
Executes dropped EXE 2 IoCs
pid | Process
1392 | eyyqrt.exe
2532 | eyyqrt.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lgso = "C:\\Users\\Admin\\AppData\\Roaming\\rhrggiixd\\mscnrw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eyyqrt.exe\"" | eyyqrt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Monitor = "C:\\Program Files (x86)\\UPNP Monitor\\upnpmon.exe" | eyyqrt.exe
-
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eyyqrt.exe
-
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1392 set thread context of 2532 | 1392 | eyyqrt.exe | 84
PID 2532 set thread context of 920 | 2532 | eyyqrt.exe | 92
PID 2532 set thread context of 4912 | 2532 | eyyqrt.exe | 94
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | eyyqrt.exe
File opened for modification | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | eyyqrt.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4216 | schtasks.exe
208 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
2532 | eyyqrt.exe
4912 | vbc.exe
4912 | vbc.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2532 | eyyqrt.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1392 | eyyqrt.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2532 | eyyqrt.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
description | pid | Process | procid_target
PID 3352 wrote to memory of 1392 | 3352 | from-imgML1.EXE1.exe | 83
PID 3352 wrote to memory of 1392 | 3352 | from-imgML1.EXE1.exe | 83
PID 3352 wrote to memory of 1392 | 3352 | from-imgML1.EXE1.exe | 83
PID 1392 wrote to memory of 2532 | 1392 | eyyqrt.exe | 84
PID 1392 wrote to memory of 2532 | 1392 | eyyqrt.exe | 84
PID 1392 wrote to memory of 2532 | 1392 | eyyqrt.exe | 84
PID 1392 wrote to memory of 2532 | 1392 | eyyqrt.exe | 84
PID 2532 wrote to memory of 4216 | 2532 | eyyqrt.exe | 85
PID 2532 wrote to memory of 4216 | 2532 | eyyqrt.exe | 85
PID 2532 wrote to memory of 4216 | 2532 | eyyqrt.exe | 85
PID 2532 wrote to memory of 208 | 2532 | eyyqrt.exe | 87
PID 2532 wrote to memory of 208 | 2532 | eyyqrt.exe | 87
PID 2532 wrote to memory of 208 | 2532 | eyyqrt.exe | 87
PID 2532 wrote to memory of 3140 | 2532 | eyyqrt.exe | 91
PID 2532 wrote to memory of 3140 | 2532 | eyyqrt.exe | 91
PID 2532 wrote to memory of 3140 | 2532 | eyyqrt.exe | 91
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 920 | 2532 | eyyqrt.exe | 92
PID 2532 wrote to memory of 4620 | 2532 | eyyqrt.exe | 93
PID 2532 wrote to memory of 4620 | 2532 | eyyqrt.exe | 93
PID 2532 wrote to memory of 4620 | 2532 | eyyqrt.exe | 93
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
PID 2532 wrote to memory of 4912 | 2532 | eyyqrt.exe | 94
Processes
- PID 3352 (depth 1): C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\from-imgML1.EXE1.exe"
  - Suspicious use of WriteProcessMemory
  - PID 1392 (depth 2): C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - PID 2532 (depth 3): C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\eyyqrt.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - PID 4216 (depth 4): C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp88CC.tmp"
        - Creates scheduled task(s)
      - PID 208 (depth 4): C:\Windows\SysWOW64\schtasks.exe
        command line: "schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8A25.tmp"
        - Creates scheduled task(s)
      - PID 3140 (depth 4): \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        command line: "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\eteu2r1v.yu1"
      - PID 920 (depth 4): \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        command line: "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\eteu2r1v.yu1"
        - Accesses Microsoft Outlook accounts
      - PID 4620 (depth 4): \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        command line: "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\dju0gs15.i14"
      - PID 4912 (depth 4): \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        command line: "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\dju0gs15.i14"
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads