Analysis
- max time kernel: 240s
- max time network: 336s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2022, 23:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: IMG_88967569.exe
  - Resource: win7-20221111-en
General
- Target: IMG_88967569.exe
- Size: 247KB
- MD5: 9deae9ea695e8e5fdab35294f848e6b2
- SHA1: 73314c20de4b46a6ddb5c9b224e22c1c20ef0183
- SHA256: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2
- SHA512: 89b70646c7789b81c029829a47888b93af8033b92665104e0513446b4ca08fb3e04579480a5d00ef50817104742ff747b20c0b03f9ab82d6c8cf5738bf369d76
- SSDEEP: 6144:6HVBccB9DtCftfZSmijPZtWVbOV9s2W4A375ySgMz0TRn4w:orybOV9ssi5NgM4T
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.0.0
- C2: informer.ddns.net:9033
- Mutex: f26b04ec-d813-46f5-a7c2-6b8110394025

Configuration values:
- activate_away_mode: true
- backup_connection_host: informer.ddns.net
- backup_dns_server: (not set)
- buffer_size: 65535
- build_time: 2014-08-13T12:19:06.373609236Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (not set)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9033
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760 (the extractor prints this as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (printed as 1.048576e+07)
- mutex: f26b04ec-d813-46f5-a7c2-6b8110394025
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: informer.ddns.net
- primary_dns_server: (not set)
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.0.0
- wan_timeout: 8000
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\x4c6lpG5\\MGDvRNf.exe,explorer.exe"
  process: reg.exe
  Note: Winlogon\Shell accepts a comma-separated list and every entry is launched at logon, so appending explorer.exe keeps the normal desktop working while the payload also starts; a user sees nothing unusual.
- Loads dropped DLL (1 IoC)
  pid 520, process IMG_88967569.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe"
  process: MSBuild.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 520 (IMG_88967569.exe) set thread context of PID 1440 (target procid 31)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\DDP Subsystem\ddpss.exe (MSBuild.exe)
  File opened for modification: C:\Program Files (x86)\DDP Subsystem\ddpss.exe (MSBuild.exe)
- Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s), which the sandbox labels as likely ransomware behaviour. This is the generic text attached to the signature; the extracted config identifies the sample as NanoCore, a RAT, and drive enumeration on its own is not evidence of ransomware.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 520 IMG_88967569.exe; pid 1440 MSBuild.exe; pid 1440 MSBuild.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1440 MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 520 IMG_88967569.exe
  Token: SeDebugPrivilege, pid 1440 MSBuild.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  source PID  source process    target PID  target procid  count
  520         IMG_88967569.exe  572         28             4
  572         cmd.exe           1788        30             4
  520         IMG_88967569.exe  1440        31             9
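The two registry IoCs above are the whole persistence story, and both are easy to miss if a detection only compares the Winlogon Shell value against "explorer.exe" as a literal string. The following is an added example (not part of the sandbox report, and not tooling from the sandbox vendor) that parses the Shell value as the comma-separated list it actually is and flags Run-key values written by processes that should never write them. The input records are constructed here to mirror the report's two "Set value (str)" entries plus a benign control; the field names `target`, `details` and `process` are an assumption modelled on Sysmon Event ID 13, not a format the report defines.

```python
"""Flag Winlogon Shell hijacks and Run-key additions in registry 'Set value' events.

Added example, not part of the sandbox report.  The input records are
constructed to mirror the two 'Set value (str)' IoCs plus one benign control;
the field names (target, details, process) are an assumption modelled on
Sysmon Event ID 13, not a format the report defines.
"""
import ntpath
import re
from typing import List, Optional

WINLOGON_SHELL_RE = re.compile(
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.IGNORECASE
)
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$",
    re.IGNORECASE,
)
# .NET framework hosts that have no business writing Run keys in normal use;
# a Run value set by one of them usually means injected code is running in it.
UNEXPECTED_WRITERS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}


def shell_extras(value: str) -> List[str]:
    """Winlogon\\Shell is a comma-separated list and every entry is launched, so
    '<payload>,explorer.exe' keeps the desktop working while also starting the
    payload.  Return every entry that is not explorer.exe."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if entry and ntpath.basename(entry).lower() != "explorer.exe":
            extras.append(entry)
    return extras


def analyse_event(event: dict) -> Optional[dict]:
    target, value, writer = event["target"], event["details"], event["process"]
    if WINLOGON_SHELL_RE.search(target):
        extras = shell_extras(value)
        if extras:
            return {"rule": "winlogon_shell_hijack", "pid": event["pid"],
                    "writer": writer, "payloads": extras}
        return None
    if RUN_KEY_RE.search(target):
        return {"rule": "run_key_added", "pid": event["pid"], "writer": writer,
                "name": target.rsplit("\\", 1)[1], "command": value.strip('"'),
                "unexpected_writer": writer.lower() in UNEXPECTED_WRITERS}
    return None


def analyse(events) -> List[dict]:
    return [f for f in (analyse_event(e) for e in events) if f]


# Constructed records (layout assumed), values taken from the report's IoCs.
EVENTS = [
    {   # reg.exe writing the Winlogon shell value, HKU form as the sandbox logs it
        "pid": 1788, "process": "reg.exe",
        "target": r"\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000"
                  r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
        "details": r"C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe",
    },
    {   # MSBuild.exe (the injected host) adding a 32-bit Run value
        "pid": 1440, "process": "MSBuild.exe",
        "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem",
        "details": r"C:\Program Files (x86)\DDP Subsystem\ddpss.exe",
    },
    {   # constructed benign control: the default Shell value, must not fire
        "pid": 4242, "process": "explorer.exe",
        "target": r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
                  r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "details": "explorer.exe",
    },
]

if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Running it yields two findings: the Shell hijack with the MGDvRNf.exe payload isolated from the trailing explorer.exe, and the "DDP Subsystem" Run value marked as written by an unexpected host. The Shell check deliberately keys on the basename, so a hijack that uses an explorer.exe in a non-system directory would still be caught by any later path check you add, while the control event produces nothing.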
Processes
- C:\Users\Admin\AppData\Local\Temp\IMG_88967569.exe (PID 520)
  command line: "C:\Users\Admin\AppData\Local\Temp\IMG_88967569.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\cmd.exe (PID 572)
    command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe"
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\SysWOW64\reg.exe (PID 1788)
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe"
      - Modifies WinLogon for persistence
  - child: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 1440)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

Note: MSBuild.exe is started with no project file, and PID 520 both writes its memory (9 times) and calls SetThreadContext on it. That is consistent with the payload being injected into a hollowed MSBuild.exe host, which is also the process that drops ddpss.exe and sets the Run key. The four writes from 520 into cmd.exe and from cmd.exe into reg.exe, with no SetThreadContext, are the ordinary pattern of plain process creation in these reports.
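The process tree and the WriteProcessMemory/SetThreadContext entries together are what distinguish the MSBuild.exe hollowing from the harmless parent-to-child writes around cmd.exe and reg.exe. The block below is an added example (not part of the report and not sandbox tooling) that correlates the two event types per source/target pair and only reports pairs where the thread context was rewritten, then enriches the hit with the signals a triager checks next: is the target a child of the writer, was it launched with a bare command line, and is it a commonly abused .NET framework host. `PROCESSES` and `EVENTS` are constructed from the report's process list and IoC counts; their layout is an assumption, not the sandbox's export format.

```python
"""Pick out the process-hollowing pattern from cross-process memory events.

Added example, not part of the sandbox report.  PROCESSES and EVENTS are
constructed from the process list and the SetThreadContext / WriteProcessMemory
IoCs in the report; the record layout is an assumption, not the sandbox's
export format.
"""
from collections import defaultdict
import ntpath

# Signed .NET framework binaries under C:\Windows that loaders routinely start
# suspended and hollow; membership here is a triage hint, not proof.
DOTNET_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
                "csc.exe", "vbc.exe"}

REG_ADD = (r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" '
           r'/f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe"')

PROCESSES = {
    520:  {"parent": None, "image": r"C:\Users\Admin\AppData\Local\Temp\IMG_88967569.exe",
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\IMG_88967569.exe"'},
    572:  {"parent": 520, "image": r"C:\Windows\SysWOW64\cmd.exe",
           "cmdline": r'"C:\Windows\system32\cmd.exe" /c ' + REG_ADD},
    1788: {"parent": 572, "image": r"C:\Windows\SysWOW64\reg.exe",
           "cmdline": REG_ADD},
    1440: {"parent": 520, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
           "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
}

# (api, source pid, target pid), with the multiplicities the report lists.
EVENTS = (
    [("WriteProcessMemory", 520, 572)] * 4
    + [("WriteProcessMemory", 572, 1788)] * 4
    + [("WriteProcessMemory", 520, 1440)] * 9
    + [("SetThreadContext", 520, 1440)]
)


def has_bare_cmdline(proc: dict) -> bool:
    """True when the command line is only the image path.  MSBuild.exe without
    a project file does nothing useful, so a bare launch is a hollowing tell."""
    return proc["cmdline"].strip().strip('"').lower() == proc["image"].lower()


def hollowing_findings(processes: dict, events) -> list:
    by_pair = defaultdict(lambda: {"writes": 0, "set_thread_context": False})
    for api, src, dst in events:
        rec = by_pair[(src, dst)]
        if api == "WriteProcessMemory":
            rec["writes"] += 1
        elif api == "SetThreadContext":
            rec["set_thread_context"] = True

    findings = []
    for (src, dst), rec in by_pair.items():
        # A few parent->child writes with no context change is what ordinary
        # process creation looks like in these reports (the cmd.exe and reg.exe
        # pairs); hollowing needs the thread context rewritten so the replaced
        # image is what actually runs.
        if not rec["set_thread_context"]:
            continue
        target = processes[dst]
        name = ntpath.basename(target["image"]).lower()
        findings.append({
            "source": src, "target": dst, "target_image": name,
            "writes": rec["writes"],
            "child_of_source": target["parent"] == src,
            "bare_cmdline": has_bare_cmdline(target),
            "dotnet_host": name in DOTNET_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for finding in hollowing_findings(PROCESSES, EVENTS):
        print(finding)
```

On the report's data this produces exactly one finding, for PID 520 into PID 1440, with all three enrichment flags set. The filter on SetThreadContext is what keeps the cmd.exe and reg.exe pairs out; if your telemetry does not expose that call, the same idea can be approximated by a write count well above the handful that process creation produces, at the cost of more noise.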
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 247KB (same hashes as the submitted sample)
  MD5: 9deae9ea695e8e5fdab35294f848e6b2
  SHA1: 73314c20de4b46a6ddb5c9b224e22c1c20ef0183
  SHA256: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2
  SHA512: 89b70646c7789b81c029829a47888b93af8033b92665104e0513446b4ca08fb3e04579480a5d00ef50817104742ff747b20c0b03f9ab82d6c8cf5738bf369d76