Analysis
max time kernel: 149s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 23:00
Static task: static1
Behavioral task: behavioral1
Sample: IMG_88967569.exe
Resource: win7-20221111-en
General
Target: IMG_88967569.exe
Size: 247KB
MD5: 9deae9ea695e8e5fdab35294f848e6b2
SHA1: 73314c20de4b46a6ddb5c9b224e22c1c20ef0183
SHA256: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2
SHA512: 89b70646c7789b81c029829a47888b93af8033b92665104e0513446b4ca08fb3e04579480a5d00ef50817104742ff747b20c0b03f9ab82d6c8cf5738bf369d76
SSDEEP: 6144:6HVBccB9DtCftfZSmijPZtWVbOV9s2W4A375ySgMz0TRn4w:orybOV9ssi5NgM4T
Malware Config
Extracted
Family: nanocore
Version: 1.2.0.0
C2: informer.ddns.net:9033
Mutex: f26b04ec-d813-46f5-a7c2-6b8110394025

activate_away_mode: true
backup_connection_host: informer.ddns.net
backup_dns_server:
buffer_size: 65535
build_time: 2014-08-13T12:19:06.373609236Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 9033
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: f26b04ec-d813-46f5-a7c2-6b8110394025
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: informer.ddns.net
primary_dns_server:
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.0.0
wan_timeout: 8000
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\x4c6lpG5\\MGDvRNf.exe,explorer.exe"
  process: reg.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
  process: IMG_88967569.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe"
  process: MSBuild.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 4600 set thread context of 4008
  pid: 4600, process: IMG_88967569.exe, procid_target: 90
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\DSL Manager\dslmgr.exe (process: MSBuild.exe)
  File opened for modification: C:\Program Files (x86)\DSL Manager\dslmgr.exe (process: MSBuild.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid 4600 IMG_88967569.exe
  pid 4600 IMG_88967569.exe
  pid 4008 MSBuild.exe
  pid 4008 MSBuild.exe
  pid 4008 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 4008 MSBuild.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 4600 IMG_88967569.exe
  Token: SeDebugPrivilege, pid 4008 MSBuild.exe
Suspicious use of WriteProcessMemory (14 IoCs)
  description, pid, process, procid_target:
  PID 4600 wrote to memory of 3716, 4600, IMG_88967569.exe, 87
  PID 4600 wrote to memory of 3716, 4600, IMG_88967569.exe, 87
  PID 4600 wrote to memory of 3716, 4600, IMG_88967569.exe, 87
  PID 3716 wrote to memory of 4424, 3716, cmd.exe, 89
  PID 3716 wrote to memory of 4424, 3716, cmd.exe, 89
  PID 3716 wrote to memory of 4424, 3716, cmd.exe, 89
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
  PID 4600 wrote to memory of 4008, 4600, IMG_88967569.exe, 90
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\IMG_88967569.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\IMG_88967569.exe"
  PID: 4600
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe"
    PID: 3716
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe"
      PID: 4424
      - Modifies WinLogon for persistence
  depth 2: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    PID: 4008
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken