Analysis
- max time kernel: 153s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 22:59
Static task: static1
Behavioral task: behavioral1
Sample: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
Resource: win7-20220812-en
General
- Target: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
- Size: 247KB
- MD5: 9deae9ea695e8e5fdab35294f848e6b2
- SHA1: 73314c20de4b46a6ddb5c9b224e22c1c20ef0183
- SHA256: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2
- SHA512: 89b70646c7789b81c029829a47888b93af8033b92665104e0513446b4ca08fb3e04579480a5d00ef50817104742ff747b20c0b03f9ab82d6c8cf5738bf369d76
- SSDEEP: 6144:6HVBccB9DtCftfZSmijPZtWVbOV9s2W4A375ySgMz0TRn4w:orybOV9ssi5NgM4T
Malware Config
Extracted
nanocore
1.2.0.0
informer.ddns.net:9033
f26b04ec-d813-46f5-a7c2-6b8110394025
- activate_away_mode: true
- backup_connection_host: informer.ddns.net
- backup_dns_server:
- buffer_size: 65535
- build_time: 2014-08-13T12:19:06.373609236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9033
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f26b04ec-d813-46f5-a7c2-6b8110394025
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: informer.ddns.net
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.0.0
- wan_timeout: 8000
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\x4c6lpG5\\MGDvRNf.exe,explorer.exe"
  process: reg.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation
  process: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: MSBuild.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe"
  process: MSBuild.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
  description: PID 3104 set thread context of 4996
  pid: 3104
  process: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
  target process: MSBuild.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: MSBuild.exe
  description: File created
  ioc: C:\Program Files (x86)\DSL Manager\dslmgr.exe
  process: MSBuild.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\DSL Manager\dslmgr.exe
  process: MSBuild.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe, MSBuild.exe
  pid 3104, process 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe (2 IoCs)
  pid 4996, process MSBuild.exe (6 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: MSBuild.exe
  pid 4996, process MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe, MSBuild.exe
  description: Token: SeDebugPrivilege, pid 3104, process 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
  description: Token: SeDebugPrivilege, pid 4996, process MSBuild.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe, cmd.exe
  PID 3104 wrote to memory of 3548; process 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe, target process cmd.exe (3 IoCs)
  PID 3548 wrote to memory of 1268; process cmd.exe, target process reg.exe (3 IoCs)
  PID 3104 wrote to memory of 4996; process 38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe, target process MSBuild.exe (8 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\38e14f1ab8dab71a76cbbc260d5c43d41023f2b23e8955f29dc81213454660f2.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\x4c6lpG5\MGDvRNf.exe,explorer.exe"
      - Modifies WinLogon for persistence
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1268-135-0x0000000000000000-mapping.dmp
- memory/3104-132-0x0000000074DE0000-0x0000000075391000-memory.dmp (Filesize: 5.7MB)
- memory/3104-133-0x0000000074DE0000-0x0000000075391000-memory.dmp (Filesize: 5.7MB)
- memory/3104-138-0x0000000074DE0000-0x0000000075391000-memory.dmp (Filesize: 5.7MB)
- memory/3548-134-0x0000000000000000-mapping.dmp
- memory/4996-136-0x0000000000000000-mapping.dmp
- memory/4996-137-0x0000000000400000-0x0000000000436000-memory.dmp (Filesize: 216KB)
- memory/4996-139-0x0000000074DE0000-0x0000000075391000-memory.dmp (Filesize: 5.7MB)
- memory/4996-140-0x0000000074DE0000-0x0000000075391000-memory.dmp (Filesize: 5.7MB)