Analysis
- max time kernel: 207s
- max time network: 217s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2022, 23:34
Static task: static1
Behavioral task: behavioral1
  Sample: a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe
  Resource: win10v2004-20221111-en
General
- Target: a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe
- Size: 1.3MB
- MD5: 27cc743b428c3a5409c465aa21e0edb8
- SHA1: bcd2ea710d17c15c61ce0b5c03c9bf17404fb6c8
- SHA256: a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627
- SHA512: 49cd55f3a0053f03129aa0a946730274d447ed4b1d8f33019e9657990571f050f3e5e8d39a4661e63934e8dff8ba803f56fcb97fc78a6dc44082ba597b46438a
- SSDEEP: 24576:z2O/Gl39TYSk7apyJEGuKzQVWCLpoWI7g6zwzMgh/2Vse:gH7gJKVWIoWI5kIxOe
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: bravebizzle.no-ip.biz:1177
- C2: 23.105.131.183:1177
- Mutex: 3db538fe-5a97-4435-ad66-0511ec2d3127

Attributes
- activate_away_mode: false
- backup_connection_host: 23.105.131.183
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2015-03-05T17:08:27.905109536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 1177
- default_group: GOODLUCK
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 3db538fe-5a97-4435-ad66-0511ec2d3127
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: bravebizzle.no-ip.biz
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

- Executes dropped EXE (1 IoC)
  pid: 1092, Process: oxglqmghppn.exe

- Loads dropped DLL (4 IoCs)
  pid: 1224, Process: a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe (4 identical entries)

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe"
  Process: RegSvcs.exe

- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1092 set thread context of 340
  pid: 1092, Process: oxglqmghppn.exe, procid_target: 29

- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\PCI Subsystem\pciss.exe (Process: RegSvcs.exe)
  File opened for modification: C:\Program Files (x86)\PCI Subsystem\pciss.exe (Process: RegSvcs.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 1092, Process: oxglqmghppn.exe (repeated entries)
  pid: 340, Process: RegSvcs.exe (repeated entries)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 340, Process: RegSvcs.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1224 wrote to memory of 1092 (pid: 1224, Process: a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe, procid_target: 28) (7 entries)
  PID 1092 wrote to memory of 340 (pid: 1092, Process: oxglqmghppn.exe, procid_target: 29) (9 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe"
  PID: 1224
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe (child of PID 1224)
    command line: "C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe" scmwrrzoij
    PID: 1092
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 1092)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 340
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 475KB
  MD5: 6a5abf9b5dc57110ea8ef9bd64ab4851
  SHA1: a50e297ebea757da559938cfa0f677acb1bd2c20
  SHA256: 0c689d6e066060550a35297e6f18cb5c01b0d3bad976bd0be5fbc271234fe4f5
  SHA512: 9c4286019f56203e4a37530ba4a2defd77789132250739230f4cf46286f7ec7d269e3ef98ea89714bf5b417ae0e217324f3720ac3c7ecaedb0ef2f0e171cea92

- Filesize: 63B
  MD5: 00fcb14d3ec891ef487d8f4618b7b45c
  SHA1: 9f4f046a8aa1fdd374e252f9eadd51a4ce682ce4
  SHA256: f9102f75119180dd0f1b28d5336849fdce20df1265ce68bead27191d9f794fce
  SHA512: 364c63b1b974f3aecbbd073fa01ed6032f734713cd14ec11ac86f6eebe401ecefce13b18e96f0e98ab200b17186706dad04c5a6dccefd8df736c3b8f3650b90f

- Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

- Filesize: 674.7MB
  MD5: 3eb4279899ba49dbc6244b644bb0a156
  SHA1: 42062100d29ebb74a5c50d3dc2150789db06cc58
  SHA256: 80003ff0e0ef09ba55b497f3e157e887a4c998e323cbcd83d276573f2beccfcf
  SHA512: 3c705600d7f9bf7c0f9baccc587793d051f601c7d8588a0ea33c185eaa8d93f04e52b7b33b5b44fdb27633c0af33ed802c5fc66e9d56c17032d424eb74407974
Filesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
Filesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
Filesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
-
Filesize
732KB
MD571d8f6d5dc35517275bc38ebcc815f9f
SHA1cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA5124826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59