Analysis
- max time kernel: 151s
- max time network: 93s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2022, 23:36

Static task: static1
Behavioral task: behavioral1
Sample: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
Resource: win7-20220812-en
General
- Target: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
- Size: 677KB
- MD5: 2a73e0d44381ae381096e16fe65bf261
- SHA1: c3d74e27272eebdaab0ff7e9da176a6038803809
- SHA256: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb
- SHA512: 646ea95c2b12e1b9030c0bcdf967380e8eb3c3b40b7174f8a3d4b84171b609fba1339610f21e01b14a1062d52a6fafbd499924dbdc082df3cfef2d8ae9c9b1c0
- SSDEEP: 12288:PaCS+UAgUwBx8QshoIjrmeJNZ+k/EwjOMeEB0LMDPfLFigRg+KbSB0Df7:CCS+UPUwBmogDJNwkJjOMe2PjRg7SuD
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.1.1
- C2: asusdriverupdate.no-ip.org:58010
- Mutex: 5151db03-9ae5-4edf-9ae4-275f9e70f68f

Configuration
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server:
- buffer_size: 65535
- build_time: 2014-10-14T05:42:06.265609536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 58010
- default_group: Wave Tavu
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5151db03-9ae5-4edf-9ae4-275f9e70f68f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: asusdriverupdate.no-ip.org
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.1.1
- wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
  pid | Process
  1956 | SixEngine.exe
  1672 | SixEngine.exe

Drops startup file (1 IoC)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASUS Live Update.com.url | SixEngine.exe

Loads dropped DLL (2 IoCs)
  pid | Process
  1388 | 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
  1388 | 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ASUS Live Update = "C:\\ProgramData\\SixEngine.exe" | reg.exe

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SixEngine.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | SixEngine.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | SixEngine.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1956 set thread context of 1672 | 1956 | SixEngine.exe | 31

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid | Process
  1956 | SixEngine.exe (15 entries)
  1672 | SixEngine.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1388 | 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
  Token: SeDebugPrivilege | 1956 | SixEngine.exe
  Token: SeDebugPrivilege | 1672 | SixEngine.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description | pid | Process | procid_target
  PID 1388 wrote to memory of 952 | 1388 | 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe | 27 (4 entries)
  PID 952 wrote to memory of 1732 | 952 | cmd.exe | 29 (4 entries)
  PID 1388 wrote to memory of 1956 | 1388 | 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe | 30 (4 entries)
  PID 1956 wrote to memory of 1672 | 1956 | SixEngine.exe | 31 (9 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe"
  PID: 1388
  - Loads dropped DLL
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ASUS Live Update" /t REG_SZ /d "C:\ProgramData\SixEngine.exe" & exit
      PID: 952
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ASUS Live Update" /t REG_SZ /d "C:\ProgramData\SixEngine.exe"
          PID: 1732
          - Adds Run key to start application

    C:\ProgramData\SixEngine.exe
      Command line: C:\ProgramData\SixEngine.exe
      PID: 1956
      - Executes dropped EXE
      - Drops startup file
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\ProgramData\SixEngine.exe
          Command line: "C:\ProgramData\SixEngine.exe"
          PID: 1672
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 677KB
- MD5: 2a73e0d44381ae381096e16fe65bf261
- SHA1: c3d74e27272eebdaab0ff7e9da176a6038803809
- SHA256: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb
- SHA512: 646ea95c2b12e1b9030c0bcdf967380e8eb3c3b40b7174f8a3d4b84171b609fba1339610f21e01b14a1062d52a6fafbd499924dbdc082df3cfef2d8ae9c9b1c0