Analysis
max time kernel: 156s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 23:49
Static task: static1
Behavioral task: behavioral1
Sample: d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe
Resource: win7-20221111-en
General
Target: d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe
Size: 1.3MB
MD5: 756db4e0cf3709be976c2a5a60f46c94
SHA1: 1f6f46832eae245197f430a8fad2050da2f289f6
SHA256: d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b
SHA512: b80d636c74ffa84e6478a457b091d7f3da1d216593a19e357ce4be3c31c6d4ac1d8c59b0f3fa1548e585e8a5245225177ed83a657eaf3df2eefb72f20336df02
SSDEEP: 24576:z2O/Gl3V7aIeMVCDRnrsf7g6zwzMgh/20xt:rMVA25kIx6t
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: apananco.no-ip.biz:1177
C2: 5.254.112.21:1177
Mutex: 0e1fb9df-1b4f-4517-a8e6-9035c916355d
activate_away_mode: false
backup_connection_host: 5.254.112.21
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2015-01-24T14:36:48.256723236Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: true
connect_delay: 4000
connection_port: 1177
default_group: LightCore
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 0e1fb9df-1b4f-4517-a8e6-9035c916355d
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: apananco.no-ip.biz
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Executes dropped EXE (1 IoC)
  pid 4892, process iyrf.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (process: d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (process: iyrf.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\W4KGOI~1 = "C:\\Users\\Admin\\W4KGOI~1\\krnagboyghfo.vbs" (process: iyrf.exe)
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: iyrf.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 4892 set thread context of 2508; pid 4892; process iyrf.exe; procid_target 85
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4892, process iyrf.exe (the same entry repeated 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2508, process RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 2508; process RegSvcs.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4216 wrote to memory of 4892; pid 4216; process d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe; procid_target 80 (3 entries)
  PID 4892 wrote to memory of 2508; pid 4892; process iyrf.exe; procid_target 85 (5 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe"
  PID: 4216
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\w4kgoi6994\iyrf.exe (child of PID 4216)
    Command line: "C:\Users\Admin\w4kgoi6994\iyrf.exe" xqilbqxcfsa
    PID: 4892
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 4892)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2508
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads