Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 23:55

Static task: static1
Behavioral task: behavioral1
Sample: img_0928211.exe
Resource: win7-20220812-en
General
Target: img_0928211.exe
Size: 921KB
MD5: 5672794169f1beab73201234b407f8f9
SHA1: 19b9763d26c8466d6092ecc41318710f549f5886
SHA256: fe5439378961e964d35e1e079c5675111def39ec03f5e87db38132313a618a2f
SHA512: 5dd83345e9f2aec11587bcc1a04bd8fecb86206d2f990bf9a754768a207ad011a90a299192bc94c2e38b204d08f484ac6d607c3700b28ad6c12c18d07b7e7c44
SSDEEP: 24576:O20gPgFK8vO9SlDGNON2Y2Dd0PiHXBhqB:3KOQlDUXDCPi3BhqB
Malware Config
Extracted
Family: nanocore
Version: 1.2.1.1
C2: nattyma.no-ip.biz:9035
Mutex / build GUID: 45d17d9c-c36c-4d6f-93b8-abc9b59cd8a6

activate_away_mode: true
backup_connection_host: nattyma.no-ip.biz
backup_dns_server: (empty)
buffer_size: 65535
build_time: 2014-09-28T06:15:02.698339236Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 9035
default_group: NEROSMART
enable_debug_mode: true
gc_threshold: 1.0448576e+08 (104485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 9.9948576e+08 (999485760)
mutex: 45d17d9c-c36c-4d6f-93b8-abc9b59cd8a6
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: nattyma.no-ip.biz
primary_dns_server: (empty)
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.1.1
wan_timeout: 8000

Note: primary and backup C2 are the same dynamic-DNS host (no-ip), so the resolved IP should be treated as volatile and the hostname, port 9035 and the mutex GUID are the stable indicators. run_on_startup is false in the config, yet the behavioral task still records persistence (a RunOnce entry pointing at a .vbs under the user profile, and a Run key named "DHCP Subsystem" written by the injected RegSvcs.exe; see Signatures), so the config flag alone is not a reliable statement of what the sample does on a host. bypass_user_account_control and request_elevation are both true, which matches the EnableLUA lookup recorded below.
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
  - Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by gfcbk.exe (recorded twice, once per gfcbk.exe instance)
- Executes dropped EXE (2 IoCs)
  - PID 1656 gfcbk.exe
  - PID 3540 gfcbk.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  - Looks up the country code configured in the registry, likely a geofence.
  - Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation by img_0928211.exe, gfcbk.exe and WScript.exe
- Adds Run key to start application (2 TTPs, 5 IoCs)
  - Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\99o623u41dw = "C:\\Users\\Admin\\99o623u41dw\\slimnvmimjjkbr.vbs" by gfcbk.exe (recorded twice)
  - Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce by gfcbk.exe (recorded twice)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" by RegSvcs.exe (the injected process, not the dropper)
- Checks whether UAC is enabled (2 IoCs)
  - Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by gfcbk.exe (recorded twice)
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1656 gfcbk.exe set thread context of PID 1660 (RegSvcs.exe, procid_target 83)
  - PID 3540 gfcbk.exe set thread context of PID 1580 (RegSvcs.exe, procid_target 88)
- Drops file in Program Files directory (2 IoCs)
  - File created C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe by RegSvcs.exe
  - File opened for modification C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe by RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  - Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "Likely ransomware behaviour"; the extracted config identifies the sample as NanoCore, a remote-access trojan, so drive enumeration here should be read as RAT file-system/removable-media activity rather than as evidence of encryption.
- Program crash (1 IoCs)
  - PID 4052 WerFault.exe for target PID 1660 (RegSvcs.exe, procid_target 83); the first injected RegSvcs.exe instance crashed, the second (PID 1580) is the one that persisted
- Modifies registry class (2 IoCs)
  - Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings by gfcbk.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ by WScript.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 1656 gfcbk.exe and PID 3540 gfcbk.exe, repeatedly (64 events listed, the bulk from PID 1656)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  - PID 1580 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - Token: SeDebugPrivilege by PID 1656 gfcbk.exe (9 events), PID 3540 gfcbk.exe (54 events) and PID 1580 RegSvcs.exe (1 event)
- Suspicious use of WriteProcessMemory (21 IoCs)
  - PID 4788 img_0928211.exe wrote to memory of PID 1656 gfcbk.exe (procid_target 81): 3 events
  - PID 1656 gfcbk.exe wrote to memory of PID 1660 RegSvcs.exe (procid_target 83): 4 events
  - PID 1656 gfcbk.exe wrote to memory of PID 4312 WScript.exe (procid_target 86): 3 events
  - PID 4312 WScript.exe wrote to memory of PID 3540 gfcbk.exe (procid_target 87): 3 events
  - PID 3540 gfcbk.exe wrote to memory of PID 1580 RegSvcs.exe (procid_target 88): 8 events
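The chain recorded above (a dropped binary under the user profile writing into and setting the thread context of RegSvcs.exe, a RunOnce value pointing at a .vbs in the profile, ShowSuperHidden set to 0, WScript.exe relaunching the dropped binary, and a Run key written by the injected .NET host) is what a detection rule should key on rather than any single IoC. The Python below is an added example written for this page, not part of the sandbox report or of any vendor tooling. The event schema (kind/pid/image/parent_pid/target_pid/target_image/key/value) and the list of .NET host binaries are assumptions; the sample events are constructed from the report's own Signatures and Processes sections.

```python
import re
from dataclasses import dataclass

# Assumption (illustrative, not from the report): .NET framework utilities that are
# commonly used as hollowing targets. The report only shows RegSvcs.exe.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
USER_PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)
SUPER_HIDDEN = re.compile(r"\\explorer\\advanced\\showsuperhidden$", re.IGNORECASE)


@dataclass
class Event:
    """Assumed minimal event schema; kind is 'process', 'inject' or 'reg_set'."""
    kind: str
    pid: int
    image: str
    parent_pid: int = 0
    target_pid: int = 0
    target_image: str = ""
    key: str = ""
    value: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours seen in the report."""
    image_of = {e.pid: e.image for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind == "reg_set":
            if SUPER_HIDDEN.search(e.key) and e.value == "0":
                findings.append(("hide_system_files", e.pid, e.key))
            elif RUN_KEY.search(e.key):
                # Autorun pointing at a script under a user profile, or an autorun
                # written by a .NET host binary that has no business doing so.
                if USER_PROFILE.match(e.value) and e.value.lower().endswith(".vbs"):
                    findings.append(("runonce_vbs_in_profile", e.pid, e.value))
                elif basename(e.image) in DOTNET_HOSTS:
                    findings.append(("run_key_written_by_dotnet_host", e.pid, e.value))
        elif e.kind == "inject":
            # SetThreadContext / WriteProcessMemory from a profile-resident binary
            # into a signed .NET utility: the hollowing pattern in the report.
            if USER_PROFILE.match(e.image) and basename(e.target_image) in DOTNET_HOSTS:
                findings.append(("profile_exe_injects_dotnet_host", e.pid,
                                 f"{basename(e.image)} -> {e.target_pid} {basename(e.target_image)}"))
        elif e.kind == "process":
            parent = basename(image_of.get(e.parent_pid, ""))
            if parent == "wscript.exe" and USER_PROFILE.match(e.image):
                findings.append(("wscript_launches_profile_exe", e.pid, e.image))
    return findings


# Constructed from the report's Signatures/Processes sections (same PIDs and paths).
GFCBK = r"C:\Users\Admin\99o623u41dw\gfcbk.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000"
REPORT_EVENTS = [
    Event("process", 4788, r"C:\Users\Admin\AppData\Local\Temp\img_0928211.exe"),
    Event("process", 1656, GFCBK, parent_pid=4788),
    Event("process", 1660, REGSVCS, parent_pid=1656),
    Event("inject", 1656, GFCBK, target_pid=1660, target_image=REGSVCS),
    Event("reg_set", 1656, GFCBK, value="0",
          key=HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"),
    Event("reg_set", 1656, GFCBK, value=r"C:\Users\Admin\99o623u41dw\slimnvmimjjkbr.vbs",
          key=HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\99o623u41dw"),
    Event("process", 4312, r"C:\Windows\SysWOW64\WScript.exe", parent_pid=1656),
    Event("process", 3540, GFCBK, parent_pid=4312),
    Event("process", 1580, REGSVCS, parent_pid=3540),
    Event("inject", 3540, GFCBK, target_pid=1580, target_image=REGSVCS),
    Event("reg_set", 1580, REGSVCS, value=r"C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe",
          key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(REPORT_EVENTS):
        print(f"{rule:34} pid={pid} {detail}")
```

Run against the constructed events it yields six findings, two per gfcbk.exe instance (hide/RunOnce/inject for 1656, WScript-launch/inject for 3540) plus the Run key written by the injected RegSvcs.exe. The rules deliberately use the relationship between actor and target (profile-resident binary into a .NET host, script host spawning a profile binary) rather than the random directory name 99o623u41dw, which will differ per build.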
Processes
- C:\Users\Admin\AppData\Local\Temp\img_0928211.exe  "C:\Users\Admin\AppData\Local\Temp\img_0928211.exe"  (PID 4788)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\99o623u41dw\gfcbk.exe  "C:\Users\Admin\99o623u41dw\gfcbk.exe" arjegv  (PID 1656)
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"  (PID 1660)
      - C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 80  (PID 4052)
        - Program crash
    - C:\Windows\SysWOW64\WScript.exe  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\99O623~1\run.vbs"  (PID 4312)
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\99o623u41dw\gfcbk.exe  "C:\Users\Admin\99o623u41dw\gfcbk.exe" arjegv  (PID 3540)
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"  (PID 1580)
          - Adds Run key to start application
          - Drops file in Program Files directory
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe  C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1660 -ip 1660  (PID 4356)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 204KB
  MD5: 5af78a7ae95dc6dbf695b7c467d8b5cf
  SHA1: 10f23008204410a796b973d9650640d8b741fee2
  SHA256: 09eaa6dc4de1fac152662f4a2b50e724a7835b3c7883c3cd41fb67ee1e1fe04d
  SHA512: 39b7d5931a7c2a0d8176fdaa5b4af4a8d1a4d5baac0865fac40d984b890e9ee9748c64361e50d2c4ce4fdc8a7f3503ca0ad9c311faba09e9e40a843dc35431ce
- Filesize: 200B
  MD5: e7ed5b3ce727a6a3b2880c5425635a53
  SHA1: 9d7cc91df067969232fdd914eab9c72cb2f8227e
  SHA256: ec00d718336b97497192c9b919e1a3704db4e2bfdef7ddcf69abddf46269fdbc
  SHA512: d6a8d1b93a17bb11efbfcf996cae9568cd8d4dda7f91d137875bec67b164c4b36a2f6a744cfafc8f194825133b0feaac1b49b457c928becc8ea732bd6a0b9bab
- Filesize: 84B
  MD5: e691daeccb1a1cfd97689d488a259a58
  SHA1: 16ce3499fed564101753295fabab38c5a4cea107
  SHA256: 2229da69670276efbccb36d4fb72c17b532841c16a735e8e8aa3701a8bf3ebaf
  SHA512: 20ef3fb0d139ceed038e5b98aed9673ca737506b8f9bdab8e727b62f2dcf38300ec5a1cc8a657e64854e5e1abc926f3707b7ade085bc3a6c0d8c45199ef947a4
- Filesize: 280.5MB
  MD5: e8a49826e98e50df869a51cd31781079
  SHA1: 451437b6d6cc7cb287e114e7beca6ce74fb39d57
  SHA256: fc22c9533e7109817e21d9a4e6cf1dd800ec8f531914757ffc79f1d7d6886263
  SHA512: 80e3c9b86b35a7ed815d6f16f5869f1d172a2f38b3528ece2ca208df3406aca245517771d408aafeae8fba97a328aadf95a675e305b330f0614cfce6f441c4a1
- Filesize: 807KB (listed three times in the report with identical hashes, i.e. the same file observed at more than one location)
  MD5: 205e802415422fa581afd6973e61d0e4
  SHA1: aa9abf929198f24af7e57f1864a6d370649e2af2
  SHA256: 3c529e81cd390f8d0163131e8a2b2b32fcc8feb465cbdd1680e54be05691ab8c
  SHA512: 8273b63c1d879d73c3f92e4c5bab1469744f2db56f095e826fcdc392d62815e4e4247e46fcab8d90cea59444fd5c61120b674ef74b851b3282507d48113feb59