Analysis
- max time kernel: 140s
- max time network: 197s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 08:29
- Static task: static1
- Behavioral task: behavioral1
  - Sample: ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
  - Resource: win7-20221111-en
General
- Target: ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
- Size: 521KB
- MD5: 87ff74c6fc7166d9365f6376fa260026
- SHA1: a91a2e81a4cd43dbe12aa1219bd0585ffd555002
- SHA256: ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f
- SHA512: 1186569a4655486cecbb3067ac2d480a1a7fca9926e1a6764325b4a477b829ee97e07e32119b8c9998a15caff6feecca7e477ccfba1fe64e52aac20c397c2b6f
- SSDEEP: 12288:mJZrZfSXwNFqo4R3Zbs4ys7U7cgt/GFr1PIxW1qM:sVFTAJFA/t/YRPIxxM
Malware Config
Extracted
- family: nanocore
- version: 1.2.1.1
- C2: 87.231.21.54:4242 (primary), 192.168.0.18:4242 (backup; an RFC 1918 private address, so it is only reachable on a LAN that uses that range and will never answer from a sandbox)
- identifier: cb32a65b-351e-4743-9439-5a68c0b610bb (the same GUID is used as the mutex, see below)

Configuration values as extracted (timing values appear to be milliseconds; empty values are shown as empty):
- activate_away_mode: true
- backup_connection_host: 192.168.0.18
- backup_dns_server: (empty)
- buffer_size: 65535
- build_time: 2014-10-30T07:51:34.058785536Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4242
- default_group: Owww
- enable_debug_mode: true
- gc_threshold: 10485760 (rendered by the extractor as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (rendered as 1.048576e+07)
- mutex: cb32a65b-351e-4743-9439-5a68c0b610bb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 87.231.21.54
- primary_dns_server: (empty)
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.1.1
- wan_timeout: 8000
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"
- Executes dropped EXE (1 IoC)
  - PID 752: notepad .exe
- Loads dropped DLL (1 IoC)
  - PID 2032: ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
- Checks whether UAC is enabled (1 IoC)
  - notepad .exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2032 (ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe) set thread context of PID 752 (notepad .exe)
- Enumerates physical storage devices (1 TTP)
  - Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." This is the signature's generic text; the sample is identified above as NanoCore, a remote access trojan, and nothing else in this report indicates file encryption.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  - PID 2032 (ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe): 5 events
  - PID 752 (notepad .exe): 2 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 752: notepad .exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  - PID 2032 (ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe): SeDebugPrivilege, Token 33 (privilege LUID not resolved by the sandbox), SeIncBasePriorityPrivilege
  - PID 752 (notepad .exe): SeDebugPrivilege
- Suspicious use of WriteProcessMemory (25 IoCs)
  - PID 2032 (ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe) wrote to PID 1368 (cmd.exe): 4 events
  - PID 2032 (ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe) wrote to PID 752 (notepad .exe): 9 events
  - PID 1368 (cmd.exe) wrote to PID 1916 (wscript.exe): 4 events
  - PID 1916 (wscript.exe) wrote to PID 704 (cmd.exe): 4 events
  - PID 704 (cmd.exe) wrote to PID 1056 (reg.exe): 4 events
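The sandbox records PID 2032 writing into PID 752 and then setting its thread context, the dropped target is named "notepad .exe" with a space before the extension, and the dump list below repeatedly captures the 0x400000-0x438000 region of PID 752 with a mapping address of 0x41EDAE inside it. The following Python is an added example, not part of this report or of the NanoCore sample: it correlates those events into a process-hollowing finding and checks the target's file name against system binary names. The event tuples are constructed from this report's values; the event schema, the SYSTEM_BINARIES list and the function names are this example's own.

```python
"""Correlate sandbox process events into a process-hollowing finding.

Added example, not part of this sandbox report. The event tuples are
constructed from the report's Signatures and memory dump lists (PIDs 2032,
752, 1368, 1916); the event schema, SYSTEM_BINARIES and the function names
are this example's own conventions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed from the report: (event, source_pid, target_pid_or_image_path)
EVENTS = [
    ("write_process_memory", 2032, 1368),   # parent -> cmd.exe
    ("write_process_memory", 2032, 752),    # parent -> "notepad .exe"
    ("set_thread_context", 2032, 752),      # parent redirects the child's thread
    ("exec_dropped", 752, r"C:\Users\Admin\AppData\Local\Temp\notepad .exe"),
    ("write_process_memory", 1368, 1916),   # cmd.exe -> wscript.exe, no context change
]

# From the memory dump list: the region dumped repeatedly from PID 752 and the
# address the sandbox recorded as the mapping point.
IMAGE_REGION = (0x00400000, 0x00438000)
MAPPED_ADDR = 0x0041EDAE

# Names dropped payloads commonly borrow; compared after stripping whitespace.
SYSTEM_BINARIES = {"notepad.exe", "svchost.exe", "explorer.exe", "regsvr32.exe"}


def hollowing_candidates(events):
    """(src, dst) pairs where src wrote into dst and later set dst's thread context."""
    written = defaultdict(set)
    found = []
    for name, src, dst in events:
        if name == "write_process_memory":
            written[src].add(dst)
        elif name == "set_thread_context" and src != dst and dst in written[src]:
            found.append((src, dst))
    return found


def masquerade_reason(path):
    """Why a file name looks like a system-binary lookalike, or None if it does not."""
    base = ntpath.basename(path)
    collapsed = re.sub(r"\s+", "", base).lower()
    if collapsed not in SYSTEM_BINARIES:
        return None
    if collapsed != base.lower():
        return f"{base!r}: whitespace inserted into system binary name {collapsed!r}"
    if not ntpath.dirname(path).lower().startswith("c:\\windows"):
        return f"{base!r}: system binary name outside C:\\Windows"
    return None


def address_in_region(addr, region):
    """True when addr lies inside [base, end) of a dumped region."""
    lo, hi = region
    return lo <= addr < hi


def findings(events=EVENTS):
    """One record per hollowing candidate, with the target's image and name check."""
    images = {src: dst for name, src, dst in events if name == "exec_dropped"}
    out = []
    for src, dst in hollowing_candidates(events):
        image = images.get(dst)
        out.append({
            "parent": src,
            "target": dst,
            "image": image,
            "masquerade": masquerade_reason(image) if image else None,
            # Consistent with an injected image: the sandbox's mapping address
            # for the target falls inside the region it dumped repeatedly.
            "mapping_in_dumped_image": address_in_region(MAPPED_ADDR, IMAGE_REGION),
        })
    return out


if __name__ == "__main__":
    for f in findings():
        print(f)
```

The write-then-SetThreadContext ordering is the part worth keeping in a real rule: WriteProcessMemory into a child alone is noisy (every cmd.exe spawn here produces four of them), but a parent that writes into a child and then replaces that child's thread context is the hollowing pattern, and here the child's on-disk name is a lookalike as well.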
Processes
(PIDs taken from the WriteProcessMemory events above; nesting follows the sandbox's tree depth)
- C:\Users\Admin\AppData\Local\Temp\ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe (PID 2032)
  command line: "C:\Users\Admin\AppData\Local\Temp\ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1368)
    command line: cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\wscript.exe (PID 1916)
      command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
      (invs.vbs, 78 bytes, is invoked with mata2.bat as its argument and in turn spawns the cmd.exe below to run it)
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 704)
        command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\reg.exe (PID 1056)
          command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
          - Modifies WinLogon for persistence
  - C:\Users\Admin\AppData\Local\Temp\notepad .exe (PID 752)
    command line: "C:\Users\Admin\AppData\Local\Temp\notepad .exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
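The persistence step in the tree above is one reg.exe call that replaces the per-user Winlogon Shell, so the payload starts in place of explorer.exe at logon. The following Python is an added example, not part of this report: it parses both the reg add command line and the sandbox's "Set value" registry IoC into the same record and flags non-default data in the Winlogon Shell and Userinit values. The two sample lines are copied from this report, the third line is a constructed benign control, and the WINLOGON_DEFAULTS table and the function names are this example's own.

```python
"""Flag Winlogon Shell/Userinit persistence from reg.exe command lines and
from sandbox registry-write IoCs.

Added example, not part of this sandbox report. SAMPLE_LINES holds the
reg.exe command line and the Winlogon IoC copied from this report plus a
constructed benign control; WINLOGON_DEFAULTS and the function names are
this example's own.
"""
import re

# Data Windows itself puts in these Winlogon values; anything else is suspect.
WINLOGON_DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe", r"c:\windows\system32\userinit.exe,"},
}
HIVE_ALIASES = {
    "hkcu": "HKEY_CURRENT_USER", "hkey_current_user": "HKEY_CURRENT_USER",
    "hklm": "HKEY_LOCAL_MACHINE", "hkey_local_machine": "HKEY_LOCAL_MACHINE",
}
# Sandbox IoC form: Set value (str) \REGISTRY\...\Winlogon\Shell = "C:\\path"
IOC_RE = re.compile(r'Set value \(\w+\)\s+(\\REGISTRY\\.*?)\\([^\\\s]+)\s*=\s*"(.*)"')

SAMPLE_LINES = [
    # From the report's process tree (PID 1056)
    r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f',
    # From the report's Signatures section (backslashes escaped as rendered there)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"',
    # Constructed benign control: restores the default shell
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d explorer.exe /f',
]


def split_cmdline(cmdline):
    """Quote-aware split of a Windows command line (double quotes, no escapes)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def normalize_key(key):
    """Map HKCU/HKLM aliases and kernel \\REGISTRY\\ paths onto HKEY_* names."""
    k = key.strip("\\")
    m = re.match(r"registry\\user\\s-1-5-[\d-]+\\(.*)", k, re.I)
    if m:
        return "HKEY_CURRENT_USER\\" + m.group(1)
    m = re.match(r"registry\\machine\\(.*)", k, re.I)
    if m:
        return "HKEY_LOCAL_MACHINE\\" + m.group(1)
    hive, _, rest = k.partition("\\")
    return HIVE_ALIASES.get(hive.lower(), hive.upper()) + "\\" + rest


def parse_reg_add(cmdline):
    """{'key','value','data'} for a `reg add` line (with or without a cmd wrapper), else None."""
    argv = split_cmdline(cmdline)
    for i, tok in enumerate(argv):
        if tok.lower().rsplit("\\", 1)[-1] in ("reg", "reg.exe"):
            break
    else:
        return None
    if len(argv) < i + 3 or argv[i + 1].lower() != "add":
        return None
    rec = {"key": normalize_key(argv[i + 2]), "value": "(Default)", "data": None}
    rest = argv[i + 3:]
    for j, tok in enumerate(rest):
        if tok.lower() == "/v" and j + 1 < len(rest):
            rec["value"] = rest[j + 1]
        elif tok.lower() == "/d" and j + 1 < len(rest):
            rec["data"] = rest[j + 1]
    return rec


def parse_registry_ioc(line):
    """The same record from a sandbox 'Set value' IoC line, else None."""
    m = IOC_RE.search(line)
    if not m:
        return None
    key, value, data = m.groups()
    return {"key": normalize_key(key), "value": value, "data": data.replace("\\\\", "\\")}


def winlogon_persistence(rec):
    """Finding text when rec writes non-default Shell/Userinit data under Winlogon, else None."""
    if rec is None or not rec["key"].lower().endswith(r"\microsoft\windows nt\currentversion\winlogon"):
        return None
    value = rec["value"].lower()
    if value not in WINLOGON_DEFAULTS:
        return None
    data = (rec["data"] or "").strip().lower()
    if data in WINLOGON_DEFAULTS[value]:
        return None
    return f"Winlogon {rec['value']} set to {rec['data']!r} under {rec['key']}"


def scan(lines):
    """Findings for every line that parses as a reg add or a registry-write IoC."""
    out = []
    for line in lines:
        finding = winlogon_persistence(parse_registry_ioc(line) or parse_reg_add(line))
        if finding:
            out.append(finding)
    return out


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Normalizing the hive matters because the same write shows up under two names: the process tree records it as HKCU, the kernel-level IoC as \REGISTRY\USER\<SID>. Matching on the tail of the key after normalization catches both, and the HKLM control shows that restoring explorer.exe is not reported.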
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe (521KB)
  MD5: 87ff74c6fc7166d9365f6376fa260026
  SHA1: a91a2e81a4cd43dbe12aa1219bd0585ffd555002
  SHA256: ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f
  SHA512: 1186569a4655486cecbb3067ac2d480a1a7fca9926e1a6764325b4a477b829ee97e07e32119b8c9998a15caff6feecca7e477ccfba1fe64e52aac20c397c2b6f
  (identical hashes to the submitted sample; this is the path written to Winlogon\Shell)
- C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs (78B)
  MD5: c578d9653b22800c3eb6b6a51219bbb8
  SHA1: a97aa251901bbe179a48dbc7a0c1872e163b1f2d
  SHA256: 20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2
  SHA512: 3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d
- C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat (70B)
  MD5: 23f72401196919748c14cb64c1d55c3b
  SHA1: 869e3809cb4391e6f5aee5349a871e40a1e1fb22
  SHA256: d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11
  SHA512: 2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1
- C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat (264B)
  MD5: d7166ea756390e4e16c5176350bf6003
  SHA1: ff236999834b796b9c6b2eb34279639e26648e32
  SHA256: 9d9d8433939149503dc16d674b1975cc688a0f7e48457bc3f93bf26f1c89726d
  SHA512: 04b99b8dacbd2198e50e33b687f4f3dda2769f3e55ef9bd290a4b18f8b45af03baca46bb476c3ea025c9fd313f64e1fee02392b182dae3a4da34b60d725a48ba
- C:\Users\Admin\AppData\Local\Temp\notepad .exe (52KB; the report lists this file three times, once as \Users\Admin\AppData\Local\Temp\notepad .exe without the drive letter, all with the same hashes)
  MD5: 278edbd499374bf73621f8c1f969d894
  SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
  SHA512: 93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9
Memory dumps (file name is memory/<pid>-<seq>-<address or range>):
- memory/704-78: 0x0000000000000000 (mapping)
- memory/752-59, 752-60, 752-62, 752-63, 752-65, 752-69, 752-71: 0x0000000000400000-0x0000000000438000 (224KB; the same image-base region of notepad .exe, PID 752, dumped seven times)
- memory/752-66: 0x000000000041EDAE (mapping; this address lies inside the 0x400000-0x438000 region above)
- memory/752-80, 752-83: 0x0000000074130000-0x00000000746DB000 (5.7MB)
- memory/1056-79: 0x0000000000000000 (mapping)
- memory/1368-56: 0x0000000000000000 (mapping)
- memory/1916-74: 0x0000000000000000 (mapping)
- memory/2032-54: 0x00000000753F1000-0x00000000753F3000 (8KB)
- memory/2032-55, 2032-82: 0x0000000074130000-0x00000000746DB000 (5.7MB; same base and size as the region dumped from PID 752)