Analysis
max time kernel: 190s
max time network: 207s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27/11/2022, 00:01

Behavioral task: behavioral1
Sample: 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
Resource: win7-20221111-en

General
Target: 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
Size: 615KB
MD5: 0a8a66d67bf1c167885bffe3c2de2669
SHA1: 3e8448cd135263dcf513e09cfcace9382dc577b1
SHA256: 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062
SHA512: dcd1d0b1eeaaf789631303ad844fea65e7b5cdbe2e10a7d213a74720e84ff1651708f99724aa2e9f0b4c6a74def87847d0ed75085a295b3adc939f09724e1922
SSDEEP: 12288:vOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiIkDL6tNsFqYpwU35ZI:vq5TfcdHj4fmbUDL6nY935ZI
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: moftsvs.ig42.org:9045, 212.7.192.242:9045
Mutex: c7bf44a3-7212-4d60-9ee3-f0991c8392f8

activate_away_mode: false
backup_connection_host: 212.7.192.242
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2015-03-06T14:55:41.478810836Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 9045
default_group: Default Team
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: c7bf44a3-7212-4d60-9ee3-f0991c8392f8
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: moftsvs.ig42.org
primary_dns_server: 8.8.8.8
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

resource | yara_rule
behavioral1/memory/960-55-0x0000000000040000-0x00000000001A5000-memory.dmp | upx
behavioral1/memory/960-59-0x0000000000040000-0x00000000001A5000-memory.dmp | upx
behavioral1/memory/1768-71-0x0000000000040000-0x00000000001A5000-memory.dmp | upx

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | vbc.exe
Key created | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe" | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/960-55-0x0000000000040000-0x00000000001A5000-memory.dmp | autoit_exe
behavioral1/memory/960-59-0x0000000000040000-0x00000000001A5000-memory.dmp | autoit_exe
behavioral1/memory/1768-71-0x0000000000040000-0x00000000001A5000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1768 set thread context of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | vbc.exe
File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | vbc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
844 | vbc.exe
844 | vbc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
844 | vbc.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 844 | vbc.exe

Suspicious use of FindShellTrayWindow (7 IoCs)
pid | Process
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe

Suspicious use of SendNotifyMessage (7 IoCs)
pid | Process
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 960 wrote to memory of 1768 | 960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 28
PID 960 wrote to memory of 1768 | 960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 28
PID 960 wrote to memory of 1768 | 960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 28
PID 960 wrote to memory of 1768 | 960 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 28
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
PID 1768 wrote to memory of 844 | 1768 | 1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe"
   PID: 960
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\lf2" "C:\Users\Admin\AppData\Local\Temp\1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe" "1b7ba0a5a26b2a0fe9d98fdddb8e2be089bd502daceaece542b91848e75d1062.exe"
      PID: 1768
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. (child of 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
         PID: 844
         - Adds Run key to start application
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 202KB
MD5: 62cddffde88715a338548dbfa47b555c
SHA1: 17d9eed664beee32f9fa62d61daaaac931885e51
SHA256: 06538639dc35c0781397871581f21949a11afd5080d0f6a69b5c09c8d278cb8a
SHA512: 0fe70f5fae9ca1fee043b00bd0119dc1c5a7055881c1ed91a725a8cf7476c365e0b0d621ce35b5e6ff9e07687e5fa8901c47c4496297723288b10b39bbaa5442

Filesize: 5KB
MD5: be7a4ea468b142994adae5c442dfdd06
SHA1: 606fb007510259993f4726a8d0b1f41fa1de23d9
SHA256: d399db8ae87b1d97732184cd2bbf67d745c4146cf8d6d33e26bedcfd53384064
SHA512: c55609f24408106a2e171cd7f691eeecb81b99be6023bdec672e578bf5bfc5ca787d94d9a5affff98a0c996771ba5da5d53d4b499240571b957a90c0e3059511