Analysis

Max time kernel: 151s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30-11-2022 18:12
Static task: static1
Behavioral task: behavioral1
Sample: d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe
Resource: win7-20221111-en
General

Target: d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe
Size: 2.2MB
MD5: 5f947b7e7798b0a66d4fa58171d7e688
SHA1: 67f196b2cdf63dd5719a7b89e8e23097b73ffcf9
SHA256: d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337
SHA512: 4e26a8efa6ec3b3fceb23dd69041b8e6609f5b3878ea2c71e850e40daae0886e56a246281da318b0e96e30df7e4a6585ccb5069475e1e9cd87f4c4eef4218953
SSDEEP: 24576:uAHnh+eWsN3skA4RV1Hom2KXMmHaNKuZtncFYj7uurNYvj+4c0JnCPcd5m:Zh+ZkldoPK8YaNDYvdcEC+m
Malware Config

Extracted: nanocore
Version: 1.2.2.0
C2 hosts: shamim.zapto.org:11457, tost.dynamic-dns.net:11457
Mutex: 8017d58d-7b7f-4b91-b6de-613adf085a1e

activate_away_mode: false
backup_connection_host: tost.dynamic-dns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-12-01T22:40:08.386446536Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 11457
default_group: ALPHA
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 8017d58d-7b7f-4b91-b6de-613adf085a1e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: shamim.zapto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Extracted: lokibot
C2 URLs:
http://directmalta.com/blye.directmalta.com/wp-admin/css/colors/blue/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures

Executes dropped EXE (2 IoCs)
Processes: hhu.exe (PID 2980), hhu.exe (PID 348)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (hhu.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe)

Drops startup file (1 IoC)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BingMaps.url (d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (hhu.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (hhu.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook (hhu.exe)

Checks whether UAC is enabled
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)

Suspicious use of SetThreadContext (2 IoCs)
PID 3564 (d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe) set thread context of PID 4960 (RegAsm.exe)
PID 2980 (hhu.exe) set thread context of PID 348 (hhu.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

NTFS ADS (2 IoCs)
File created: C:\Users\Admin\AppData\Local\Temp\hhu.exe:Zone.Identifier (cmd.exe)
File opened for modification: C:\Users\Admin\AppData\Local\Temp\hhu.exe:Zone.Identifier (cmd.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: RegAsm.exe (PID 4960), 3 entries

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RegAsm.exe (PID 4960)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, RegAsm.exe (PID 4960)
Token: SeDebugPrivilege, hhu.exe (PID 2980)
Token: SeDebugPrivilege, hhu.exe (PID 348)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe (PID 3564), 3 entries

Suspicious use of SendNotifyMessage (3 IoCs)
Processes: d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe (PID 3564), 3 entries

Suspicious use of WriteProcessMemory (23 IoCs)
PID 3564 (d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe) wrote to memory of PID 2980 (hhu.exe): 3 entries
PID 3564 (d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe) wrote to memory of PID 4960 (RegAsm.exe): 5 entries
PID 2980 (hhu.exe) wrote to memory of PID 1332 (cmd.exe): 3 entries
PID 2980 (hhu.exe) wrote to memory of PID 3192 (cmd.exe): 3 entries
PID 2980 (hhu.exe) wrote to memory of PID 348 (hhu.exe): 9 entries

outlook_office_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook (hhu.exe)

outlook_win_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (hhu.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d0fe97a770e2046435a4cabbafbc6738171ee6d436478192bf7bffeea57f4337.exe"
- Checks computer location settings
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\hhu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hhu.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\hhu.exe:Zone.Identifier"
        - NTFS ADS

        C:\Windows\SysWOW64\cmd.exe (second instance)
        Command line: "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\hhu.exe:Zone.Identifier"
        - NTFS ADS

        C:\Users\Admin\AppData\Local\Temp\hhu.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\hhu.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads
C:\Users\Admin\AppData\Local\Temp\hhu.exe
Filesize: 404KB
MD5: 58a99ccc2bac6833f830bcd461fbe3f5
SHA1: 0a46a1a6bac05f7f3b25919ab1481bb587bba1cd
SHA256: 48aecd9b5733eb20157253c4b800d40d6b20db690fd45abf65e4ed3c6e59dff5
SHA512: 193313f5372800c1d62854d9b067f6b56658277f4478da52974dbdd888fec0edb962ee22950886c60d23389f6ad7618e9fcd34985867ddfe108432e5eb8b2cfe