Analysis
- max time kernel: 170s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 18:11
Static task
- static1
Behavioral task
- behavioral1
Sample: 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe
Resource: win7-20220812-en
General
- Target: 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe
- Size: 1.3MB
- MD5: a11ab784e6d3546992d20dd689053590
- SHA1: efb53ba66291154d758e033d24ad19a1567918db
- SHA256: 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34
- SHA512: 73b093e8fcf0c9c8b4d8bf83f1b210b10ced13b093482f63f771a41774a72e3bbfe0e617255f869be54cecdd0d356856af000e61cdd02a890f89e798c49091a2
- SSDEEP: 24576:3u6J33O0c+JY5UZ+XC0kGso6FaUngm/MmiTv5WYk:Ru0c++OCvkGs9FaoiTMYk
Malware Config
Extracted
- nanocore
- 1.2.2.0
- microsoft.btc-crypto-rewards.cash:3020
- 91.192.100.7:3020
- 8f96fcee-6a12-4372-9c82-ebf284f80be1

Configuration keys and values:
- activate_away_mode: true
- backup_connection_host: 91.192.100.7
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-12-17T05:15:58.097142536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3020
- default_group: macro doc pop up
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 8f96fcee-6a12-4372-9c82-ebf284f80be1
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: microsoft.btc-crypto-rewards.cash
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 3696 qprocess.exe
- 616 qprocess.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: qprocess.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: qprocess.exe)

Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: RegAsm.exe)

AutoIT Executable (3 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
- C:\Users\Admin\AuthHostProxy\qprocess.exe (yara rule: autoit_exe)
- C:\Users\Admin\AuthHostProxy\qprocess.exe (yara rule: autoit_exe)
- C:\Users\Admin\AuthHostProxy\qprocess.exe (yara rule: autoit_exe)

Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process, target process):
- PID 4204 set thread context of 4828: 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe -> RegAsm.exe
- PID 3696 set thread context of 60: qprocess.exe -> RegAsm.exe
- PID 616 set thread context of 4396: qprocess.exe -> RegAsm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 4560 schtasks.exe
- 1132 schtasks.exe
- 4692 schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid, process):
- 4828 RegAsm.exe
- 4828 RegAsm.exe
- 4828 RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 4828 RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege (pid 4828, RegAsm.exe)

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description, pid, process, target process), grouped with the number of identical records:
- PID 4204 wrote to memory of 4828: 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe -> RegAsm.exe (5 records)
- PID 4204 wrote to memory of 4692: 78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe -> schtasks.exe (3 records)
- PID 3696 wrote to memory of 60: qprocess.exe -> RegAsm.exe (5 records)
- PID 3696 wrote to memory of 4560: qprocess.exe -> schtasks.exe (3 records)
- PID 616 wrote to memory of 4396: qprocess.exe -> RegAsm.exe (5 records)
- PID 616 wrote to memory of 1132: qprocess.exe -> schtasks.exe (3 records)
Processes
- C:\Users\Admin\AppData\Local\Temp\78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\78098846a197b5b8a1d18c8d63bb6d3ddbf63721a1362530a382fbba5a0e0b34.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn WUDFHost /tr "C:\Users\Admin\AuthHostProxy\qprocess.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
- C:\Users\Admin\AuthHostProxy\qprocess.exe (level 1)
  Command line: C:\Users\Admin\AuthHostProxy\qprocess.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn WUDFHost /tr "C:\Users\Admin\AuthHostProxy\qprocess.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
- C:\Users\Admin\AuthHostProxy\qprocess.exe (level 1)
  Command line: C:\Users\Admin\AuthHostProxy\qprocess.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn WUDFHost /tr "C:\Users\Admin\AuthHostProxy\qprocess.exe" /sc minute /mo 1 /F
    - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
  Filesize: 496B
  MD5: 5b4789d01bb4d7483b71e1a35bce6a8b
  SHA1: de083f2131c9a763c0d1810c97a38732146cffbf
  SHA256: e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
  SHA512: 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede
- C:\Users\Admin\AuthHostProxy\qprocess.exe
  Filesize: 1.3MB
  MD5: 4d0722defbb8a3f729bd0c7b9e44339e
  SHA1: c74e896d288bcc6ed53e5ad7b6f1b3f40d3e8ce2
  SHA256: ce6a85992da8f1df53973d0f8706ca30344fa4a2a914024b325611c25dd198d7
  SHA512: 479bdf7bd259d554c8c21619232e0cedfd5ca649389ff12ac2e6f7adcf77c83658aa3bece20edbd690d0f39cda5d535961c330d1fe38af9ca2408aa883daaf44