Analysis
max time kernel: 177s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 30-11-2022 18:12

Static task: static1
Behavioral task: behavioral1
Sample: def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe
Resource: win7-20220901-en
General
Target: def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe
Size: 1.2MB
MD5: ab97523c0c284868c08c9120d921ba06
SHA1: 0c79283dff6d22f7cf85561f33ff8f2753de880a
SHA256: def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27
SHA512: 06c09f00cc60e682453b5317f23f9c1d36a1535b0f5de10e491dc587953d43345e41dd50acfc7019487180f48e504cd8a6d4b10029c1508b367ba9609e96f554
SSDEEP: 24576:ZAHnh+eWsN3skA4RV1Hom2KXMmHa+erpr3rzzF5:gh+ZkldoPK8Ya+WL
Malware Config
Extracted family: nanocore
Version: 1.2.2.0
C2 hosts: 185.162.88.16:2359, dish123newpro.publicvm.com:2359
Mutex: c253fe26-7f15-444b-bcbf-bdaaa6a4fb19

Configuration values:
activate_away_mode: true
backup_connection_host: dish123newpro.publicvm.com
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-12-27T16:33:42.242053636Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 2359
default_group: NANO17032019
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: c253fe26-7f15-444b-bcbf-bdaaa6a4fb19
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 185.162.88.16
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 796 osk.exe
- 4884 osk.exe
- 2696 osk.exe

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (key value queried, by process):
- \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation, by osk.exe
- \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation, by def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe
- \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation, by osk.exe
- \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation, by osk.exe

Checks whether UAC is enabled (1 IoCs)
Processes (key value queried, by process):
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by RegAsm.exe

AutoIT Executable (4 IoCs)
AutoIT scripts compiled to PE executables.
Processes (resource, yara_rule):
- C:\Users\Admin\authfwcfg\osk.exe, autoit_exe
- C:\Users\Admin\authfwcfg\osk.exe, autoit_exe
- C:\Users\Admin\authfwcfg\osk.exe, autoit_exe
- C:\Users\Admin\authfwcfg\osk.exe, autoit_exe

Suspicious use of SetThreadContext (4 IoCs)
Processes (pid, process -> target pid, target process):
- PID 4260 def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe set thread context of 3228 RegAsm.exe
- PID 796 osk.exe set thread context of 4132 RegAsm.exe
- PID 4884 osk.exe set thread context of 3400 RegAsm.exe
- PID 2696 osk.exe set thread context of 4348 RegAsm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 532 schtasks.exe
- 1280 schtasks.exe
- 2224 schtasks.exe
- 4904 schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid, process):
- 3228 RegAsm.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 3228 RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3228 RegAsm.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (pid, process -> target pid, target process; repeated entries counted):
- PID 4260 def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe wrote to memory of 3228 RegAsm.exe (5 entries)
- PID 4260 def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe wrote to memory of 532 schtasks.exe (3 entries)
- PID 796 osk.exe wrote to memory of 4132 RegAsm.exe (5 entries)
- PID 796 osk.exe wrote to memory of 1280 schtasks.exe (3 entries)
- PID 4884 osk.exe wrote to memory of 3400 RegAsm.exe (5 entries)
- PID 4884 osk.exe wrote to memory of 2224 schtasks.exe (3 entries)
- PID 2696 osk.exe wrote to memory of 4348 RegAsm.exe (5 entries)
- PID 2696 osk.exe wrote to memory of 4904 schtasks.exe (3 entries)
Processes
Process tree (the number is the depth in the tree; depth 2 entries are children of the depth 1 entry above them):

1. C:\Users\Admin\AppData\Local\Temp\def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\def61d4f51f9e74dd472f3d3a815ab228d40fd4ff1b9fcc51c56f291270bcf27.exe"
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemPropertiesHardware /tr "C:\Users\Admin\authfwcfg\osk.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

1. C:\Users\Admin\authfwcfg\osk.exe
   Command line: C:\Users\Admin\authfwcfg\osk.exe
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemPropertiesHardware /tr "C:\Users\Admin\authfwcfg\osk.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

1. C:\Users\Admin\authfwcfg\osk.exe
   Command line: C:\Users\Admin\authfwcfg\osk.exe
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemPropertiesHardware /tr "C:\Users\Admin\authfwcfg\osk.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)

1. C:\Users\Admin\authfwcfg\osk.exe
   Command line: C:\Users\Admin\authfwcfg\osk.exe
   - Executes dropped EXE
   - Checks computer location settings
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn SystemPropertiesHardware /tr "C:\Users\Admin\authfwcfg\osk.exe" /sc minute /mo 1 /F
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log
Filesize: 496B
MD5: 5b4789d01bb4d7483b71e1a35bce6a8b
SHA1: de083f2131c9a763c0d1810c97a38732146cffbf
SHA256: e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
SHA512: 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede

C:\Users\Admin\authfwcfg\osk.exe
Filesize: 1.2MB
MD5: d792111c6517fc19fb42fe2bab7fabc6
SHA1: 210fd073132655fed6abbb3140807ee4c644dac7
SHA256: 5d70f34e80726852aa55cf699730baf63448f9d71876a7cc16ae82720dda6a35
SHA512: 87f17bd8c360cf923a3c6ddafb339d3838e6a096364cec30c17863a99d943fb32626a6a8b10661d2f21a57c9a68a75c0e5c7286138698027558df2e00543b131
Memory dumps (filesize where reported):
- memory/532-138-0x0000000000000000-mapping.dmp
- memory/1280-150-0x0000000000000000-mapping.dmp
- memory/2224-161-0x0000000000000000-mapping.dmp
- memory/3228-140-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/3228-133-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/3228-132-0x0000000000000000-mapping.dmp
- memory/3228-139-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/3400-163-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/3400-154-0x0000000000000000-mapping.dmp
- memory/3400-162-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/4132-152-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/4132-151-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/4132-149-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/4132-143-0x0000000000000000-mapping.dmp
- memory/4348-166-0x0000000000700000-0x0000000000738000-memory.dmp (224KB)
- memory/4348-165-0x0000000000000000-mapping.dmp
- memory/4348-172-0x0000000073780000-0x0000000073D31000-memory.dmp (5.7MB)
- memory/4904-171-0x0000000000000000-mapping.dmp