Analysis
- max time kernel: 152s
- max time network: 183s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 30-11-2022 19:21
Static task: static1
Behavioral task: behavioral1
- Sample: 0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
- Resource: win10v2004-20221111-en
General
- Target: 0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
- Size: 524KB
- MD5: b8b75b9d85c2525bf6a279ee38e1fbe3
- SHA1: 8cd035cc00557063f695569f7156b67634c5f1ae
- SHA256: 0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5
- SHA512: b2fffd8cfae10bfc15aab7c6792579294ffb6c3209b49f03d8b0e91bea24ffca1b87dc5a7bcf92ab73464d16a1ce8de3388ec935f7959cb1eada1f935df73a9c
- SSDEEP: 12288:X4uMhMNY9dr8PxljcYeRGkv7TuaOEjIp:OhMNYfQPHOO
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: ella666.duckdns.org:31833
- C2: second54321.ddns.net:31833
- Mutex: 15e30443-b8b9-4837-95fa-542ed5b1078a
Attributes:
- activate_away_mode: true
- backup_connection_host: second54321.ddns.net
- backup_dns_server: second54321.ddns.net
- buffer_size: 65535
- build_time: 2020-11-07T09:26:13.196540636Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (no value in report)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 31833
- default_group: 31833
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 15e30443-b8b9-4837-95fa-542ed5b1078a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: ella666.duckdns.org
- primary_dns_server: ella666.duckdns.org
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks whether UAC is enabled
  Processes:
  description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: 0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description: set thread context | pid 1628 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe) -> target pid 580 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
  pid 580 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe)
  pid 580 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description: Token: SeDebugPrivilege | pid 580 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe)
- Suspicious use of WriteProcessMemory 13 IoCs
  Processes:
  PID 1628 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe) wrote to memory of 764 (schtasks.exe): 4 IoCs
  PID 1628 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe) wrote to memory of 580 (0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe): 9 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcGIkkp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8CE.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA8CE.tmp
  Filesize: 1KB
  MD5: 439b960e0b71792d1aa82c9a11f85ac3
  SHA1: 6b71dba96809a7db88fa430e67e08989bfb78440
  SHA256: 338e2351f595461862aff9aeda94b32992ef6b16c4531ae3c89f427cb03f7c1e
  SHA512: bf3a50b9c9124a08313bc9a79b289f73afa010f8e00a9966df2e9a91f5e2088db0ddbcba4042ae7ba922f69c0e7b8b5e5ba9a9e28b44bee4c67156b78ed30fad
- memory/580-69-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/580-61-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/580-75-0x0000000000450000-0x000000000045A000-memory.dmp (Filesize: 40KB)
- memory/580-74-0x0000000000460000-0x000000000047E000-memory.dmp (Filesize: 120KB)
- memory/580-64-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/580-60-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/580-73-0x0000000000440000-0x000000000044A000-memory.dmp (Filesize: 40KB)
- memory/580-63-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/580-71-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/580-66-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/580-67-0x000000000041E792-mapping.dmp
- memory/764-58-0x0000000000000000-mapping.dmp
- memory/1628-54-0x0000000000B00000-0x0000000000B8A000-memory.dmp (Filesize: 552KB)
- memory/1628-55-0x00000000757B1000-0x00000000757B3000-memory.dmp (Filesize: 8KB)
- memory/1628-56-0x0000000000600000-0x000000000060A000-memory.dmp (Filesize: 40KB)
- memory/1628-57-0x0000000004F70000-0x0000000004FD8000-memory.dmp (Filesize: 416KB)