Analysis
-
max time kernel
119s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
03-12-2022 23:21 (read as 3 December 2022: the MM-DD reading would predate both the 2022-09-09 build_time and the 2022-08-12 sandbox image)
Static task
static1
Behavioral task
behavioral1
Sample
18cd96c07ff82aa2d322d0e66426734b.exe
Resource
win7-20220812-en
General
-
Target
18cd96c07ff82aa2d322d0e66426734b.exe
-
Size
336KB
-
MD5
18cd96c07ff82aa2d322d0e66426734b
-
SHA1
83feb91f4a28e5b3c01fa2b86d9cbf9926ad6583
-
SHA256
62ef85b80d921282ea82b900e2d2663d75e433470a3236146adeddabd3ac6a38
-
SHA512
e1a8f585e5ebc80d501f614c65e63f1d24829169cc3af6d41fd154ce35b0b7f89c56c3b7cc9d598448b77c7d5465596d76f3a96771fcc284f154a51241dde319
-
SSDEEP
6144:oECmDimAbetPUu/femoEv7a48wn87QMH3xXjqdzUgSpIFaJ7LqwIrF3:Jivy2MfL8wNM4vaJfqwIJ
Malware Config
Extracted
nanocore
1.2.2.0
nasim1.duckdns.org:22102 (primary_connection_host)
winter-dew-56140.pktriot.net:22102 (backup_connection_host)
aaf67717-0374-4dd5-b84e-fb1bb826519c (mutex)
-
activate_away_mode
true
-
backup_connection_host
winter-dew-56140.pktriot.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-09-09T21:16:41.136666036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
22102
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (i.e. 10485760 bytes, 10 MiB; float notation is an artefact of config extraction)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (i.e. 10485760 bytes, 10 MiB; float notation is an artefact of config extraction)
-
mutex
aaf67717-0374-4dd5-b84e-fb1bb826519c
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nasim1.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true (NOTE: if the implant honours this flag, terminating its process may crash the host; verify before killing it during response and prefer network isolation first)
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
test.exe — pid 948, process test.exe
Loads dropped DLL 2 IoCs
Processes:
18cd96c07ff82aa2d322d0e66426734b.exe — pid 1652, process 18cd96c07ff82aa2d322d0e66426734b.exe (listed twice, one row per dropped-DLL load event)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
test.exe — description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"; process: test.exe
Checks whether UAC is enabled
Processes:
test.exe — description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: test.exe (queried even though the extracted config has bypass_user_account_control and request_elevation set to false, so the check may be informational only — confirm)
Drops file in Program Files directory 2 IoCs
Processes:
test.exe — File created: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe (process test.exe); File opened for modification: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe (process test.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is a generic sandbox heuristic that is often associated with ransomware; however, the extracted configuration identifies this sample as NanoCore (a remote-access trojan) and no file-encryption activity appears elsewhere in this report, so drive enumeration here is more plausibly reconnaissance than ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here test.exe (PID 948) launches schtasks.exe twice, creating the tasks "NTFS Monitor" and "NTFS Monitor Task" from XML files in %TEMP% (tmp7AF.tmp and tmp3268.tmp), alongside the HKLM Run key pointing at C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe. This persistence is observed even though the extracted config has run_on_startup set to false, so hunt on the task names, the Run key and the file path rather than on config flags. Only tmp7AF.tmp was captured in the dropped-file list; the definition of "NTFS Monitor Task" is not recoverable from this report.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
test.exe — pid 948, process test.exe (listed three times, one row per process-enumeration event)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
test.exe — pid 948, process test.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
18cd96c07ff82aa2d322d0e66426734b.exe, test.exe — Token: SeDebugPrivilege, pid 1652, 18cd96c07ff82aa2d322d0e66426734b.exe; Token: SeDebugPrivilege, pid 948, test.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
DllHost.exe — pid 1512, process DllHost.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
18cd96c07ff82aa2d322d0e66426734b.exe, test.exe — description / pid / process / target process:
PID 1652 wrote to memory of 948 — 18cd96c07ff82aa2d322d0e66426734b.exe → test.exe (4 events)
PID 948 wrote to memory of 580 — test.exe → schtasks.exe (4 events)
PID 948 wrote to memory of 740 — test.exe → schtasks.exe (4 events)
NOTE: parent-to-child WriteProcessMemory is commonly seen with process injection/hollowing but can also be ordinary launcher behaviour; confirm against the memory dumps listed below before treating it as injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\18cd96c07ff82aa2d322d0e66426734b.exe
"C:\Users\Admin\AppData\Local\Temp\18cd96c07ff82aa2d322d0e66426734b.exe" (depth 1)
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe" (depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7AF.tmp" (depth 3)
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3268.tmp" (depth 3)
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} (depth 1)
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\salary.png
Filesize 26KB
MD5 b88420e659e03bbc7ded3fa1b242195a
SHA1 67fff491240927e7ee6bde83a7a660b3e666bb5b
SHA256 e6b4706c75cf50021bfa7a9ce3a6945c79e72f06d0b7de4e71299f5d003bad31
SHA512 f9ab477a19787f18e11b67191cb1996a403c7cfe4670cd3f6f7702015c797c123cb79b3736b1b177481de6e8a2019923872a11d055d016701d9b1a4fc4bcf72c
-
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize 203KB
MD5 5106b627ddc082155764efe6d0b56882
SHA1 b6040cbf5a9751b830322d5972be98c125792e0c
SHA256 c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384
SHA512 e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094
-
C:\Users\Admin\AppData\Local\Temp\test.exe (duplicate entry; same hashes as above)
Filesize 203KB
MD5 5106b627ddc082155764efe6d0b56882
SHA1 b6040cbf5a9751b830322d5972be98c125792e0c
SHA256 c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384
SHA512 e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094
-
C:\Users\Admin\AppData\Local\Temp\tmp7AF.tmp (scheduled-task XML passed to schtasks.exe for "NTFS Monitor")
Filesize 1KB
MD5 daa959fa3888b5436fb93b6796bc803b
SHA1 43b8b749c623daede8374165806b8354655fa06c
SHA256 da87a4088b0f1dce79ca8128c8275cb6eaf527e571c68a6fb3a0b56576d38344
SHA512 aba76a0d311ad0466c64aac0d8f6ed483d2006dc0f14ac78af6af33b9db920a3735fa9478bb6fc5535f4b5eb9621479ec6f8172e05089c27872016ae08f896f0
-
\Users\Admin\AppData\Local\Temp\test.exe (same file as the C:\ entries above)
Filesize 203KB
MD5 5106b627ddc082155764efe6d0b56882
SHA1 b6040cbf5a9751b830322d5972be98c125792e0c
SHA256 c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384
SHA512 e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094
-
\Users\Admin\AppData\Local\Temp\test.exe (duplicate entry; same hashes as above)
Filesize 203KB
MD5 5106b627ddc082155764efe6d0b56882
SHA1 b6040cbf5a9751b830322d5972be98c125792e0c
SHA256 c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384
SHA512 e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094
-
memory/580-64-0x0000000000000000-mapping.dmp
-
memory/740-67-0x0000000000000000-mapping.dmp
-
memory/948-58-0x0000000000000000-mapping.dmp
-
memory/948-65-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
Filesize
5.7MB
-
memory/948-68-0x000000006F4B0000-0x000000006FA5B000-memory.dmp
Filesize
5.7MB
-
memory/1652-54-0x0000000000DA0000-0x0000000000DAE000-memory.dmp
Filesize
56KB
-
memory/1652-55-0x0000000076041000-0x0000000076043000-memory.dmp
Filesize
8KB