Analysis
max time kernel: 166s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 20:36
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.FileRepMalware.26932.14920.exe
Resource: win7-20221111-en
General
Target: SecuriteInfo.com.FileRepMalware.26932.14920.exe
Size: 332KB
MD5: 28c9e35edb678e3ef43a7c0337675e52
SHA1: 7b5f141844a73d05ea664de248f694c08ab8236f
SHA256: 4b88ed1cdf4f5cec567da602c8ed79512856ae6a3c7fe70739628a1346151bd9
SHA512: 854d47fd7d032af9431369e503c5e145c7936ea253a92396f1ebdc89107b21c7e94afc14a76b5c514e303a3ab29d8349bbc7d1410f66dc67e2abf0159a7ce0d6
SSDEEP: 6144:NBn0/iQer/89iaoLlvoia6G8dyful+xHiiZSMBijO:EtdelvoiaF84RZzBijO
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: albertsamco76.ddns.net:7480
C2: 79.134.225.71:7480
Mutex: 595ac7be-87a8-4935-8bed-199af086cae8
Attributes:
activate_away_mode: true
backup_connection_host: 79.134.225.71
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-07-15T18:29:52.126272236Z
bypass_user_account_control: false
bypass_user_account_control_data (base64-encoded Task Scheduler XML):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 5000
connection_port: 7480
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760 bytes, 10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760 bytes, 10 MiB)
mutex: 595ac7be-87a8-4935-8bed-199af086cae8
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: albertsamco76.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
  PID 1272 iehlje.exe
  PID 1572 iehlje.exe
  PID 1548 iehlje.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  iehlje.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Monitor = "C:\\Program Files (x86)\\UPNP Monitor\\upnpmon.exe"
  This is the machine-wide (HKLM) Run key, reached through WOW6432Node because the writer is a 32-bit process; writing it requires administrative rights, which the sandbox user (Admin) had.
- Checks whether UAC is enabled (1 IoCs)
  Processes:
  iehlje.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 1272 iehlje.exe set thread context of PID 1548 iehlje.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  iehlje.exe: File created C:\Program Files (x86)\UPNP Monitor\upnpmon.exe
  iehlje.exe: File opened for modification C:\Program Files (x86)\UPNP Monitor\upnpmon.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  PID 3692 schtasks.exe
  PID 3548 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  PID 1548 iehlje.exe (9 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  PID 1548 iehlje.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  PID 1272 iehlje.exe (2 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  PID 1548 iehlje.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
  PID 1644 SecuriteInfo.com.FileRepMalware.26932.14920.exe wrote to memory of PID 1272 iehlje.exe (3 times)
  PID 1272 iehlje.exe wrote to memory of PID 1572 iehlje.exe (3 times)
  PID 1272 iehlje.exe wrote to memory of PID 1548 iehlje.exe (4 times)
  PID 1548 iehlje.exe wrote to memory of PID 3692 schtasks.exe (3 times)
  PID 1548 iehlje.exe wrote to memory of PID 3548 schtasks.exe (3 times)
Processes
Depth is shown in brackets. PIDs are taken from the WriteProcessMemory and SetThreadContext signatures: 1644 is the submitted sample, 1272 the first iehlje.exe, 1572 and 1548 its children (1548 is the one carrying the persistence and schtasks activity), and the two schtasks.exe instances are PIDs 3692 and 3548.
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.26932.14920.exe (PID 1644)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.26932.14920.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\iehlje.exe (PID 1272)
        Command line: "C:\Users\Admin\AppData\Local\Temp\iehlje.exe" C:\Users\Admin\AppData\Local\Temp\kkrbfp.guk
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\iehlje.exe (PID 1572)
            Command line: "C:\Users\Admin\AppData\Local\Temp\iehlje.exe"
            - Executes dropped EXE
        [3] C:\Users\Admin\AppData\Local\Temp\iehlje.exe (PID 1548, target of the SetThreadContext call from PID 1272)
            Command line: "C:\Users\Admin\AppData\Local\Temp\iehlje.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6580.tmp"
                - Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp852F.tmp"
                - Creates scheduled task(s)
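Two patterns in the process tree above are worth turning into detection logic: a Temp-resident binary spawning a fresh copy of itself (PID 1272 launching PID 1548 and then setting its thread context, while the 11KB iehlje.exe on disk ends up with a 296KB image region at 0x400000 in memory/1548-141, which is consistent with process hollowing), and schtasks.exe /create being fed a task XML from the user's Temp directory by a parent that itself runs from Temp. The Python below is an added example, not part of the sandbox report or of any EDR product: it evaluates those two rules over process-creation records. The ProcessEvent field names are an assumed schema, the sample events are constructed from the command lines shown in the tree (the parent of the initial sample is not in the report and is assumed to be explorer.exe), and the final event is a constructed benign control to show the rules do not fire on an ordinary task registration.

```python
import re
from dataclasses import dataclass

# Added example, not part of the sandbox report. Field names below are an
# assumed schema, not a real EDR or Sysmon event layout.


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the creating process


# Matches any path under C:\Users\<name>\AppData\Local\Temp\ (case-insensitive).
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Captures the argument of schtasks' /xml switch, quoted (group 1) or bare (group 2).
SCHTASKS_XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.search(path))


def flags_for(ev: ProcessEvent) -> list:
    """Return the list of rule descriptions that match this event (empty if none)."""
    reasons = []
    image = ev.image.lower()
    cmd = ev.command_line.lower()

    # Rule 1: schtasks /create whose task definition is staged in the user Temp directory,
    # or whose parent runs from there. Both held for PIDs 3692 and 3548 in the report.
    if image.endswith("\\schtasks.exe") and "/create" in cmd:
        m = SCHTASKS_XML_RE.search(ev.command_line)
        xml_path = (m.group(1) or m.group(2)) if m else None
        if xml_path and in_user_temp(xml_path):
            reasons.append("schtasks /create reads its task XML from the user Temp directory")
        if in_user_temp(ev.parent_image):
            reasons.append("schtasks spawned by a process running from the user Temp directory")

    # Rule 2: a Temp-resident executable launching a fresh copy of itself, the
    # parent/child shape seen before the SetThreadContext call in the report.
    if in_user_temp(ev.image) and image == ev.parent_image.lower():
        reasons.append("Temp-resident process spawned a copy of itself (process-hollowing candidate)")

    return reasons


def scan(events) -> dict:
    """Map PID -> matched rules for every event that triggers at least one rule."""
    return {ev.pid: r for ev in events if (r := flags_for(ev))}


T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # Constructed from the report's process tree; parent of the sample is assumed.
    ProcessEvent(1644, T + r"\SecuriteInfo.com.FileRepMalware.26932.14920.exe",
                 '"' + T + r'\SecuriteInfo.com.FileRepMalware.26932.14920.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(1272, T + r"\iehlje.exe",
                 '"' + T + r'\iehlje.exe" ' + T + r"\kkrbfp.guk",
                 T + r"\SecuriteInfo.com.FileRepMalware.26932.14920.exe"),
    ProcessEvent(1548, T + r"\iehlje.exe", '"' + T + r'\iehlje.exe"', T + r"\iehlje.exe"),
    ProcessEvent(3692, r"C:\Windows\SysWOW64\schtasks.exe",
                 '"schtasks.exe" /create /f /tn "UPNP Monitor" /xml "' + T + r'\tmp6580.tmp"',
                 T + r"\iehlje.exe"),
    ProcessEvent(3548, r"C:\Windows\SysWOW64\schtasks.exe",
                 '"schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "' + T + r'\tmp852F.tmp"',
                 T + r"\iehlje.exe"),
    # Constructed benign control: an administrator registering a task from a console.
    ProcessEvent(9001, r"C:\Windows\System32\schtasks.exe",
                 'schtasks.exe /create /tn "NightlyBackup" /xml "C:\\ProgramData\\Backup\\task.xml"',
                 r"C:\Windows\System32\cmd.exe"),
]


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed events, only PIDs 1548, 3692 and 3548 are flagged; the sample itself (1644) and the first loader stage (1272) are not, because neither rule looks at the initial drop. Installers that unpack to Temp and register a task from there will trip the XML-path half of rule 1, so in production the parent-in-Temp condition is the one to weight more heavily, and the Run key write to HKLM\SOFTWARE\WOW6432Node\...\Run\UPNP Monitor from the same process is the corroborating registry event to pair with it.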
Downloads
- C:\Users\Admin\AppData\Local\Temp\iehlje.exe
  Filesize: 11KB
  MD5: 69fd49d17c4f87ffd7dc8b522221f0b7
  SHA1: 1390e8826e287fe76c123f09268d1f1c4f017efd
  SHA256: 6b17a260683b2b992a0e9e3a6fd416ead80aaf3939f80cf069669aff9bf4484d
  SHA512: cc74d015dbe80f5da2106d54d26d73341bc7f665d99f633828347442e87a4fc12323c47d5ca910e6404a325639180b2915605e7b4d352f56159af449047facb5
- C:\Users\Admin\AppData\Local\Temp\kkrbfp.guk
  Filesize: 6KB
  MD5: ee09c608402f65f96cf7e8b1a84ba3b1
  SHA1: d5ae47bfa8f0c035110581294b0c772e43685c48
  SHA256: 372409d121cfc5c12645b2bf2801d3d1d482ba33af2a274dca0fe442c993fb7b
  SHA512: ae8d8c450a346cabd4668f7621a6a94e5f4c7bf8c91e52fb525e1f350d60c836a89f6c49bb22391b1c5db86ae0e573c0287ee5bdbdf0d4c3e6326e4ca92e6b7d
- C:\Users\Admin\AppData\Local\Temp\tmp6580.tmp
  Filesize: 1KB
  MD5: 52f6ff682f378d3ac9cbaefef4bfee0b
  SHA1: 12d439af02e1b043a39ffa8163d79e42880bf4e4
  SHA256: 7ee7025da30a0f55ca1c8e1af0d16db21c44825b568418f3e631c388c20f327a
  SHA512: c946ece69845d329cd80a431291bd0c803d70dbad5a2e2d5b370b2d8c3756859f649fec263f9651d7dd96267466e2722cd33ac4fbcbe826e75f7401923797546
- C:\Users\Admin\AppData\Local\Temp\tmp852F.tmp
  Filesize: 1KB
  MD5: c9a4c783d2e18eea86e071de92f36f02
  SHA1: 4cb02db05386ccb70a23fa89dbadfddfc8f7b6af
  SHA256: 21d669a674eb23538f38f6822429d797e69e0685d18c0e6e03ec6801098b240a
  SHA512: b6d5198d9ca83687fcc491c02ad8b417e02dff0150b514c3d39d13b8de9ffba6f3779ee7bb6350b087474fb6e0d1bd10b8fdd5c8f48a46c9cfd183d9045b80ef
- C:\Users\Admin\AppData\Local\Temp\veoyrfcdoj.uqm
  Filesize: 281KB
  MD5: 762db5edde9cdabd1e9f086bbc2d9f76
  SHA1: 8309bebd34da8135074565da1793c24e3fa6d07a
  SHA256: aa76c099b7c3e186615da56b48036a191fb2a37e5fc37258cb0c9d23945b2dd4
  SHA512: 0996aadcaf1de6d52d6a2f321e760a8ea0c595d1cda8d860831b515743993ce8c6d3f35aac82df58016593e7fb5c93d9d7adde7a0a8ae375028548a89bf0d79f
- memory/1272-132-0x0000000000000000-mapping.dmp
- memory/1548-139-0x0000000000000000-mapping.dmp
- memory/1548-141-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/1548-142-0x0000000000400000-0x000000000044A000-memory.dmp
  Filesize: 296KB
- memory/1548-143-0x0000000005C50000-0x00000000061F4000-memory.dmp
  Filesize: 5.6MB
- memory/1548-144-0x00000000055F0000-0x0000000005682000-memory.dmp
  Filesize: 584KB
- memory/1548-145-0x0000000005740000-0x00000000057DC000-memory.dmp
  Filesize: 624KB
- memory/1548-146-0x0000000005700000-0x000000000570A000-memory.dmp
  Filesize: 40KB
- memory/1572-137-0x0000000000000000-mapping.dmp
- memory/3548-149-0x0000000000000000-mapping.dmp
- memory/3692-147-0x0000000000000000-mapping.dmp