Analysis
max time kernel: 157s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 02:30
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
Resource: win7-20220812-en
General
Target: SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
Size: 333KB
MD5: f60ddb063158118801e8bc835266ea7e
SHA1: 4ccbee5a06c414a0cb8eac6d7122ecfcee1664e8
SHA256: e3349de58511c7211afb99fb2a84322b78d6c1cad075655cad938ac3e36b2be4
SHA512: 33e1608f1206b02beb1c26e10ea4464eaf63f5de4e69eecc86bc7f069a9e4e92ad6d4115f5126a0adcbf4e6e9cbf287f69de4c5a7d7f75a5e928d683927b4953
SSDEEP: 6144:NBn0TUrq5HDcPhznpItqrsLOXh04vnZWSDHso6Rzodfq6RiSAlfzV:ET2SAPnxrsyXhnZdDHso6podfQBlfR
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: albertsamco76.ddns.net:7480
C2: 79.134.225.71:7480
Mutex: 595ac7be-87a8-4935-8bed-199af086cae8
Attributes:
activate_away_mode: true
backup_connection_host: 79.134.225.71
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-07-15T18:29:52.126272236Z
bypass_user_account_control: false
bypass_user_account_control_data: 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
clear_access_control: true
clear_zone_identifier: false
connect_delay: 5000
connection_port: 7480
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 595ac7be-87a8-4935-8bed-199af086cae8
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: albertsamco76.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  4144 hzeuuxn.exe
  1996 hzeuuxn.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" (hzeuuxn.exe)

Checks whether UAC is enabled
Processes (description, ioc, process):
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (hzeuuxn.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
  PID 4144 set thread context of 1996: hzeuuxn.exe (4144) -> hzeuuxn.exe (1996)

Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
  File created: C:\Program Files (x86)\DDP Host\ddphost.exe (hzeuuxn.exe)
  File opened for modification: C:\Program Files (x86)\DDP Host\ddphost.exe (hzeuuxn.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process):
  1996 hzeuuxn.exe (6 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
  1996 hzeuuxn.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes (pid, process):
  4144 hzeuuxn.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege 1996 hzeuuxn.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description, pid, process, target process):
  PID 1252 wrote to memory of 4144: SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe (1252) -> hzeuuxn.exe (4144)
  PID 1252 wrote to memory of 4144: SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe (1252) -> hzeuuxn.exe (4144)
  PID 1252 wrote to memory of 4144: SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe (1252) -> hzeuuxn.exe (4144)
  PID 4144 wrote to memory of 1996: hzeuuxn.exe (4144) -> hzeuuxn.exe (1996)
  PID 4144 wrote to memory of 1996: hzeuuxn.exe (4144) -> hzeuuxn.exe (1996)
  PID 4144 wrote to memory of 1996: hzeuuxn.exe (4144) -> hzeuuxn.exe (1996)
  PID 4144 wrote to memory of 1996: hzeuuxn.exe (4144) -> hzeuuxn.exe (1996)
  PID 1996 wrote to memory of 1436: hzeuuxn.exe (1996) -> schtasks.exe (1436)
  PID 1996 wrote to memory of 1436: hzeuuxn.exe (1996) -> schtasks.exe (1436)
  PID 1996 wrote to memory of 1436: hzeuuxn.exe (1996) -> schtasks.exe (1436)
  PID 1996 wrote to memory of 628: hzeuuxn.exe (1996) -> schtasks.exe (628)
  PID 1996 wrote to memory of 628: hzeuuxn.exe (1996) -> schtasks.exe (628)
  PID 1996 wrote to memory of 628: hzeuuxn.exe (1996) -> schtasks.exe (628)
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe" C:\Users\Admin\AppData\Local\Temp\fwbjwtfkqen.uqk
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA993.tmp"
        - Creates scheduled task(s)

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA6F.tmp"
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\fwbjwtfkqen.uqk
Filesize: 5KB
MD5: 08875b77581bfdffb421974fdcd91db6
SHA1: c511c0e14034f4187395b3d0d5c635c0f4327419
SHA256: 2336f9c11b1666a84ee2f441b14d8a3a72280d6e14e097c495fd38bcd84b3b25
SHA512: c4e8e5f8b957787fe9eea80acbbe6b89b2736b7e50d79a3b18b84b6d7dd2a0b921ee21219d30c2e52eb0cb8264accaab35362c5224871ad9873fe00a05d6fcda

C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
Filesize: 13KB
MD5: d8dd6afef3fad2c4601acfe8de308988
SHA1: be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c
SHA256: 5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77
SHA512: 007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

C:\Users\Admin\AppData\Local\Temp\lahlkxvksg.uz
Filesize: 281KB
MD5: 10ac85c858fdf8eaa7d2b877f7b844db
SHA1: fef49be1242834cc83ceede136b780f45d02e4ba
SHA256: 0cbc09c9b12e4508cb043f382392b73d63f39457af21e3232935d01664314977
SHA512: ff94ff8d8abee6751ce79fe9b09e150add3b0761129785812a5b94bb3a1fb114c64385c7f29b48a4dca241fcc71ad555b2b654039ec427c9ddef548f6fc41e57

C:\Users\Admin\AppData\Local\Temp\tmpA993.tmp
Filesize: 1KB
MD5: 3a1a90a554de66ea61438aaeab76cad2
SHA1: 2000d734321bbdfd56c13bd4f7dc5017328131b5
SHA256: d2fbdc8ec019bc26c6c70ed6a09cf30a5bca679c492faf727e988cd2c413da8a
SHA512: f25345da6ffe6ff1a0b6981169a3f289cf3f0640c09f429263ac586c5b117316527231510fbbc524b171d05f0ac4471a0c27e9e6e37c2cb5fcaf334232ecaf6e

C:\Users\Admin\AppData\Local\Temp\tmpAA6F.tmp
Filesize: 1KB
MD5: 2271642ca970891700e3f48439739ed8
SHA1: cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA256: 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA512: 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Memory dumps:
memory/628-146-0x0000000000000000-mapping.dmp
memory/1436-144-0x0000000000000000-mapping.dmp
memory/1996-141-0x0000000005410000-0x00000000054AC000-memory.dmp (Filesize: 624KB)
memory/1996-142-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
memory/1996-143-0x0000000002E00000-0x0000000002E0A000-memory.dmp (Filesize: 40KB)
memory/1996-140-0x0000000002D30000-0x0000000002DC2000-memory.dmp (Filesize: 584KB)
memory/1996-139-0x0000000005AC0000-0x0000000006064000-memory.dmp (Filesize: 5.6MB)
memory/1996-137-0x0000000000000000-mapping.dmp
memory/4144-132-0x0000000000000000-mapping.dmp