Analysis
- max time kernel: 146s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 05:08
Static task: static1
Behavioral task: behavioral1
- Sample: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
- Resource: win7-20230220-en
General
- Target: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
- Size: 370KB
- MD5: ccd867cfc63db17919a2f33ad9f62c12
- SHA1: 59c080b507881b4eabbc6cd8cd017aa00efe51f2
- SHA256: e0e80715b69be95f22d58f621c8e1aa0787fe7975ffa826276f4f5372418f554
- SHA512: a90a4ab3bf79d1655a87840f0f2096eba68e895e9b1e9b84f2473ebcf076798f5e296b260c937e8e7f7d7d3a69cda928722818521116972d5da60c2dc5429f5a
- SSDEEP: 6144:tld+RZFkKF5SQBqZq80T4vzTvhM2dOEpPOBVZcA3NjXgU9lKKrsypc/xlf:tldKZeYwfbX3d5O1R9jXdlKOTmf
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: jeffserver.duckdns.org:7788
- Mutex: d42d2ae0-373b-4f39-a3bc-ff7b345278dd
Configuration fields:
- activate_away_mode: true
- backup_connection_host: jeffserver.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-08-03T22:28:43.558185736Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7788
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760 bytes, 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760 bytes, 10 MiB)
- mutex: d42d2ae0-373b-4f39-a3bc-ff7b345278dd
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: jeffserver.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Notes on the extracted values: the backup host is the same DuckDNS name as the primary, so there is no real fallback and blocking or sinkholing jeffserver.duckdns.org covers both; use_custom_dns_server is false, so the 8.8.8.8 and 8.8.4.4 entries are defaults the sample does not use; the mutex GUID also appears as the fourth header value and is a stable host indicator for this build; bypass_user_account_control, request_elevation, run_on_startup and set_critical_process are all enabled, which matches the UAC check, scheduled-task persistence and SeDebugPrivilege use recorded in the signatures below.
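The config block above is flat key/value text separated by "-" lines, with one key (bypass_user_account_control_data) that carries no value. The Python below is an added example, not part of the sandbox report or of any NanoCore tooling: it parses that layout into typed values, derives the network indicators from it and runs a few consistency checks (version and mutex agree with the header, backup host equals primary, gc_threshold in MiB). CONFIG_TEXT embeds a subset of the page's lines; the function and field names are the example's own.

```python
import re

# Subset of the page's "Malware Config" lines, one page line per list element
# (transcribed from the report; the full block has more fields).
CONFIG_TEXT = "\n".join([
    "nanocore", "1.2.2.0", "jeffserver.duckdns.org:7788", "d42d2ae0-373b-4f39-a3bc-ff7b345278dd",
    "-", "backup_connection_host", "jeffserver.duckdns.org",
    "-", "backup_dns_server", "8.8.4.4",
    "-", "bypass_user_account_control", "true",
    "- bypass_user_account_control_data",          # key with no value, as on the page
    "-", "connection_port", "7788",
    "-", "gc_threshold", "1.048576e+07",
    "-", "keyboard_logging", "false",
    "-", "mutex", "d42d2ae0-373b-4f39-a3bc-ff7b345278dd",
    "-", "primary_connection_host", "jeffserver.duckdns.org",
    "-", "primary_dns_server", "8.8.8.8",
    "-", "request_elevation", "true",
    "-", "use_custom_dns_server", "false",
    "-", "version", "1.2.2.0",
])


def _coerce(value):
    """Map the report's string values to bool / int / str; float-looking integers become int."""
    if value is None:
        return None
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    if re.fullmatch(r"-?\d+(\.\d+)?([eE][-+]?\d+)?", value):
        f = float(value)
        return int(f) if f.is_integer() else f
    return value


def parse_nanocore_config(text):
    """Parse header (family, version, c2, mutex) and the dash-separated key/value entries."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header, i = [], 0
    while i < len(lines) and not lines[i].startswith("-"):
        header.append(lines[i])
        i += 1
    family, version, c2, mutex = header          # raises if the layout differs
    host, _, port = c2.rpartition(":")
    config, entry = {}, []
    for line in lines[i:]:
        if line.startswith("-"):
            if entry:                              # flush previous entry; missing value -> None
                config[entry[0]] = _coerce(entry[1] if len(entry) > 1 else None)
            entry = []
            rest = line[1:].strip()
            if rest:                               # "- key" form: key sits on the dash line
                entry.append(rest)
        else:
            entry.append(line)
    if entry:
        config[entry[0]] = _coerce(entry[1] if len(entry) > 1 else None)
    return {"family": family, "version": version, "c2_host": host,
            "c2_port": int(port), "mutex": mutex, "config": config}


def network_iocs(parsed):
    """(host, port) pairs the implant would contact; DNS servers only if custom DNS is on."""
    cfg = parsed["config"]
    port = cfg.get("connection_port", parsed["c2_port"])
    hosts = {parsed["c2_host"], cfg.get("primary_connection_host"), cfg.get("backup_connection_host")}
    iocs = sorted((h, port) for h in hosts if h)
    if cfg.get("use_custom_dns_server"):
        iocs += [(d, 53) for d in (cfg.get("primary_dns_server"), cfg.get("backup_dns_server")) if d]
    return iocs


def sanity_checks(parsed):
    """Cross-check header against fields and summarise the settings an analyst cares about."""
    cfg = parsed["config"]
    return {
        "version_matches_header": cfg.get("version") == parsed["version"],
        "mutex_is_header_guid": cfg.get("mutex") == parsed["mutex"],
        "backup_is_same_host": cfg.get("backup_connection_host") == cfg.get("primary_connection_host"),
        "gc_threshold_mib": cfg["gc_threshold"] // (1024 * 1024),
        "uac_bypass_enabled": bool(cfg.get("bypass_user_account_control")) and bool(cfg.get("request_elevation")),
    }


if __name__ == "__main__":
    parsed = parse_nanocore_config(CONFIG_TEXT)
    print(network_iocs(parsed))
    print(sanity_checks(parsed))
```

Because the backup host collapses onto the primary, network_iocs() yields a single host/port pair; the 8.8.x.x resolvers are dropped because use_custom_dns_server is false.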
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
-
Checks whether UAC is enabled 1 IoCs
Queries the EnableLUA policy value, which reports whether UAC is active.
Processes: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
description | pid | process | target process
PID 1484 set thread context of 1832 | 1484 | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
Read together with the WriteProcessMemory events below, this is the parent writing a payload into a freshly started copy of itself and redirecting that copy's thread into it (process hollowing); the second copy is the one that shows the NanoCore runtime behaviour (UAC check, process enumeration, SeDebugPrivilege) in the rest of this list.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "ransomware" wording is the sandbox's generic description for this signature; the extracted config identifies the sample as NanoCore, a RAT, so drive enumeration here is better read as host reconnaissance than as encryption activity.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
pid | process
1832 | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe (3 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
pid | process
1832 | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
description | pid | process
Token: SeDebugPrivilege | 1832 | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe
description | pid | process | target process
PID 1484 wrote to memory of 2592 | 1484 | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe | schtasks.exe (3 events)
PID 1484 wrote to memory of 1832 | 1484 | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe | E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe (8 events)
The three writes into schtasks.exe are consistent with the parent merely launching that child and carry no SetThreadContext; the eight writes into the second copy of the sample, paired with the SetThreadContext call above, are the injection itself. A hunting rule should key on the write-plus-context-reset pair into a same-image child, not on WriteProcessMemory alone.
Processes
- C:\Users\Admin\AppData\Local\Temp\E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe (PID 1484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2592, child of 1484)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NUNVjrF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe (PID 1832, child of 1484)
    Command line: "C:\Users\Admin\AppData\Local\Temp\E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
PIDs are taken from the signature tables above. Two details matter for detection: the command line names System32\schtasks.exe but the resolved image is SysWOW64\schtasks.exe, i.e. file-system redirection because the parent is a 32-bit process, so a rule that matches only on the System32 image path will miss this launch; and the task is registered from an XML definition (tmp83D6.tmp, listed under Downloads) written to the user's Temp directory under a task folder named "Updates", a combination that rarely appears in legitimate software installs.
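The signatures and process tree above are the raw material for host-based detection. As an added example (not from the sandbox and not from any vendor rule set), the Python below transcribes the report's events into constructed records and runs five checks over them: self-hollowing (WriteProcessMemory plus SetThreadContext from a parent into a child running the same image), schtasks /Create fed an XML from the user's Temp directory, the Geo\Nation and EnableLUA registry reads, and SeDebugPrivilege. The event schema, field names and rule names are assumptions of the example; the paths and PIDs are the ones on this page.

```python
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe"

# Constructed event records (hypothetical schema) transcribed from the report's
# signature tables and process tree; PIDs are the ones the report shows.
EVENTS = [
    {"type": "process_create", "pid": 1484, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 1484,
     "key": r"\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 2592, "ppid": 1484, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NUNVjrF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp"'},
    {"type": "write_process_memory", "pid": 1484, "target_pid": 2592},   # 3 such events in the report
    {"type": "process_create", "pid": 1832, "ppid": 1484, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "write_process_memory", "pid": 1484, "target_pid": 1832},   # 8 such events in the report
    {"type": "set_thread_context", "pid": 1484, "target_pid": 1832},
    {"type": "registry_query", "pid": 1832,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "adjust_privilege", "pid": 1832, "privilege": "SeDebugPrivilege"},
]

TEMP_MARKER = "\\appdata\\local\\temp\\"


def detect(events):
    """Return a list of (rule, pid, detail) findings for the event stream."""
    images = {e["pid"]: e["image"].lower() for e in events if e["type"] == "process_create"}
    touched = defaultdict(set)   # (source pid, target pid) -> {"write", "ctx"}
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "write_process_memory":
            touched[(e["pid"], e["target_pid"])].add("write")
        elif kind == "set_thread_context":
            touched[(e["pid"], e["target_pid"])].add("ctx")
        elif kind == "registry_query":
            key = e["key"].lower()
            if key.endswith(r"\control panel\international\geo\nation"):
                findings.append(("geofence_check", e["pid"], e["key"]))
            elif key.endswith(r"\policies\system\enablelua"):
                findings.append(("uac_status_check", e["pid"], e["key"]))
        elif kind == "adjust_privilege" and e["privilege"] == "SeDebugPrivilege":
            findings.append(("sedebug_enabled", e["pid"], e["privilege"]))
        elif kind == "process_create" and e["image"].lower().endswith("\\schtasks.exe"):
            # Match on the resolved image (SysWOW64 here), not on the System32 path in the command line.
            cmd = e["cmdline"]
            xml = re.search(r'/xml\s+"?([^"]+)', cmd, re.IGNORECASE)
            name = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.IGNORECASE)
            if "/create" in cmd.lower() and xml and TEMP_MARKER in xml.group(1).lower():
                findings.append(("schtasks_xml_from_temp", e["pid"],
                                 f"task {name.group(1) if name else '?'} from {xml.group(1)}"))
    # Hollowing: the same parent both wrote memory and reset a thread context in a
    # child that runs the same image. A write alone (schtasks.exe above) is just the
    # parent launching a child and is deliberately not flagged.
    for (src, dst), ops in touched.items():
        if {"write", "ctx"} <= ops and images.get(src) == images.get(dst):
            findings.append(("self_hollowing", src, f"injected into child pid {dst} running the same image"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
```

Run as-is it prints five findings, one per rule; the write into schtasks.exe (PID 2592) produces no hollowing finding because no SetThreadContext targets it, which is the distinction the WriteProcessMemory section above calls for.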
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E0E80715B69BE95F22D58F621C8E1AA0787FE7975FFA8.exe.log
  Filesize: 599B
  MD5: 4c035bcf4ab1fbbc9de8a5ed5be5dfb8
  SHA1: 180299ba8c06ed922f515b8cdb2409edd8b432d0
  SHA256: 75b9a0f2298151bbbf388dd94b9f13d5c5ec174891f0c76b07b8cd8bbd1273c1
  SHA512: 0166b2b1b0d79f366d3ae8b9e76b2fff9648c85b3cf883120b23355ca484337cee6e0462e7d8cd52654506ff739f195bff9e1b4d4617b882ec9943dc31abde4d
  (A CLR_v4.0_32 usage log is written by the .NET runtime for a 32-bit CLR 4 process, consistent with the SysWOW64 redirection seen in the process tree.)
- C:\Users\Admin\AppData\Local\Temp\tmp83D6.tmp
  Filesize: 1KB
  MD5: ffbcb1f497fb62db9f45ed3ddac1b0f0
  SHA1: 56b6cee36309d2372b51808c429635837fbcddea
  SHA256: 96dfdbe4b2d3458593cb5f9df3814d9ee4d6f60308912e0338782bba818a7769
  SHA512: 36c8fea8445f564f4705f691ba40f71debcceff02414194f1ad89ba7dcd463e3351077d7c93c11005490c37620a9af6a25d23a048b8f9befdb03847abbc4ae10
  (The task definition passed to schtasks.exe /XML in the process tree.)
Memory dumps (sorted by dump index):
- memory/1484-133-0x0000000000BD0000-0x0000000000C32000-memory.dmp: 392KB
- memory/1484-134-0x00000000055A0000-0x0000000005632000-memory.dmp: 584KB
- memory/1484-135-0x00000000059F0000-0x0000000005A8C000-memory.dmp: 624KB
- memory/1484-136-0x0000000005560000-0x0000000005570000-memory.dmp: 64KB
- memory/1484-137-0x0000000005560000-0x0000000005570000-memory.dmp: 64KB
- memory/1484-138-0x00000000081B0000-0x0000000008216000-memory.dmp: 408KB
- memory/1484-144-0x0000000008F30000-0x00000000094D4000-memory.dmp: 5.6MB
- memory/1832-145-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
- memory/1832-148-0x0000000005350000-0x000000000535A000-memory.dmp: 40KB
- memory/1832-150-0x0000000005300000-0x0000000005310000-memory.dmp: 64KB
- memory/1832-151-0x0000000005300000-0x0000000005310000-memory.dmp: 64KB