Analysis
-
max time kernel
85s -
max time network
154s -
platform
windows7_x64 -
resource
win7 -
submitted
30-06-2020 13:02
Static task
static1
Behavioral task
behavioral1
Sample
ZtwPj90AM5uNjVx.exe
Resource
win7
General
-
Target
ZtwPj90AM5uNjVx.exe
-
Size
390KB
-
MD5
4c05e57f9047e2206f9e1d168fa06481
-
SHA1
6346ac10485dfb99bbf1a2570d306feacda3f7ba
-
SHA256
dd02cb85d94d9d687d5de330f198abd8f1a84720947c03dfad880526830986f3
-
SHA512
3f09c8173095b5fff64a43b0ba8259d9f358a27b55ab6fec637d93683f7abfb949edf89937481d3b15920329b1e41f34544203cc22976da6f6dc3334935a43fd
Malware Config
Extracted
nanocore
1.2.2.0
91.193.75.58:1985
596c2bb9-90b7-4362-af9a-082627ebed15
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-30T21:40:30.911959536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1985
-
default_group
official
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
596c2bb9-90b7-4362-af9a-082627ebed15
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
91.193.75.58
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe" RegSvcs.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
ZtwPj90AM5uNjVx.exedescription pid process target process PID 1496 wrote to memory of 740 1496 ZtwPj90AM5uNjVx.exe schtasks.exe PID 1496 wrote to memory of 740 1496 ZtwPj90AM5uNjVx.exe schtasks.exe PID 1496 wrote to memory of 740 1496 ZtwPj90AM5uNjVx.exe schtasks.exe PID 1496 wrote to memory of 740 1496 ZtwPj90AM5uNjVx.exe schtasks.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe PID 1496 wrote to memory of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ZtwPj90AM5uNjVx.exedescription pid process target process PID 1496 set thread context of 732 1496 ZtwPj90AM5uNjVx.exe RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 732 RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
RegSvcs.exepid process 732 RegSvcs.exe 732 RegSvcs.exe 732 RegSvcs.exe 732 RegSvcs.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegSvcs.exepid process 732 RegSvcs.exe -
Processes:
RegSvcs.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegSvcs.exe -
Drops file in Program Files directory 2 IoCs
Processes:
RegSvcs.exedescription ioc process File created C:\Program Files (x86)\WAN Subsystem\wanss.exe RegSvcs.exe File opened for modification C:\Program Files (x86)\WAN Subsystem\wanss.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZtwPj90AM5uNjVx.exe"C:\Users\Admin\AppData\Local\Temp\ZtwPj90AM5uNjVx.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EmEIYFCwLYSPp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B54.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Checks whether UAC is enabled
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9B54.tmp
-
memory/732-2-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/732-3-0x000000000041E792-mapping.dmp
-
memory/732-4-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/732-5-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/740-0-0x0000000000000000-mapping.dmp