Analysis
- max time kernel: 55s
- max time network: 155s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 06:37
- Static task: static1
- Behavioral task: behavioral1 (sample b6fb3e01b32130297ac61b8c33f3bdde.exe, resource win7)
General
- Target: b6fb3e01b32130297ac61b8c33f3bdde.exe
- Size: 310KB
- MD5: b6fb3e01b32130297ac61b8c33f3bdde
- SHA1: 34c52204bf26caf614b3b0177b2cf6b3f1e1be25
- SHA256: e583f88a5a2f0078444fa97cfd8b4357bce832202ec6140ade6239e7687c1850
- SHA512: 049b6c286f4787357344325df639e03a9eb4590fd3a2d03069c1b4cffec69c5df3da3d5f5ca02306134cd1fc4fcba7245f56a96b5309f0496c6d24b73f4b3d12
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: gold1.dnsupdate.info:4777, gold080.ooguy.com:4777
- Mutex: de1252d0-fd95-4cdc-abb5-7b12ebb4706f

- activate_away_mode: true
- backup_connection_host: gold080.ooguy.com
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-10T22:11:42.883905836Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4777
- default_group: TMT
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760, i.e. 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760, i.e. 10 MiB)
- mutex: de1252d0-fd95-4cdc-abb5-7b12ebb4706f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: gold1.dnsupdate.info
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Notes on the extracted settings:
- Both C2 hosts are on dynamic-DNS domains and share port 4777. The hostnames are the stable indicator; the addresses they resolve to will change.
- use_custom_dns_server is false, so the 8.8.8.8 / 8.8.4.4 entries are not in use for this build.
- bypass_user_account_control and request_elevation are both true, which lines up with the EnableLUA registry query recorded under Signatures.
- set_critical_process is true: the NanoCore "critical process" option marks the running client as a critical process, so terminating it can bring down the host. Suspend and dump it before killing it.
- clear_zone_identifier is false, yet the process tree shows a Zone.Identifier stream with ZoneID = 2 being written onto the dropped copy. That write is done by the dropper through cmd.exe, not by this client setting.
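The C2 settings above reduce to two hostnames and one port. As an added example (not part of this report or of any sandbox tooling), the Python below lifts those values into indicators and runs them over constructed DNS and connection log lines. The 203.0.113.x answers, the 10.0.0.x clients and the tab-separated column layout are assumptions made for the example; the config values are transcribed from the section above.

```python
"""NanoCore config -> network indicators -> log matching.

Added example for this report (not the sandbox's or NanoCore's code). The
config values are transcribed from the 'Malware Config' section; the DNS and
connection logs below are constructed, including the 203.0.113.x answers.
"""
from dataclasses import dataclass

# Transcribed from the extracted config; only the keys this example uses.
NANOCORE_CONFIG = {
    "version": "1.2.2.0",
    "primary_connection_host": "gold1.dnsupdate.info",
    "backup_connection_host": "gold080.ooguy.com",
    "connection_port": 4777,
    "mutex": "de1252d0-fd95-4cdc-abb5-7b12ebb4706f",
}


@dataclass(frozen=True)
class NanocoreIocs:
    hostnames: frozenset  # C2 hostnames (dynamic DNS, so the IPs will change)
    port: int             # connection_port; shared by primary and backup host
    mutex: str            # host-side artifact: the client mutex name


def iocs_from_config(cfg: dict) -> NanocoreIocs:
    """Pull the matchable indicators out of an extracted NanoCore config."""
    hosts = frozenset(
        cfg[key].strip().lower().rstrip(".")
        for key in ("primary_connection_host", "backup_connection_host")
        if cfg.get(key)
    )
    return NanocoreIocs(hosts, int(cfg["connection_port"]), cfg["mutex"].lower())


def c2_resolutions(dns_log: str, iocs: NanocoreIocs) -> dict:
    """Map each answered IP -> (C2 hostname, client) for lookups of a C2 name.

    Log format (constructed, tab separated): ts, client, qname, qtype, answer.
    A lookup of a C2 name is an alert on its own; the map lets the connection
    log be tied back to the hostname that produced the address.
    """
    resolved = {}
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype, answer = line.split("\t")
        name = qname.lower().rstrip(".")
        if qtype in ("A", "AAAA") and name in iocs.hostnames:
            resolved[answer] = (name, client)
    return resolved


def c2_connections(conn_log: str, dns_log: str, iocs: NanocoreIocs) -> list:
    """Return flows to a resolved C2 address, tagged by whether the port matches.

    Log format (constructed, tab separated): ts, src, sport, dst, dport, proto.
    Flows to a C2 address on another port are kept and tagged 'other-port':
    the port is a per-build setting, the hostname is the stable part.
    """
    resolved = c2_resolutions(dns_log, iocs)
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, _proto = line.split("\t")
        if dst not in resolved:
            continue
        hostname, _client = resolved[dst]
        tag = "c2-port" if int(dport) == iocs.port else "other-port"
        hits.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                     "hostname": hostname, "tag": tag})
    return hits


# Constructed sample logs; 203.0.113.0/24 is a documentation range.
DNS_LOG = """\
1593499199.9\t10.0.0.5\tgold1.dnsupdate.info\tA\t203.0.113.10
1593499200.0\t10.0.0.5\twww.example.com\tA\t93.184.216.34
1593499230.2\t10.0.0.7\tGOLD080.ooguy.com.\tA\t203.0.113.20
"""
CONN_LOG = """\
1593499200.1\t10.0.0.5\t49211\t203.0.113.10\t4777\ttcp
1593499201.5\t10.0.0.5\t49212\t93.184.216.34\t443\ttcp
1593499210.0\t10.0.0.9\t49300\t203.0.113.99\t4777\ttcp
1593499231.0\t10.0.0.7\t49313\t203.0.113.20\t443\ttcp
"""

if __name__ == "__main__":
    for hit in c2_connections(CONN_LOG, DNS_LOG, iocs_from_config(NANOCORE_CONFIG)):
        print(hit)
```

The 4777 flow to 203.0.113.99 is deliberately not reported: the port alone is too weak to alert on, since the next build of the same client can use a different one.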
Signatures
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  svhost.exe (PID 780)
- Checks whether UAC is enabled (1 IoC)
  svhost.exe queried key value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops startup file (1 IoC)
  b6fb3e01b32130297ac61b8c33f3bdde.exe created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\namde.exe.lnk
- NTFS ADS (1 IoC)
  cmd.exe created C:\Users\Admin\AppData\Local\Temp\FolderN\namde.exe:Zone.Identifier
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 112 b6fb3e01b32130297ac61b8c33f3bdde.exe
  Token SeDebugPrivilege: PID 780 svhost.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 112 b6fb3e01b32130297ac61b8c33f3bdde.exe (2), PID 780 svhost.exe (4)
- Loads dropped DLL (3 IoCs)
  PID 112 b6fb3e01b32130297ac61b8c33f3bdde.exe (3)
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 112 b6fb3e01b32130297ac61b8c33f3bdde.exe wrote to memory of PID 780 svhost.exe (9)
  PID 112 b6fb3e01b32130297ac61b8c33f3bdde.exe wrote to memory of PID 1048 cmd.exe (4)
  PID 112 b6fb3e01b32130297ac61b8c33f3bdde.exe wrote to memory of PID 1804 cmd.exe (4)
- Suspicious use of SetThreadContext (1 IoC)
  PID 112 b6fb3e01b32130297ac61b8c33f3bdde.exe set thread context of PID 780 svhost.exe
- Executes dropped EXE (1 IoC)
  svhost.exe (PID 780)

The nine writes into svhost.exe followed by SetThreadContext on the same process are the hollowing of the dropped svhost.exe copy. The four writes into each cmd.exe child are consistent with what a parent writes into a child at creation time and carry no SetThreadContext, so they are not a second injection.
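The WriteProcessMemory and SetThreadContext tables are easier to read as one correlation. The Python below is an added example (not sandbox code) that replays the per-PID counts above and separates hollowing from ordinary creation-time writes, then checks the memory-dump addresses listed under Downloads against each other. The ApiEvent records are transcribed from the tables; NORMAL_CREATION_WRITES is an assumed tuning threshold, not a figure from the report.

```python
"""Correlate WriteProcessMemory / SetThreadContext signatures into one verdict.

Added example for this report, not sandbox code. The events are transcribed
from the signature tables (source PID, target PID, API); the dropped-EXE PID
comes from the 'Executes dropped EXE' signature. NORMAL_CREATION_WRITES is an
assumption: a few writes at CreateProcess time are expected for any child.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    api: str        # "WriteProcessMemory" or "SetThreadContext"
    src: int        # PID making the call
    dst: int        # PID acted upon
    dst_image: str  # image name of the target process


# Transcribed from the report: 9 writes + 1 SetThreadContext into svhost.exe,
# 4 writes into each cmd.exe child.
EVENTS = (
    [ApiEvent("WriteProcessMemory", 112, 780, "svhost.exe")] * 9
    + [ApiEvent("SetThreadContext", 112, 780, "svhost.exe")]
    + [ApiEvent("WriteProcessMemory", 112, 1048, "cmd.exe")] * 4
    + [ApiEvent("WriteProcessMemory", 112, 1804, "cmd.exe")] * 4
)
DROPPED_EXE_PIDS = {780}  # started from a file the parent wrote to disk

# Assumed threshold (not from the report): writes at or below this count with
# no SetThreadContext are treated as the parent's normal creation-time writes.
NORMAL_CREATION_WRITES = 4


def classify_targets(events, dropped_pids, normal_writes=NORMAL_CREATION_WRITES):
    """Return {target_pid: verdict string} for every process that was written to."""
    writes = Counter()
    set_ctx = set()
    image = {}
    for e in events:
        image[e.dst] = e.dst_image
        if e.api == "WriteProcessMemory":
            writes[(e.src, e.dst)] += 1
        elif e.api == "SetThreadContext":
            set_ctx.add((e.src, e.dst))

    verdicts = {}
    for (src, dst), n in writes.items():
        target = "%s (PID %d)" % (image[dst], dst)
        if (src, dst) in set_ctx:
            # Writes followed by a thread-context change on the same target is
            # the hollowing pattern, whatever the write count.
            origin = "a dropped file" if dst in dropped_pids else "an existing image"
            verdicts[dst] = ("process-hollowing: PID %d made %d writes into %s, started "
                             "from %s, then set its thread context" % (src, n, target, origin))
        elif n > normal_writes:
            verdicts[dst] = ("suspicious: %d writes into %s without SetThreadContext; "
                             "inspect for another injection technique" % (n, target))
        else:
            verdicts[dst] = "creation-time writes only: %d writes into %s" % (n, target)
    return verdicts


def region_contains(start: int, end: int, addr: int) -> bool:
    """True if a dumped region [start, end) covers the thread entry address."""
    return start <= addr < end


def region_size_kb(start: int, end: int) -> int:
    """Size of a dumped region in KB, for checking against the listed file size."""
    return (end - start) // 1024


if __name__ == "__main__":
    for pid, verdict in sorted(classify_targets(EVENTS, DROPPED_EXE_PIDS).items()):
        print(pid, verdict)
    # Dump addresses from the Downloads section of this report.
    print(region_contains(0x400000, 0x438000, 0x41E792), region_size_kb(0x400000, 0x438000))
```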
Processes
- C:\Users\Admin\AppData\Local\Temp\b6fb3e01b32130297ac61b8c33f3bdde.exe (PID 112)
  "C:\Users\Admin\AppData\Local\Temp\b6fb3e01b32130297ac61b8c33f3bdde.exe"
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 780, child of 112)
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Suspicious behavior: GetForegroundWindowSpam
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (child of 112)
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/b6fb3e01b32130297ac61b8c33f3bdde.exe" "%temp%\FolderN\namde.exe" /Y
  - C:\Windows\SysWOW64\cmd.exe (child of 112)
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\namde.exe:Zone.Identifier
    - NTFS ADS

Reading the tree:
- The two cmd.exe children are PIDs 1048 and 1804 in the WriteProcessMemory record. Their image path is C:\Windows\SysWOW64\cmd.exe although the command line names System32: the parent is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64 for it.
- The first cmd.exe copies the dropper itself to %temp%\FolderN\namde.exe, the same name as the namde.exe.lnk dropped into the Startup folder, so the Startup shortcut presumably launches that copy on logon.
- The second cmd.exe stamps the copy with a Zone.Identifier stream whose ZoneID is 2 (Trusted sites) rather than 3 (Internet). Note that echo writes the [zoneTransfer] header and the ZoneID key on a single line; the report does not show how Windows reads that stream, but in either case the copy will not carry an Internet-zone mark.
- svhost.exe is a dropped file that the parent then hollows (writes plus SetThreadContext); the UAC check and process enumeration come from the injected NanoCore client, not from the svhost.exe image on disk.
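As an added example (not the sandbox's code), the Python below parses cmd.exe command lines like the two above for the echo-into-Zone.Identifier pattern and also reads Zone.Identifier stream content back in a forensic check. The two real command lines are taken from the process tree; the third command line and the stream contents used for the check are constructed. The single-line handling in parse_zone_identifier reflects what the echo above writes (header and key on one line), not a claim about how Windows parses it.

```python
"""Spot Mark-of-the-Web tampering in cmd.exe command lines and stream content.

Added example for this report; not sandbox code. The first two command lines
are from the process tree; the third is a constructed benign control. The
Zone.Identifier contents fed to parse_zone_identifier() are constructed too.
"""
import re
from dataclasses import dataclass
from typing import Optional

# URLZONE values as written in Zone.Identifier streams.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# `echo <payload> > <path>:Zone.Identifier` (also `>>`, optional quotes around the path).
ADS_ECHO_RE = re.compile(
    r'echo\s+(?P<payload>.*?)\s*>>?\s*"?(?P<path>[^"\s>]+?):Zone\.Identifier"?',
    re.IGNORECASE,
)
ZONEID_RE = re.compile(r"ZoneId\s*=\s*(?P<id>\d+)", re.IGNORECASE)


@dataclass
class AdsZoneWrite:
    path: str               # file whose Zone.Identifier stream was written
    zone_id: Optional[int]  # ZoneId in the echoed payload, if one is present
    zone_name: str
    motw_downgrade: bool    # a zone below Internet (3) stamped by a shell command


def parse_ads_write(cmdline: str) -> Optional[AdsZoneWrite]:
    """Return the Zone.Identifier write a cmd.exe command line performs, or None."""
    m = ADS_ECHO_RE.search(cmdline)
    if not m:
        return None
    zm = ZONEID_RE.search(m.group("payload"))
    zone = int(zm.group("id")) if zm else None
    return AdsZoneWrite(
        path=m.group("path"),
        zone_id=zone,
        zone_name=ZONE_NAMES.get(zone, "unknown"),
        motw_downgrade=zone is not None and zone < 3,
    )


def parse_zone_identifier(stream: str) -> dict:
    """Read key=value pairs out of Zone.Identifier stream content.

    Accepts the canonical multi-line form ([ZoneTransfer] on its own line) and
    the one-line form that `echo [zoneTransfer]ZoneID = 2 > file:Zone.Identifier`
    produces. Keys are returned lowercased so ZoneId / ZoneID compare equal.
    """
    body = re.sub(r"^\s*\[[^\]]*\]\s*", "", stream.strip(), count=1)  # drop the section header
    pairs = {}
    for key, value in re.findall(r"([A-Za-z]+)\s*=\s*([^\r\n]*)", body):
        pairs[key.lower()] = value.strip()
    return pairs


SAMPLE_CMDLINES = [
    # From the process tree above.
    r'"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/b6fb3e01b32130297ac61b8c33f3bdde.exe" "%temp%\FolderN\namde.exe" /Y',
    r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\namde.exe:Zone.Identifier',
    # Constructed benign control: a redirect that is not an ADS write.
    r'cmd.exe /c echo done > C:\Users\Admin\notes.txt',
]

if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(parse_ads_write(cmdline))
    # Constructed stream contents: canonical form, then what the echo above produces.
    print(parse_zone_identifier("[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a.exe\r\n"))
    print(parse_zone_identifier("[zoneTransfer]ZoneID = 2 \r\n"))
```

A detection keyed on the write itself (a shell redirect into `:Zone.Identifier` with a ZoneId below 3) does not depend on whether the one-line stream is later honoured by the shell; the forensic parser is for confirming what actually landed in the stream on a disk image.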
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\namde.exe
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
- \Users\Admin\AppData\Local\Temp\FolderN\namde.exe
- \Users\Admin\AppData\Local\Temp\FolderN\namde.exe
- \Users\Admin\AppData\Local\Temp\svhost.exe
- memory/780-1-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/780-2-0x000000000041E792-mapping.dmp
- memory/780-4-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/780-5-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1048-7-0x0000000000000000-mapping.dmp
- memory/1804-11-0x0000000000000000-mapping.dmp

The three 224KB dumps of PID 780 cover 0x400000-0x438000 (0x38000 bytes, which is the listed 224KB), the 32-bit image range of svhost.exe after the parent's writes. The 0x41E792 mapping sits inside that range and is most likely the address the parent pointed the thread at with SetThreadContext. For the unpacked NanoCore client, start from these dumps rather than from the svhost.exe file on disk, which is only the hollowed host image.