Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 19:24
- Static task: static1
- Behavioral task: behavioral1
  - Sample: wndll.exe
  - Resource: win7
General
- Target: wndll.exe
- Size: 310KB
- MD5: 4e0966f48e6fe2451eae96f7696dcab9
- SHA1: f37c0ca9db58a784cf77712bcfaa6cf18233b495
- SHA256: 5b27db23756f4ddbd30a3875e30cdbff6cdcc1650a46e3c5a032da6f85cfdceb
- SHA512: 19eb88285c79a199ae9ff0ccc2696973185b66f1b7bf06a6b9c4aebb269eb0da71e37a39017403e4b66adbd4071911febe08dd44e3f8c0f4adb10dfe661e9b9f
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: gold1.dnsupdate.info:4777, gold080.ooguy.com:4777
- Mutex: de1252d0-fd95-4cdc-abb5-7b12ebb4706f
- activate_away_mode: true
- backup_connection_host: gold080.ooguy.com
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-10T22:11:42.883905836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4777
- default_group: TMT
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: de1252d0-fd95-4cdc-abb5-7b12ebb4706f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: gold1.dnsupdate.info
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Suspicious use of AdjustPrivilegeToken 2 IoCs
  Processes: wndll.exe, svhost.exe
  description              pid   process
  Token: SeDebugPrivilege  1668  wndll.exe
  Token: SeDebugPrivilege  1784  svhost.exe
- Suspicious behavior: EnumeratesProcesses 5 IoCs
  Processes: wndll.exe, svhost.exe
  pid   process
  1668  wndll.exe
  1668  wndll.exe
  1784  svhost.exe
  1784  svhost.exe
  1784  svhost.exe
- Suspicious use of WriteProcessMemory 17 IoCs
  Processes: wndll.exe
  description                      pid   process    target process
  PID 1668 wrote to memory of 1784  1668  wndll.exe  svhost.exe  (9 entries)
  PID 1668 wrote to memory of 1872  1668  wndll.exe  cmd.exe     (4 entries)
  PID 1668 wrote to memory of 1924  1668  wndll.exe  cmd.exe     (4 entries)
- Suspicious use of SetThreadContext 1 IoCs
  Processes: wndll.exe
  description                          pid   process    target process
  PID 1668 set thread context of 1784  1668  wndll.exe  svhost.exe
- Executes dropped EXE 1 IoCs
  Processes: svhost.exe
  pid   process
  1784  svhost.exe
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes: svhost.exe
  pid   process
  1784  svhost.exe
- Drops startup file 1 IoCs
  Processes: wndll.exe
  description   ioc                                                                                     process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk  wndll.exe
- Loads dropped DLL 3 IoCs
  Processes: wndll.exe
  pid   process
  1668  wndll.exe
  1668  wndll.exe
  1668  wndll.exe
- NTFS ADS 1 IoCs
  Processes: cmd.exe
  description   ioc                                                           process
  File created  C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier  cmd.exe
- Checks whether UAC is enabled 1 IoCs
  Processes: svhost.exe
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  svhost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\wndll.exe
  "C:\Users\Admin\AppData\Local\Temp\wndll.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Drops startup file
  - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Checks whether UAC is enabled
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/wndll.exe" "%temp%\FolderN\name.exe" /Y
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    - NTFS ADS
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
- \Users\Admin\AppData\Local\Temp\FolderN\name.exe
- \Users\Admin\AppData\Local\Temp\FolderN\name.exe
- \Users\Admin\AppData\Local\Temp\svhost.exe
- memory/1784-1-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1784-2-0x000000000041E792-mapping.dmp
- memory/1784-4-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1784-5-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1872-7-0x0000000000000000-mapping.dmp
- memory/1924-11-0x0000000000000000-mapping.dmp