Analysis
- max time kernel: 66s
- max time network: 141s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 06:40

Static task: static1
Behavioral task: behavioral1
Sample: 37644826d7e2bef8f742bd5b63a76ce5.exe
Resource: win7v200430

General
- Target: 37644826d7e2bef8f742bd5b63a76ce5.exe
- Size: 328KB
- MD5: 37644826d7e2bef8f742bd5b63a76ce5
- SHA1: 7d9c9cab9e6dd190166580eec188358f1aa0f1c2
- SHA256: e5f63380b0e4ad92c5e1827b4e72e307ea1d0928ee8a223ee041495923acacac
- SHA512: c8116a34a775d7adf2eb6209d448e7a6443462041cf17a9af8b8bf1ac9fc2aea3f233a92f0c78dc2812ce8d08f6d0f8c9e1237d219892b4bec6b77fef4823c51
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.140.53.9:9124
- Mutex: abee0a6e-9120-44aa-a70c-1e32c9a07128

Attributes
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-05T19:51:22.629259936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 9124
- default_group: Wish
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: abee0a6e-9120-44aa-a70c-1e32c9a07128
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: 185.140.53.9
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Checks whether UAC is enabled
Processes: MSBuild.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MSBuild.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes: 37644826d7e2bef8f742bd5b63a76ce5.exe
description | pid | process | target process
PID 3920 wrote to memory of 3500 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | schtasks.exe
PID 3920 wrote to memory of 3500 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | schtasks.exe
PID 3920 wrote to memory of 3500 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | schtasks.exe
PID 3920 wrote to memory of 3328 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 3328 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 3328 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe
PID 3920 wrote to memory of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 37644826d7e2bef8f742bd5b63a76ce5.exe, MSBuild.exe
description | pid | process
Token: SeDebugPrivilege | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe
Token: SeDebugPrivilege | 4028 | MSBuild.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: 37644826d7e2bef8f742bd5b63a76ce5.exe, MSBuild.exe
pid | process
3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe
3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe
3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe
4028 | MSBuild.exe
4028 | MSBuild.exe
4028 | MSBuild.exe
4028 | MSBuild.exe
4028 | MSBuild.exe
4028 | MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: 37644826d7e2bef8f742bd5b63a76ce5.exe
description | pid | process | target process
PID 3920 set thread context of 4028 | 3920 | 37644826d7e2bef8f742bd5b63a76ce5.exe | MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: MSBuild.exe
pid | process
4028 | MSBuild.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- C:\Users\Admin\AppData\Local\Temp\37644826d7e2bef8f742bd5b63a76ce5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37644826d7e2bef8f742bd5b63a76ce5.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JOmRZHpjh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A95.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam