Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 05:28
Static task: static1
Behavioral task: behavioral1 (sample IePZajh9fm9DACV.exe, resource win7)
Behavioral task: behavioral2 (sample IePZajh9fm9DACV.exe, resource win10)
General
- Target: IePZajh9fm9DACV.exe
- Size: 362KB
- MD5: 82c01db6ccaa1c602b77c59b3ed64d71
- SHA1: 71ca9deefc3a678bf7fde895978ff5ff5a67691a
- SHA256: 70a3e3040e47398629957e35100380def41b1ab5b4ac73e777051b6e85c60b19
- SHA512: 0ae49f96a29e21bf8d4e29f7d93f79870b006e0b639bf49565cb7cffca2ad2d7fd26c76d84f777e4aa77a00b91a546dd7a9b957fb326a707f727bb6b76648f59
Malware Config
Extracted: nanocore 1.2.2.0
- C2: u870797.nvpn.to:3119
- mutex: f813c4e2-fc76-409a-b46f-571ed35f6a5f
- activate_away_mode: true
- backup_connection_host: u870797.nvpn.to
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-29T11:52:57.396056536Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not available)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3119
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f813c4e2-fc76-409a-b46f-571ed35f6a5f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: u870797.nvpn.to
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege | pid: 836 | process: IePZajh9fm9DACV.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid: 836 | process: IePZajh9fm9DACV.exe (4 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid: 836 | process: IePZajh9fm9DACV.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: IePZajh9fm9DACV.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description: wrote to memory of | pid: 608 | process: IePZajh9fm9DACV.exe | target pid: 876 | target process: schtasks.exe (4 entries)
    description: wrote to memory of | pid: 608 | process: IePZajh9fm9DACV.exe | target pid: 836 | target process: IePZajh9fm9DACV.exe (9 entries)
    description: wrote to memory of | pid: 836 | process: IePZajh9fm9DACV.exe | target pid: 1052 | target process: schtasks.exe (4 entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: set thread context of | pid: 608 | process: IePZajh9fm9DACV.exe | target pid: 836 | target process: IePZajh9fm9DACV.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\IePZajh9fm9DACV.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IePZajh9fm9DACV.exe"
  Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wooVhqIljofc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B1F.tmp"
    Signatures:
      - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\IePZajh9fm9DACV.exe (depth 2)
    Command line: "{path}"
    Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Checks whether UAC is enabled
      - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "WAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F24.tmp"
      Signatures:
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8B1F.tmp
- C:\Users\Admin\AppData\Local\Temp\tmp8F24.tmp
- memory/608-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/836-4-0x0000000000400000-0x0000000000438000-memory.dmp (filesize: 224KB)
- memory/836-5-0x000000000041E792-mapping.dmp
- memory/836-6-0x0000000000400000-0x0000000000438000-memory.dmp (filesize: 224KB)
- memory/836-7-0x0000000000400000-0x0000000000438000-memory.dmp (filesize: 224KB)
- memory/876-2-0x0000000000000000-mapping.dmp
- memory/1052-8-0x0000000000000000-mapping.dmp