Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 06:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: IMG_0005_2020.exe
- Resource: win7
General
- Target: IMG_0005_2020.exe
- Size: 968KB
- MD5: d74a9763b4943ad54b0daefa5287709b
- SHA1: 1675428f1f56ec47e93c2cea80b137d4d7f8a9ec
- SHA256: d1d26e5c1f43753746f62ef30a1ceaeb9c1309893999ffde6d1371db4e82ada8
- SHA512: bc17173959faf0b7fa4d175237261f6a5a38d52512cffd072e81f8460d9cda3a413848df749a8c85d80f0ca2bf459fee1b2798971c71b4ffe286027121a7c143
Malware Config
Extracted: nanocore 1.2.2.0
- C2: urualla.duckdns.org:3999
- C2: urualla3.duckdns.org:3999
- Mutex: d15035f6-d9d3-4e8b-9141-2ca7d3ee51bb

Configuration keys:
- activate_away_mode: true
- backup_connection_host: urualla3.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-11-15T10:43:13.463487336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3999
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: d15035f6-d9d3-4e8b-9141-2ca7d3ee51bb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: urualla.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- NTFS ADS (1 IoC)
  Process: notepad.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\startup\skype.exe:ZoneIdentifier | notepad.exe

- Drops startup file (1 IoC)
  Process: notepad.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skpye.exe.vbs | notepad.exe

- Suspicious behavior: EnumeratesProcesses (2708 IoCs)
  Processes: IMG_0005_2020.exe, skype.exe
  pid | process (distinct entries; the report lists each one many times)
  636 | IMG_0005_2020.exe
  904 | skype.exe
  1036 | skype.exe
  688 | skype.exe

- Executes dropped EXE (3 IoCs)
  Processes: skype.exe
  pid | process
  904 | skype.exe
  688 | skype.exe
  1036 | skype.exe

- Suspicious use of SetThreadContext (1 IoC)
  Process: skype.exe
  description | pid | process | target process
  PID 904 set thread context of 688 | 904 | skype.exe | skype.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: skype.exe
  pid | process
  688 | skype.exe

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: IMG_0005_2020.exe, notepad.exe, skype.exe
  description | pid | process | target process
  PID 636 wrote to memory of 816 | 636 | IMG_0005_2020.exe | notepad.exe (5 entries)
  PID 816 wrote to memory of 904 | 816 | notepad.exe | skype.exe (3 entries)
  PID 904 wrote to memory of 688 | 904 | skype.exe | skype.exe (3 entries)
  PID 904 wrote to memory of 1036 | 904 | skype.exe | skype.exe (3 entries)

- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: skype.exe
  pid | process
  904 | skype.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: skype.exe
  description | pid | process
  Token: SeDebugPrivilege | 688 | skype.exe

- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  resource | yara_rule
  behavioral2/memory/688-4-0x0000000000400000-0x000000000047F000-memory.dmp | upx
  behavioral2/memory/688-8-0x0000000000400000-0x000000000047F000-memory.dmp | upx
  behavioral2/memory/688-10-0x0000000000400000-0x000000000047F000-memory.dmp | upx
- Checks whether UAC is enabled
  Process: skype.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | skype.exe
Processes (tree depth shown by the leading number)
1. C:\Users\Admin\AppData\Local\Temp\IMG_0005_2020.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\IMG_0005_2020.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\notepad.exe
      Command line: "C:\Windows\system32\notepad.exe"
      - NTFS ADS
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\startup\skype.exe
         Command line: "C:\Users\Admin\AppData\Roaming\startup\skype.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         - Suspicious behavior: MapViewOfSection
         4. C:\Users\Admin\AppData\Roaming\startup\skype.exe
            Command line: "C:\Users\Admin\AppData\Roaming\startup\skype.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Checks whether UAC is enabled
         4. C:\Users\Admin\AppData\Roaming\startup\skype.exe
            Command line: "C:\Users\Admin\AppData\Roaming\startup\skype.exe" 2 688 116031
            - Suspicious behavior: EnumeratesProcesses
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\startup\skype.exe (listed 4 times)
- memory/688-4-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize 508KB)
- memory/688-5-0x000000000047D4B0-mapping.dmp
- memory/688-8-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize 508KB)
- memory/688-10-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize 508KB)
- memory/688-11-0x0000000002110000-0x0000000002148000-memory.dmp (Filesize 224KB)
- memory/816-0-0x0000000000000000-mapping.dmp
- memory/904-1-0x0000000000000000-mapping.dmp
- memory/1036-6-0x0000000000000000-mapping.dmp