Analysis
- max time kernel: 151s
- max time network: 146s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 08:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: bb4eb0cc2f31f248a9c2f38c0abbb252.exe
- Resource: win7
General
- Target: bb4eb0cc2f31f248a9c2f38c0abbb252.exe
- Size: 710KB
- MD5: bb4eb0cc2f31f248a9c2f38c0abbb252
- SHA1: 562528a4a0ea3eefe8e5526ad68ffdf3df9b5e64
- SHA256: 5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
- SHA512: 07b33a80ce27fc9b3b4d01900d7a513f1900183ea484e07d79ad57093b94d6adf81006b52f3cc412bcc73c43b32eeba155bbd793d180fa2d3a1a372396fbae79
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: godisgood.hopto.org:2177, 185.165.153.30:2177
- Mutex: adf7c98d-c26d-478d-b499-e4ca79cefdbc
- activate_away_mode: true
- backup_connection_host: 185.165.153.30
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-05-04T01:35:20.350531836Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (not shown)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2177
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: adf7c98d-c26d-478d-b499-e4ca79cefdbc
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: godisgood.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1228  notepad.exe
    1228  notepad.exe
- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  hfsjrifske.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    616   hfsjrifske.exe
    1408  hfsjrifske.exe
    1432  hfsjrifske.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    1408  hfsjrifske.exe
- NTFS ADS (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe:ZoneIdentifier  notepad.exe
    File created  C:\Program Files (x86)\WAN Subsystem\wanss.exe\:ZoneIdentifier:$DATA  hfsjrifske.exe
- Suspicious behavior: EnumeratesProcesses (1368 IoCs)
  Processes (pid, process; distinct pairs only, the report repeats the 1432 row for each IoC):
    1100  bb4eb0cc2f31f248a9c2f38c0abbb252.exe
    616   hfsjrifske.exe
    1408  hfsjrifske.exe
    1432  hfsjrifske.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
    616   hfsjrifske.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 616 set thread context of 1408  616  hfsjrifske.exe  hfsjrifske.exe
- Drops file in Program Files directory (3 IoCs)
  Processes (description, ioc, process):
    File created  C:\Program Files (x86)\WAN Subsystem\wanss.exe\:ZoneIdentifier:$DATA  hfsjrifske.exe
    File created  C:\Program Files (x86)\WAN Subsystem\wanss.exe  hfsjrifske.exe
    File opened for modification  C:\Program Files (x86)\WAN Subsystem\wanss.exe  hfsjrifske.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe"  hfsjrifske.exe
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description, pid, process, target process; number of repeated rows in brackets):
    PID 1100 wrote to memory of 1228  1100  bb4eb0cc2f31f248a9c2f38c0abbb252.exe  notepad.exe  [6]
    PID 1228 wrote to memory of 616   1228  notepad.exe  hfsjrifske.exe  [4]
    PID 616 wrote to memory of 1408   616   hfsjrifske.exe  hfsjrifske.exe  [4]
    PID 616 wrote to memory of 1432   616   hfsjrifske.exe  hfsjrifske.exe  [4]
    PID 1408 wrote to memory of 808   1408  hfsjrifske.exe  schtasks.exe  [4]
    PID 1408 wrote to memory of 1048  1408  hfsjrifske.exe  schtasks.exe  [4]
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1408  hfsjrifske.exe
- Yara rule match: upx
  Processes (resource, yara_rule; each resource is listed twice in the report):
    behavioral1/memory/1408-7-0x0000000000400000-0x000000000047F000-memory.dmp   upx
    behavioral1/memory/1408-11-0x0000000000400000-0x000000000047F000-memory.dmp  upx
    behavioral1/memory/1408-12-0x0000000000400000-0x000000000047F000-memory.dmp  upx
- Drops startup file (1 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs  notepad.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bb4eb0cc2f31f248a9c2f38c0abbb252.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb4eb0cc2f31f248a9c2f38c0abbb252.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe
    Command line: "C:\Windows\system32\notepad.exe"
    - Loads dropped DLL
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - Drops startup file
    - C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
      Command line: "C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe"
        - Checks whether UAC is enabled
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Drops file in Program Files directory
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "WAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp28A5.tmp"
          - Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "WAN Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp29DE.tmp"
          - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
        Command line: "C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe" 2 1408 74771
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp28A5.tmp
- C:\Users\Admin\AppData\Local\Temp\tmp29DE.tmp
- C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe (listed four times in the report)
- \Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe (listed twice in the report)
- memory/616-4-0x0000000000000000-mapping.dmp
- memory/808-18-0x0000000000000000-mapping.dmp
- memory/1048-20-0x0000000000000000-mapping.dmp
- memory/1228-1-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize 4KB)
- memory/1228-0-0x0000000000000000-mapping.dmp
- memory/1408-15-0x00000000002B2000-0x00000000002B3000-memory.dmp (Filesize 4KB)
- memory/1408-14-0x00000000002C0000-0x00000000002F8000-memory.dmp (Filesize 224KB)
- memory/1408-12-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize 508KB)
- memory/1408-16-0x0000000000220000-0x0000000000253000-memory.dmp (Filesize 204KB)
- memory/1408-11-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize 508KB)
- memory/1408-8-0x000000000047D730-mapping.dmp
- memory/1408-7-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize 508KB)
- memory/1432-10-0x0000000000000000-mapping.dmp