Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 08:32

Static task: static1
Behavioral task: behavioral1
Sample: bb4eb0cc2f31f248a9c2f38c0abbb252.exe
Resource: win7
General
- Target: bb4eb0cc2f31f248a9c2f38c0abbb252.exe
- Size: 710KB
- MD5: bb4eb0cc2f31f248a9c2f38c0abbb252
- SHA1: 562528a4a0ea3eefe8e5526ad68ffdf3df9b5e64
- SHA256: 5901a8e4a36574b8ca6cb3c899e64cdfc27395de606cd4a512431e6dd827196f
- SHA512: 07b33a80ce27fc9b3b4d01900d7a513f1900183ea484e07d79ad57093b94d6adf81006b52f3cc412bcc73c43b32eeba155bbd793d180fa2d3a1a372396fbae79
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: godisgood.hopto.org:2177
- C2: 185.165.153.30:2177
- Mutex: adf7c98d-c26d-478d-b499-e4ca79cefdbc

Configuration keys:
- activate_away_mode: true
- backup_connection_host: 185.165.153.30
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-05-04T01:35:20.350531836Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2177
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: adf7c98d-c26d-478d-b499-e4ca79cefdbc
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: godisgood.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: bb4eb0cc2f31f248a9c2f38c0abbb252.exe, notepad.exe, hfsjrifske.exe, hfsjrifske.exe
  description | pid | process | target process
  PID 2584 wrote to memory of 492 | 2584 | bb4eb0cc2f31f248a9c2f38c0abbb252.exe | notepad.exe (5 entries)
  PID 492 wrote to memory of 632 | 492 | notepad.exe | hfsjrifske.exe (3 entries)
  PID 632 wrote to memory of 804 | 632 | hfsjrifske.exe | hfsjrifske.exe (3 entries)
  PID 632 wrote to memory of 996 | 632 | hfsjrifske.exe | hfsjrifske.exe (3 entries)
  PID 804 wrote to memory of 1100 | 804 | hfsjrifske.exe | schtasks.exe (3 entries)
  PID 804 wrote to memory of 1412 | 804 | hfsjrifske.exe | schtasks.exe (3 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: hfsjrifske.exe
  pid | process
  632 | hfsjrifske.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: hfsjrifske.exe
  description | pid | process
  Token: SeDebugPrivilege | 804 | hfsjrifske.exe
- Checks whether UAC is enabled
  Processes: hfsjrifske.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hfsjrifske.exe
- Executes dropped EXE (3 IoCs)
  Processes: hfsjrifske.exe, hfsjrifske.exe, hfsjrifske.exe
  pid | process
  632 | hfsjrifske.exe
  804 | hfsjrifske.exe
  996 | hfsjrifske.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: hfsjrifske.exe
  description | pid | process | target process
  PID 632 set thread context of 804 | 632 | hfsjrifske.exe | hfsjrifske.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: hfsjrifske.exe
  pid | process
  804 | hfsjrifske.exe
- NTFS ADS (2 IoCs)
  Processes: notepad.exe, hfsjrifske.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe:ZoneIdentifier | notepad.exe
  File created | C:\Program Files (x86)\IMAP Service\imapsv.exe\:ZoneIdentifier:$DATA | hfsjrifske.exe
- Drops startup file (1 IoC)
  Processes: notepad.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs | notepad.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1100 | schtasks.exe
  1412 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2703 IoCs)
  Processes: bb4eb0cc2f31f248a9c2f38c0abbb252.exe, hfsjrifske.exe, hfsjrifske.exe
  pid | process
  2584 | bb4eb0cc2f31f248a9c2f38c0abbb252.exe (2 entries)
  632 | hfsjrifske.exe (2 entries)
  996 | hfsjrifske.exe (all remaining listed entries)
- YARA rule match (yara_rule: upx)
  resource | yara_rule
  behavioral2/memory/804-4-0x0000000000400000-0x000000000047F000-memory.dmp | upx (2 entries)
  behavioral2/memory/804-8-0x0000000000400000-0x000000000047F000-memory.dmp | upx (2 entries)
  behavioral2/memory/804-9-0x0000000000400000-0x000000000047F000-memory.dmp | upx (2 entries)
- Drops file in Program Files directory (3 IoCs)
  Processes: hfsjrifske.exe
  description | ioc | process
  File created | C:\Program Files (x86)\IMAP Service\imapsv.exe | hfsjrifske.exe
  File opened for modification | C:\Program Files (x86)\IMAP Service\imapsv.exe | hfsjrifske.exe
  File created | C:\Program Files (x86)\IMAP Service\imapsv.exe\:ZoneIdentifier:$DATA | hfsjrifske.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: hfsjrifske.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Service = "C:\\Program Files (x86)\\IMAP Service\\imapsv.exe" | hfsjrifske.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bb4eb0cc2f31f248a9c2f38c0abbb252.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bb4eb0cc2f31f248a9c2f38c0abbb252.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\notepad.exe
    command line: "C:\Windows\system32\notepad.exe"
    - Suspicious use of WriteProcessMemory
    - NTFS ADS
    - Drops startup file
    - C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
      command line: "C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
        command line: "C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe"
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Checks whether UAC is enabled
        - Executes dropped EXE
        - Suspicious behavior: GetForegroundWindowSpam
        - NTFS ADS
        - Drops file in Program Files directory
        - Adds Run key to start application
        - C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks.exe" /create /f /tn "IMAP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC7DF.tmp"
          - Creates scheduled task(s)
        - C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks.exe" /create /f /tn "IMAP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp"
          - Creates scheduled task(s)
      - C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
        command line: "C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe" 2 804 109906
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC7DF.tmp
- C:\Users\Admin\AppData\Local\Temp\tmpC986.tmp
- C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
- C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
- C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
- C:\Users\Admin\AppData\Roaming\appdata\hfsjrifske.exe
- memory/492-0-0x0000000000000000-mapping.dmp
- memory/632-1-0x0000000000000000-mapping.dmp
- memory/804-12-0x0000000000972000-0x0000000000973000-memory.dmp (Filesize: 4KB)
- memory/804-9-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/804-11-0x0000000002180000-0x00000000021B8000-memory.dmp (Filesize: 224KB)
- memory/804-8-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/804-5-0x000000000047D730-mapping.dmp
- memory/804-4-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/996-7-0x0000000000000000-mapping.dmp
- memory/1100-13-0x0000000000000000-mapping.dmp
- memory/1412-15-0x0000000000000000-mapping.dmp