Analysis
- max time kernel: 151s
- max time network: 146s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 08:32

Static task: static1
Behavioral task: behavioral1
Sample: c85493fbd869baf0b92c89a09604562d.exe
Resource: win7

General
- Target: c85493fbd869baf0b92c89a09604562d.exe
- Size: 710KB
- MD5: c85493fbd869baf0b92c89a09604562d
- SHA1: c3412e74e5a797d3d087d05fcf7e03c03e960e1a
- SHA256: 3a8a04925d66b89b7cdb459aa6fc33e5132c447efcc541ab86e17b74f64a8287
- SHA512: 50626f4376d080c0623a31c7d6a6e567b76afb512415709fda66ea383761ed576245776deb4930b715e74a006492767d26b90c0d40cffd19d55aecbd04aaac82
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: ndlovusamkello.hopto.org:3940, 185.140.53.132:3940
- Mutex: c036ee8d-7b1c-4a45-b399-b74d5de4daa9

Attributes:
- activate_away_mode: true
- backup_connection_host: 185.140.53.132
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-05-03T17:26:20.781540536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3940
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: c036ee8d-7b1c-4a45-b399-b74d5de4daa9
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: ndlovusamkello.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
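The extracted configuration above is the most reusable output of this run: the two connection hosts and the port are network indicators, the mutex is a host indicator, and several boolean flags change how a responder should act. The following is an added example by the editor, not code from the sandbox or from NanoCore, that turns a configuration like the one above into deduplicated indicators, Suricata rules and responder notes. NANOCORE_CONFIG is constructed from the values shown in the report, keyed by the report's own field names; the SID range, rule messages and verdict wording are assumptions to adapt locally.

```python
"""Turn a sandbox-extracted NanoCore configuration into hunt-ready indicators.

Added example (editor's code, not the report's or NanoCore's).  The config
dictionary is constructed from the report's "Malware Config" section.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the report (subset of the extracted fields).
NANOCORE_CONFIG: Dict[str, object] = {
    "version": "1.2.2.0",
    "primary_connection_host": "ndlovusamkello.hopto.org",
    "backup_connection_host": "185.140.53.132",
    "connection_port": 3940,
    "mutex": "c036ee8d-7b1c-4a45-b399-b74d5de4daa9",
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "run_on_startup": True,
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
    "keyboard_logging": False,
}

Ioc = Tuple[str, str]  # (kind, value)


def classify_host(host: str) -> str:
    """Return 'ip' or 'domain'; the two need different network rules."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def extract_iocs(cfg: Dict[str, object]) -> List[Ioc]:
    """Indicators for this build, deduplicated, first-seen order kept.

    Only the connection hosts are treated as C2.  The DNS servers are Google's
    public resolvers and use_custom_dns_server is false, so they are skipped
    rather than shipped as false-positive-prone indicators.
    """
    port = cfg["connection_port"]
    iocs: List[Ioc] = []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if host:
            iocs.append((classify_host(str(host)), f"{host}:{port}"))
    iocs.append(("mutex", str(cfg["mutex"])))
    return list(dict.fromkeys(iocs))  # dedupe while preserving order


def suricata_rules(iocs: List[Ioc], sid_base: int = 9000001) -> List[str]:
    """One Suricata rule per network IoC (mutexes are host-side only).

    sid_base is an assumed local SID range; pick one that does not collide
    with rulesets you already load.
    """
    rules: List[str] = []
    sid = sid_base
    for kind, value in iocs:
        if kind not in ("ip", "domain"):
            continue
        host, port = value.rsplit(":", 1)
        if kind == "ip":
            rules.append(
                f'alert tcp $HOME_NET any -> {host} {port} '
                f'(msg:"NanoCore C2 connection to {host}:{port}"; '
                f'flow:to_server; sid:{sid}; rev:1;)')
        else:
            # DNS name: match the query, since the resolved IP may change.
            rules.append(
                f'alert dns $HOME_NET any -> any any '
                f'(msg:"NanoCore C2 DNS lookup {host}"; dns.query; '
                f'content:"{host}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


def response_notes(cfg: Dict[str, object]) -> List[str]:
    """Responder caveats implied by the enabled build flags."""
    notes: List[str] = []
    if cfg.get("set_critical_process"):
        notes.append("set_critical_process: the implant marks itself critical, so "
                     "killing it can bugcheck the host (CRITICAL_PROCESS_DIED); "
                     "suspend and image it, or remove persistence and reboot.")
    if cfg.get("run_on_startup"):
        notes.append("run_on_startup: look for a Startup-folder or Run-key artifact "
                     "(this run dropped web.vbs into the user's Startup folder).")
    if cfg.get("bypass_user_account_control") or cfg.get("request_elevation"):
        notes.append("UAC bypass/elevation enabled: check for elevated instances "
                     "and for the EnableLUA registry query seen in the report.")
    return notes
```

The mutex is deliberately kept out of the Suricata output: it is only useful for host-side hunting (a running-process check or a memory scan), and the rules generator should not silently drop it, so it stays in the indicator list.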
Signatures
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    pid   process                               target pid  target process  occurrences
    1312  c85493fbd869baf0b92c89a09604562d.exe  316         notepad.exe     6
    316   notepad.exe                           1396        hdjfksfj.exe    4
    1396  hdjfksfj.exe                          1488        hdjfksfj.exe    4
    1396  hdjfksfj.exe                          1624        hdjfksfj.exe    4
- Loads dropped DLL (2 IoCs)
  Processes:
    pid  process
    316  notepad.exe (2 entries)
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1396  hdjfksfj.exe
    1488  hdjfksfj.exe
    1624  hdjfksfj.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1488  hdjfksfj.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1488  hdjfksfj.exe
- YARA rule matched: upx
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/1488-7-0x0000000000400000-0x000000000047F000-memory.dmp    upx
    behavioral1/memory/1488-10-0x0000000000400000-0x000000000047F000-memory.dmp   upx
    behavioral1/memory/1488-11-0x0000000000400000-0x000000000047F000-memory.dmp   upx
  (each resource is listed twice in the original table)
- Drops startup file (1 IoC)
  Processes:
    description   ioc                                                                                   process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.vbs  notepad.exe
- Suspicious behavior: EnumeratesProcesses (1370 IoCs)
  Processes (the original table repeats entries per pid; distinct processes shown):
    pid   process
    1312  c85493fbd869baf0b92c89a09604562d.exe
    1396  hdjfksfj.exe
    1488  hdjfksfj.exe
    1624  hdjfksfj.exe (the bulk of the listed entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description            pid   process       target pid  target process
    set thread context of  1396  hdjfksfj.exe  1488        hdjfksfj.exe
- NTFS ADS (1 IoC)
  Processes:
    description   ioc                                                                process
    File created  C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe:ZoneIdentifier  notepad.exe
- Checks whether UAC is enabled
  Processes:
    description        ioc                                                                                    process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  hdjfksfj.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1396  hdjfksfj.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\c85493fbd869baf0b92c89a09604562d.exe (PID 1312)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c85493fbd869baf0b92c89a09604562d.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: EnumeratesProcesses
  2. C:\Windows\SysWOW64\notepad.exe (PID 316)
     Command line: "C:\Windows\system32\notepad.exe"
     (the 32-bit parent asked for system32\notepad.exe; WoW64 file-system redirection resolved it to the 32-bit copy in SysWOW64)
     - Suspicious use of WriteProcessMemory
     - Loads dropped DLL
     - Drops startup file
     - NTFS ADS
    3. C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (PID 1396)
       Command line: "C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe"
       - Suspicious use of WriteProcessMemory
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of SetThreadContext
       - Suspicious behavior: MapViewOfSection
      4. C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (PID 1488)
         Command line: "C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious behavior: EnumeratesProcesses
         - Checks whether UAC is enabled
      4. C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (PID 1624)
         Command line: "C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe" 2 1488 63445
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
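The WriteProcessMemory and SetThreadContext rows in the Signatures section, read together with the process tree, describe the chain 1312 -> 316 (notepad.exe) -> 1396 -> {1488, 1624}, where 1396 both writes into and sets the thread context of a same-image child, the pattern of hollowing a suspended copy of itself. The following added example (editor's code, not the sandbox's tooling) parses rows in the flattened format the report uses, rebuilds the chain and classifies each writer/target pair. ROWS is constructed from the report's tables with duplicate rows dropped; SYSTEM_BINARIES and the verdict names are hypothetical and are there to show where a local allow-list plugs in.

```python
"""Rebuild an injection chain from flattened sandbox IoC rows.

Added example (editor's code, not from the report's tooling).  ROWS is
constructed from the report's WriteProcessMemory / SetThreadContext tables.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed from the report; one row per distinct IoC.
ROWS = """
PID 1312 wrote to memory of 316 1312 c85493fbd869baf0b92c89a09604562d.exe notepad.exe
PID 316 wrote to memory of 1396 316 notepad.exe hdjfksfj.exe
PID 1396 wrote to memory of 1488 1396 hdjfksfj.exe hdjfksfj.exe
PID 1396 wrote to memory of 1624 1396 hdjfksfj.exe hdjfksfj.exe
PID 1396 set thread context of 1488 1396 hdjfksfj.exe hdjfksfj.exe
""".strip().splitlines()

# Row shape: "PID <src> <action> <dst> <src> <src_image> <dst_image>"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$")

# Hypothetical allow-list of Windows binaries commonly used as injection hosts.
SYSTEM_BINARIES = {"notepad.exe", "svchost.exe", "explorer.exe", "regsvr32.exe"}

Event = Tuple[int, str, int, str, str]  # src, action, dst, src_image, dst_image


def parse_rows(rows: List[str]) -> List[Event]:
    """Parse report rows; raise on anything that does not fit the format."""
    events: List[Event] = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        events.append((int(m["src"]), m["action"], int(m["dst"]),
                       m["src_image"], m["dst_image"]))
    return events


def find_injection(events: List[Event]) -> Dict[Tuple[int, int], str]:
    """Verdict per (writer pid, target pid).

    hollowing-candidate:        write + SetThreadContext into a same-image target
    inject-into-system-binary:  write into a Windows binary of a different image
    write-only:                 memory written, nothing more observed
    """
    actions = defaultdict(set)
    images: Dict[Tuple[int, int], Tuple[str, str]] = {}
    for src, action, dst, src_img, dst_img in events:
        actions[(src, dst)].add(action)
        images[(src, dst)] = (src_img.lower(), dst_img.lower())
    verdicts: Dict[Tuple[int, int], str] = {}
    for pair, acts in actions.items():
        src_img, dst_img = images[pair]
        if {"wrote to memory of", "set thread context of"} <= acts and src_img == dst_img:
            verdicts[pair] = "hollowing-candidate"
        elif dst_img in SYSTEM_BINARIES and src_img != dst_img:
            verdicts[pair] = "inject-into-system-binary"
        else:
            verdicts[pair] = "write-only"
    return verdicts


def injection_chain(events: List[Event], root: int) -> List[str]:
    """Depth-first 'pid:image' walk of writer -> target edges from root."""
    children: Dict[int, List[int]] = defaultdict(list)
    image: Dict[int, str] = {}
    for src, _action, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
    order: List[str] = []

    def walk(pid: int) -> None:
        order.append(f"{pid}:{image[pid]}")
        for child in sorted(children.get(pid, [])):
            walk(child)

    walk(root)
    return order
```

Two things the classification deliberately does not do: it does not treat the write from 316 into 1396 as hollowing (notepad.exe writing into a freshly spawned hdjfksfj.exe is an injection step, but no SetThreadContext was recorded for that pair), and it does not conclude anything about 1624, which received memory writes only. In a real pipeline the same pair-keyed logic would run over Sysmon or EDR telemetry rather than over report text.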
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (4 entries)
- \Users\Admin\AppData\Roaming\appdata\hdjfksfj.exe (2 entries)

Memory dumps:
- memory/316-1-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/316-0-0x0000000000000000-mapping.dmp
- memory/1396-4-0x0000000000000000-mapping.dmp
- memory/1488-10-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1488-8-0x000000000047D4C0-mapping.dmp
- memory/1488-11-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1488-7-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1488-14-0x00000000003B0000-0x00000000003E8000-memory.dmp (224KB)
- memory/1488-15-0x0000000000302000-0x0000000000303000-memory.dmp (4KB)
- memory/1488-16-0x0000000000220000-0x0000000000253000-memory.dmp (204KB)
- memory/1624-12-0x0000000000000000-mapping.dmp