Analysis
max time kernel: 149s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 19:37

Behavioral task: behavioral1
Sample: RFQ 1107052020.exe
Resource: win7v20201028
General
Target: RFQ 1107052020.exe
Size: 439KB
MD5: 6f76cf57e27e27dc36ef6365bf992d0b
SHA1: ecc4feea2d22a4e7b5cdcee281bddd2396a54f5c
SHA256: a625100d55ce2671fe17784442c36fa6bae6ada85d516c2e3ac4509112d4c740
SHA512: 3676e45051dce3a6e8857de0713da27449831fc4ec5b2a84c1afbe3d6689ceaf6a763452013ff066c3e3413547c1111f12beff0a4be652fabca784b906ab5dac
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: sydney112.hopto.org:1007, 79.134.225.7:1007
Mutex: 1794518e-1406-42a0-bd9e-26459aee0f43

activate_away_mode: true
backup_connection_host: 79.134.225.7
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-02-10T00:18:24.962118936Z
bypass_user_account_control: false
bypass_user_account_control_data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1007
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 1794518e-1406-42a0-bd9e-26459aee0f43
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: sydney112.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: RFQ 1107052020.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"
  process: RFQ 1107052020.exe

Checks whether UAC is enabled
Process: RFQ 1107052020.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: RFQ 1107052020.exe

Suspicious use of SetThreadContext (1 IoC)
Process: RFQ 1107052020.exe
  description: PID 540 set thread context of 3356
  pid: 540
  process: RFQ 1107052020.exe
  target process: RFQ 1107052020.exe

Drops file in Program Files directory (2 IoCs)
Process: RFQ 1107052020.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
  process: RFQ 1107052020.exe

  description: File created
  ioc: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
  process: RFQ 1107052020.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid: 3672, process: schtasks.exe
  pid: 1092, process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: RFQ 1107052020.exe, RFQ 1107052020.exe
  pid: 540, process: RFQ 1107052020.exe (5 entries)
  pid: 3356, process: RFQ 1107052020.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: RFQ 1107052020.exe
  pid: 3356, process: RFQ 1107052020.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: RFQ 1107052020.exe, RFQ 1107052020.exe
  description: Token: SeDebugPrivilege, pid: 540, process: RFQ 1107052020.exe
  description: Token: SeDebugPrivilege, pid: 3356, process: RFQ 1107052020.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Process: RFQ 1107052020.exe
  pid: 540, process: RFQ 1107052020.exe (2 entries)

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: RFQ 1107052020.exe, RFQ 1107052020.exe
  description: PID 540 wrote to memory of 3696, pid: 540, process: RFQ 1107052020.exe, target process: RFQ 1107052020.exe (3 entries)
  description: PID 540 wrote to memory of 2412, pid: 540, process: RFQ 1107052020.exe, target process: RFQ 1107052020.exe (3 entries)
  description: PID 540 wrote to memory of 3356, pid: 540, process: RFQ 1107052020.exe, target process: RFQ 1107052020.exe (8 entries)
  description: PID 3356 wrote to memory of 3672, pid: 3356, process: RFQ 1107052020.exe, target process: schtasks.exe (3 entries)
  description: PID 3356 wrote to memory of 1092, pid: 3356, process: RFQ 1107052020.exe, target process: schtasks.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
    command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
    command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\RFQ 1107052020.exe
    command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7F86.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp818B.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RFQ 1107052020.exe.log
MD5: 2ce1b56364fa233e3c3b24c1094c08ef
SHA1: 6bd332829aebe567d7b2cb1fd9a82dfe1791052f
SHA256: dcf175d01a6de724456eebafad26562a1c6c59bb61ed4a40675e80b7dbc5680e
SHA512: 5abf87138689fdc6f8f79c130c3511c863bac1fb0acc60525bc660c532276e3e0037134a9653e0b4f9a77142236cc18144e90bb40ace7271d6eb57fcf438bfe9

C:\Users\Admin\AppData\Local\Temp\tmp7F86.tmp
MD5: fb80d0e19032b29c47d85d14f009fd97
SHA1: e1c6ce934402c7443cc1a923a15b99f3f734c915
SHA256: ae06bb533582078648bc61e560160bd222aa87ce0bf27eacd0988d04a3c34a97
SHA512: c0b5310625c03de2a15244324d8c5caf3cdebe7e53fd20c887285dce71e92249eb8a57997deaa6c2736ebeb9ff2d49ca21d3f8ef9aabe1fa947efc3c011767d3

C:\Users\Admin\AppData\Local\Temp\tmp818B.tmp
MD5: b3b017f9df206021717a11f11d895402
SHA1: e4ea12823af6550ee634536eec1eb14490580a3b
SHA256: 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024
SHA512: 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

memory/1092-7-0x0000000000000000-mapping.dmp

memory/3356-3-0x000000000041E792-mapping.dmp

memory/3356-2-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB

memory/3672-5-0x0000000000000000-mapping.dmp