Analysis
Max time kernel: 64s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 05-01-2021 08:08

Tasks:
  Static task: static1
  Behavioral task: behavioral1 (Sample: File.exe, Resource: win7v20201028)
General
Target: File.exe
Size: 1.0MB
MD5: 64becd6a7a8590aea83f5d702b66a34b
SHA1: 3b4b903509f057357ef73784f5ce8aaad027a067
SHA256: 0c687ab49f5ce45edd012b56f690fe15cf0001769fa33b482c91c65cd5c626fc
SHA512: 4ed2b6df7307289907e70fa8fac4cd01bc636787f97f9aca8ba782e33ea7f0e8b101ad035b26485b5c66f59fd674f45f39192ff15c18f217bb5daa5f14e59933
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: innocentbooii.hopto.org:55420
C2: 194.5.98.133:55420
Mutex: aa47b8cc-db9f-4bb0-af63-a1d647549754
Attributes:
  activate_away_mode: false
  backup_connection_host: 194.5.98.133
  backup_dns_server:
  buffer_size: 65538
  build_time: 2020-09-25T13:39:29.523835236Z
  bypass_user_account_control: false
  bypass_user_account_control_data:
  clear_access_control: false
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 55420
  default_group: Bail
  enable_debug_mode: true
  gc_threshold: 1.0485772e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.0485772e+07
  mutex: aa47b8cc-db9f-4bb0-af63-a1d647549754
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: innocentbooii.hopto.org
  primary_dns_server:
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: true
  set_critical_process: false
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8009
Signatures
-
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | File.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1200 set thread context of 1312 | 1200 | File.exe | File.exe
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  1764 | schtasks.exe
  1372 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  1200 | File.exe
  1312 | File.exe
  1312 | File.exe
  1312 | File.exe
  1312 | File.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  1312 | File.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1200 | File.exe
  Token: SeDebugPrivilege | 1312 | File.exe
  Token: SeDebugPrivilege | 1312 | File.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 1200 wrote to memory of 1764 | 1200 | File.exe | schtasks.exe (4 entries)
  PID 1200 wrote to memory of 1312 | 1200 | File.exe | File.exe (9 entries)
  PID 1312 wrote to memory of 1372 | 1312 | File.exe | schtasks.exe (4 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\File.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uoiGoAgNIP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp"
        - Creates scheduled task(s)
    -
    [2] C:\Users\Admin\AppData\Local\Temp\File.exe
        Command line: "{path}"
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2CFA.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp281A.tmp
  MD5: c9eefd8b35a806a8904302aecc0e9fbc
  SHA1: b38c57201b718bf91b6963e6e4519a7d06ad6647
  SHA256: 4e6eaf7e951d7bae1b0326cdfe9a76f38f1b927d166da631a45189567a2728b8
  SHA512: 17abb73514cf7719239c7919b4f66a864c5af488273fa8b8e4bc9e7f5e09d040c392af53d4901ee650fc418b79d162be3a0a204c8182364504034673abea0c19
-
C:\Users\Admin\AppData\Local\Temp\tmp2CFA.tmp
  MD5: b9ff32dd5b07a822c08ca4550298ffd9
  SHA1: 30e7b594aec1f3f554ca7a460d3ed99fdbacd4f2
  SHA256: 0a2419cb37d47c1ac8cfbf20d33e566f985f22f6ca810e3cb3e12dfc5d59202c
  SHA512: 510a84f4e7df924edd8521ab91cb829204ee24b993994a06df0a86b660b763ced58f0d7851106ba6fc4133be47cef30320ca17de9afcf75b3f16cd614798ac89
-
memory/1312-5-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1312-6-0x000000000041E792-mapping.dmp
-
memory/1312-7-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1312-8-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
-
memory/1372-9-0x0000000000000000-mapping.dmp
-
memory/1764-3-0x0000000000000000-mapping.dmp