Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 13:52

Static task: static1
Behavioral task: behavioral1
Sample: TECHNICAL OFFERS.exe
Resource: win7v20201028
General
- Target: TECHNICAL OFFERS.exe
- Size: 288KB
- MD5: 7d5e8d9809ed642c031226dc385f98f3
- SHA1: eb5b7f5617e9cac86931c9a6fecff5dce2d975dd
- SHA256: 44b244b665832f11995d435e978ca9cd406c7bc8816e68c23c4a22a51990b0fb
- SHA512: 66e35ba5914b03fbe549f61aec7143daca89655faa60c58556b4038b8db1d03452a3e92cb30519a587ae2964de8c2399e992394e326ab7a401d3fffde8baef2d
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2 host:port: mystupidfriend.duckdns.org:6578
- Mutex: 32885bce-b113-4152-91c6-9c705cad8fa3

Configuration fields:
- activate_away_mode: true
- backup_connection_host: mystupidfriend.duckdns.org
- backup_dns_server: mystupidfriend.duckdns.org
- buffer_size: 65535
- build_time: 2020-10-27T08:44:15.324888036Z
- bypass_user_account_control: false
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 6578
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 32885bce-b113-4152-91c6-9c705cad8fa3
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: mystupidfriend.duckdns.org
- primary_dns_server: mystupidfriend.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: TECHNICAL OFFERS.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" | TECHNICAL OFFERS.exe
- Checks whether UAC is enabled
  Processes: TECHNICAL OFFERS.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TECHNICAL OFFERS.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: TECHNICAL OFFERS.exe
  description | pid | process | target process
  PID 848 set thread context of 2008 | 848 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: TECHNICAL OFFERS.exe
  description | ioc | process
  File created | C:\Program Files (x86)\WPA Host\wpahost.exe | TECHNICAL OFFERS.exe
  File opened for modification | C:\Program Files (x86)\WPA Host\wpahost.exe | TECHNICAL OFFERS.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  2044 | schtasks.exe
  1980 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: TECHNICAL OFFERS.exe
  pid | process
  2008 | TECHNICAL OFFERS.exe
  2008 | TECHNICAL OFFERS.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: TECHNICAL OFFERS.exe
  pid | process
  2008 | TECHNICAL OFFERS.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: TECHNICAL OFFERS.exe
  pid | process
  848 | TECHNICAL OFFERS.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: TECHNICAL OFFERS.exe
  description | pid | process
  Token: SeDebugPrivilege | 2008 | TECHNICAL OFFERS.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: TECHNICAL OFFERS.exe, TECHNICAL OFFERS.exe
  description | pid | process | target process
  PID 848 wrote to memory of 1996 | 848 | TECHNICAL OFFERS.exe | cmd.exe
  PID 848 wrote to memory of 1996 | 848 | TECHNICAL OFFERS.exe | cmd.exe
  PID 848 wrote to memory of 1996 | 848 | TECHNICAL OFFERS.exe | cmd.exe
  PID 848 wrote to memory of 1996 | 848 | TECHNICAL OFFERS.exe | cmd.exe
  PID 848 wrote to memory of 2008 | 848 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 848 wrote to memory of 2008 | 848 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 848 wrote to memory of 2008 | 848 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 848 wrote to memory of 2008 | 848 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 848 wrote to memory of 2008 | 848 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 2008 wrote to memory of 1980 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2008 wrote to memory of 1980 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2008 wrote to memory of 1980 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2008 wrote to memory of 1980 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2008 wrote to memory of 2044 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2008 wrote to memory of 2044 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2008 wrote to memory of 2044 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2008 wrote to memory of 2044 | 2008 | TECHNICAL OFFERS.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp
  MD5: f2eee8cfc479e25d22bbd29ed53c009a
  SHA1: 1fa54cca5b14d3c35c977456a1b706e34069e3aa
  SHA256: 3e1fa2229e7740810a39a25e9087adfb4506250606ffecf5a60a04871569b32f
  SHA512: b655eb4dcae4f1699f6e8a2a3c0c3779a7b9a8286d75764bea4231473421206870d8a1c3e4704af138ebf272fae81dd89444136046c7bbae966c17225f6c2f87
- C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd
- memory/1980-9-0x0000000000000000-mapping.dmp
- memory/1996-2-0x0000000000000000-mapping.dmp
- memory/2008-5-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
- memory/2008-6-0x00000000745D0000-0x0000000074CBE000-memory.dmp (Filesize: 6.9MB)
- memory/2008-7-0x00000000004F0000-0x0000000000523000-memory.dmp (Filesize: 204KB)
- memory/2008-4-0x000000000040188B-mapping.dmp
- memory/2008-3-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
- memory/2008-13-0x0000000000A90000-0x0000000000A95000-memory.dmp (Filesize: 20KB)
- memory/2008-14-0x0000000000AE0000-0x0000000000AF9000-memory.dmp (Filesize: 100KB)
- memory/2008-15-0x0000000000B10000-0x0000000000B13000-memory.dmp (Filesize: 12KB)
- memory/2044-11-0x0000000000000000-mapping.dmp