Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 29-01-2021 17:44
Static task: static1
Behavioral task: behavioral1
Sample: MRC20201030XMY, pdf.exe
Resource: win7v20201028
General
- Target: MRC20201030XMY, pdf.exe
- Size: 680KB
- MD5: 745a0884f13a2c9fac2d787e7454160f
- SHA1: ed1c474eb18b804a4b3270ce6ea4a7f8c6d27291
- SHA256: 274e4f123b2129e9e8d7f6eb638e3dc5fddf524781b1a7b2819b7cc6c8ca2a89
- SHA512: ac010dd0512e112b7556541d555cb25d126c87017f0d4f1c01ccab52446693a30f6a5593ba1bce0545e89fc3ba179ce3b28327f5b931ac98d5b5dae867ed8e58
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: graceland777.ddns.net:7771
Mutex: 88abe1b7-73a7-478a-80b3-05251cbe93c2
Attributes:
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-11-10T18:05:18.611593036Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 7771
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 88abe1b7-73a7-478a-80b3-05251cbe93c2
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: graceland777.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid   process                  target process
    PID 636 set thread context of 1968   636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 1968 set thread context of 2756  1968  RegSvcs.exe              RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    1968  RegSvcs.exe
    2756  RegSvcs.exe
    2756  RegSvcs.exe
    2756  RegSvcs.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    2756  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   1968  RegSvcs.exe
    Token: SeDebugPrivilege   2756  RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description                          pid   process                  target process
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 636 wrote to memory of 1968      636   MRC20201030XMY, pdf.exe  RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
    PID 1968 wrote to memory of 2756     1968  RegSvcs.exe              RegSvcs.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\MRC20201030XMY, pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MRC20201030XMY, pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/636-2-0x0000000002DF0000-0x0000000002DF1000-memory.dmp (Filesize: 4KB)
- memory/1968-3-0x0000000000400000-0x000000000046E000-memory.dmp (Filesize: 440KB)
- memory/1968-4-0x0000000000465A6E-mapping.dmp
- memory/1968-5-0x00000000031B0000-0x00000000031B1000-memory.dmp (Filesize: 4KB)
- memory/1968-6-0x00000000031B1000-0x00000000031B2000-memory.dmp (Filesize: 4KB)
- memory/2756-7-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2756-8-0x000000000041E792-mapping.dmp
- memory/2756-9-0x00000000028A0000-0x00000000028A1000-memory.dmp (Filesize: 4KB)
- memory/2756-10-0x00000000028A1000-0x00000000028A2000-memory.dmp (Filesize: 4KB)