Analysis
- max time kernel: 162s
- max time network: 202s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:21

Static task: static1

Behavioral task: behavioral1
- Sample: Z2OO7PDS.exe
- Resource: win7-20220414-en
General
- Target: Z2OO7PDS.exe
- Size: 442KB
- MD5: ba83069cf373373d35a107ac5d8b4da9
- SHA1: 8f1ccfccd2e9f2e3b4652bdf3b385d69c4f57c7d
- SHA256: 82c3dd9e4b7e58fba6607bd562d4a80bc2c30f329bd7e7a5be3f40398b45caf1
- SHA512: b7d15454c882410ef178d8bc20ca747597a128234dc4bbfd92826b0b895bd4279a123d2f315aa107728f48ab41c54169136922cafca2616d3ad8c9d047fc5e5c
Malware Config

Extracted: nanocore
- Version: 1.2.2.0
- C2: 185.84.181.89:9083
- C2: godrich.duckdns.org:9083
- Mutex: 1279205d-f778-4dea-87c3-5b0f16201404

Configuration values:
- activate_away_mode: true
- backup_connection_host: godrich.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65556
- build_time: 2020-05-17T06:02:33.528877536Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not included in this report)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9083
- default_group: Sales
- enable_debug_mode: true
- gc_threshold: 10485760 (1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (1.048576e+07)
- mutex: 1279205d-f778-4dea-87c3-5b0f16201404
- mutex_timeout: 5006
- prevent_system_sleep: false
- primary_connection_host: 185.84.181.89
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5012
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: Z2OO7PDS.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\Program Files (x86)\WPA Subsystem\wpass.exe"

Checks whether UAC is enabled
Process: Z2OO7PDS.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
- PID 1676 (Z2OO7PDS.exe) set thread context of PID 2016 (Z2OO7PDS.exe)

Drops file in Program Files directory (2 IoCs)
Process: Z2OO7PDS.exe
- File created: C:\Program Files (x86)\WPA Subsystem\wpass.exe
- File opened for modification: C:\Program Files (x86)\WPA Subsystem\wpass.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1700 schtasks.exe
- PID 1488 schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- PID 1676 Z2OO7PDS.exe (2 events)
- PID 2016 Z2OO7PDS.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1676 Z2OO7PDS.exe
- Token: SeDebugPrivilege, PID 2016 Z2OO7PDS.exe

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 1676 (Z2OO7PDS.exe) wrote to memory of PID 2016 (Z2OO7PDS.exe): 9 events
- PID 2016 (Z2OO7PDS.exe) wrote to memory of PID 1700 (schtasks.exe): 4 events
- PID 2016 (Z2OO7PDS.exe) wrote to memory of PID 1488 (schtasks.exe): 4 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe (PID 1676)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe (PID 2016, spawned by 1)
      Command line: "{path}"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\schtasks.exe (spawned by 2)
         Command line: "schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFF2.tmp"
         - Creates scheduled task(s)

      3. C:\Windows\SysWOW64\schtasks.exe (spawned by 2)
         Command line: "schtasks.exe" /create /f /tn "WPA Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3BA.tmp"
         - Creates scheduled task(s)
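The behaviours recorded above (a second Z2OO7PDS.exe started with the command line "{path}" after the parent used SetThreadContext and WriteProcessMemory on it, a Run key pointing at the wpass.exe the child itself dropped under Program Files (x86), and two schtasks.exe /create /xml launches reading task definitions from %TEMP%) together with the C2 hosts, port and mutex from the extracted config translate directly into hunt logic. The Python below is an added example written for this page; it is neither Triage output nor code from the sample. It runs the rules over a constructed event stream that mirrors the report. Assumptions: the event field names (type, pid, image, parent_image, cmdline, key, data, ...) are modelled loosely on Sysmon-style telemetry and are not any product's schema; the pairing of PID 1700 with tmpFFF2.tmp and PID 1488 with tmp3BA.tmp follows tree order and is assumed; the mutex, DNS and connect events are built from the config values because no network events appear in this report.

```python
import re

# Indicators taken from the extracted NanoCore config and the signatures above.
C2_ENDPOINTS = {("185.84.181.89", 9083), ("godrich.duckdns.org", 9083)}
C2_DOMAINS = {"godrich.duckdns.org"}
NANOCORE_MUTEX = "1279205d-f778-4dea-87c3-5b0f16201404"

TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.I)
XML_ARG_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)


def _process_rules(ev):
    """Rules on a process-creation event; returns (rule, pid, detail) tuples."""
    hits = []
    image, parent, cmd = ev["image"].lower(), ev["parent_image"].lower(), ev["cmdline"]
    # A child with the same image as its parent whose command line never names that
    # image: the report's PID 2016 runs as "{path}" after the parent used
    # SetThreadContext + WriteProcessMemory on it (hollowing of a copy of itself).
    if image == parent and image not in cmd.lower():
        hits.append(("self_hollowing_child", ev["pid"], cmd))
    # schtasks.exe /create fed a task definition from an XML file in %TEMP%.
    if image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
        m = XML_ARG_RE.search(cmd)
        xml = (m.group(1) or m.group(2)) if m else ""
        if TEMP_DIR_RE.match(xml):
            hits.append(("schtasks_xml_from_temp", ev["pid"], xml))
    return hits


def _run_key_rule(ev, created):
    """Run-key value pointing into Program Files at a file the same process created."""
    if not RUN_KEY_RE.search(ev["key"]):
        return None
    target = ev["data"].strip().strip('"').lower()
    if PROGRAM_FILES_RE.match(target) and target in created.get(ev["pid"], set()):
        return ("run_key_to_self_dropped_binary", ev["pid"], target)
    return None


def hunt(events):
    """Run every rule over an ordered event stream; returns a list of (rule, pid, detail)."""
    created = {}  # pid -> lower-cased paths of files that process created
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            created.setdefault(ev["pid"], set()).add(ev["path"].lower())
        elif kind == "process_create":
            hits.extend(_process_rules(ev))
        elif kind == "registry_set":
            hit = _run_key_rule(ev, created)
            if hit:
                hits.append(hit)
        elif kind == "mutex_create" and ev["name"].lower() == NANOCORE_MUTEX:
            hits.append(("nanocore_mutex", ev["pid"], ev["name"]))
        elif kind == "dns_query" and ev["query"].lower() in C2_DOMAINS:
            hits.append(("nanocore_c2_dns", ev["pid"], ev["query"]))
        elif kind == "network_connect" and (ev["dst"], ev["dport"]) in C2_ENDPOINTS:
            hits.append(("nanocore_c2_connect", ev["pid"], f"{ev['dst']}:{ev['dport']}"))
    return hits


# Constructed event stream mirroring the report (field names are an assumption).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe"
DROPPED = r"C:\Program Files (x86)\WPA Subsystem\wpass.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1676, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 2016, "image": SAMPLE,
     "parent_image": SAMPLE, "cmdline": "{path}"},
    {"type": "mutex_create", "pid": 2016, "name": NANOCORE_MUTEX},
    {"type": "file_create", "pid": 2016, "path": DROPPED},
    {"type": "registry_set", "pid": 2016,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem",
     "data": f'"{DROPPED}"'},
    {"type": "process_create", "pid": 1700, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": SAMPLE,
     "cmdline": r'"schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFF2.tmp"'},
    {"type": "process_create", "pid": 1488, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": SAMPLE,
     "cmdline": r'"schtasks.exe" /create /f /tn "WPA Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3BA.tmp"'},
    {"type": "dns_query", "pid": 2016, "query": "godrich.duckdns.org"},
    {"type": "network_connect", "pid": 2016, "dst": "185.84.181.89", "dport": 9083},
    # Benign-looking noise that must not fire: a task XML that is not in %TEMP%.
    {"type": "process_create", "pid": 3000, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'},
]

if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The stateful Run-key rule is the one worth keeping: a Run value that points at a file the same process wrote moments earlier is rare in legitimate installers, whereas a bare "Run key set" rule fires constantly. The same-image/"{path}" rule catches this sample's .NET-style self-hollowing but will miss injection into a different host binary, so pair it with the SetThreadContext and WriteProcessMemory telemetry the report itself relies on.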
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3BA.tmp
- Filesize: 1KB
- MD5: 4365cd1ae65923a319ef2683a45891fe
- SHA1: 85dde233112660e31c53884aedfbad52e4547e09
- SHA256: 84b6ce4ba26fa6fb57fa70b9ad191f7c42c71e259897955b5d514385bcd91b58
- SHA512: d1bd24f504c5c2ecaa3ae98268ccc2e400ea3e16980c6caf394eadf7738225e4d5578fbe62bbe2de3fe0cb56a0d76bb3fc84cef3b9cd2f3d8be6d0becefdc035

C:\Users\Admin\AppData\Local\Temp\tmpFFF2.tmp
- Filesize: 1KB
- MD5: 57d030974b893acde94283816b5c18d4
- SHA1: 2da210248ccdfeed7f64f6eed90e399be4a46e24
- SHA256: f734ec317c0d58b4bd332dc4fd8ec671494355133424aa269d0cc0fbde983a44
- SHA512: 8030525f3dd8aafb027ee5d5e39f1894629bd8f777d977b5f57934298dafbea2122db47304dfdb273eb47a87024dd03e1f0dde7e02b8bf2fc360b4816b77f6df

Memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp is a region dump; memory/<pid>-<seq>-<address>-mapping.dmp records a single address):
- memory/1488-74-0x0000000000000000-mapping.dmp
- memory/1676-54-0x0000000000D70000-0x0000000000DE4000-memory.dmp (464KB)
- memory/1676-55-0x0000000075761000-0x0000000075763000-memory.dmp (8KB)
- memory/1676-56-0x0000000000520000-0x0000000000530000-memory.dmp (64KB)
- memory/1676-57-0x00000000041F0000-0x000000000424E000-memory.dmp (376KB)
- memory/1676-58-0x0000000000BF0000-0x0000000000C28000-memory.dmp (224KB)
- memory/1700-72-0x0000000000000000-mapping.dmp
- memory/2016-59-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/2016-60-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/2016-62-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/2016-63-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/2016-65-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/2016-66-0x000000000041E792-mapping.dmp
- memory/2016-68-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/2016-70-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/2016-76-0x0000000000440000-0x000000000044A000-memory.dmp (40KB)
- memory/2016-77-0x0000000000450000-0x000000000046E000-memory.dmp (120KB)
- memory/2016-78-0x0000000000470000-0x000000000047A000-memory.dmp (40KB)
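The dump list is more useful once the names are parsed: every memory.dmp entry is one region of one PID at one snapshot, and the mapping.dmp entries record a single address (0x41E792 for PID 2016, 0x0 for the two schtasks.exe processes). The Python below is an added example written for this page, not Triage tooling. It rebuilds the region table from the file names, recomputes the sizes the report rounds to KB, and applies a heuristic of ours for process hollowing: the region in PID 2016 that contains the mapped address (0x400000-0x438000, 224KB) is exactly the size of the 0xBF0000-0xC28000 region dumped from PID 1676, the process that called SetThreadContext and WriteProcessMemory on it. Equal size alone is not proof that one is the source buffer of the other; confirming it means diffing the two dumps, which the sizes in this report are consistent with but do not settle.

```python
import re
from collections import defaultdict

# Dump names copied from the Downloads list above.
DUMPS = [
    "memory/1488-74-0x0000000000000000-mapping.dmp",
    "memory/1676-54-0x0000000000D70000-0x0000000000DE4000-memory.dmp",
    "memory/1676-55-0x0000000075761000-0x0000000075763000-memory.dmp",
    "memory/1676-56-0x0000000000520000-0x0000000000530000-memory.dmp",
    "memory/1676-57-0x00000000041F0000-0x000000000424E000-memory.dmp",
    "memory/1676-58-0x0000000000BF0000-0x0000000000C28000-memory.dmp",
    "memory/1700-72-0x0000000000000000-mapping.dmp",
    "memory/2016-59-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2016-60-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2016-62-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2016-63-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2016-65-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2016-66-0x000000000041E792-mapping.dmp",
    "memory/2016-68-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2016-70-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2016-76-0x0000000000440000-0x000000000044A000-memory.dmp",
    "memory/2016-77-0x0000000000450000-0x000000000046E000-memory.dmp",
    "memory/2016-78-0x0000000000470000-0x000000000047A000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)(?:-0x([0-9a-f]+))?-(memory|mapping)\.dmp$", re.I)


def parse_dump(name):
    """Split a dump file name into pid, sequence number, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return {"pid": int(pid), "seq": int(seq), "kind": kind.lower(),
            "start": int(start, 16), "end": int(end, 16) if end else None}


def size_kb(start, end):
    """Region size in whole KB, the unit the report uses."""
    return (end - start) // 1024


def regions_by_pid(names):
    """pid -> list of (start, end) for every region dump (one entry per snapshot)."""
    out = defaultdict(list)
    for d in map(parse_dump, names):
        if d["kind"] == "memory":
            out[d["pid"]].append((d["start"], d["end"]))
    return out


def mapping_addresses(names):
    """pid -> addresses recorded in *-mapping.dmp entries (0x0 where none was recorded)."""
    out = defaultdict(list)
    for d in map(parse_dump, names):
        if d["kind"] == "mapping":
            out[d["pid"]].append(d["start"])
    return out


def find_hollowed_regions(names, injector_pid, target_pid):
    """Heuristic: a region in the target that contains its mapping address and is
    exactly as large as some region dumped from the injector. Returns a list of
    ((target_start, target_end), [(injector_start, injector_end), ...])."""
    regions, mappings = regions_by_pid(names), mapping_addresses(names)
    injector_regions = regions.get(injector_pid, [])
    results = []
    for start, end in sorted(set(regions.get(target_pid, []))):
        if not any(start <= addr < end for addr in mappings.get(target_pid, [])):
            continue
        same_size = sorted({(s, e) for s, e in injector_regions if e - s == end - start})
        if same_size:
            results.append(((start, end), same_size))
    return results


if __name__ == "__main__":
    for (s, e), matches in find_hollowed_regions(DUMPS, 1676, 2016):
        print(f"PID 2016 {s:#x}-{e:#x} ({size_kb(s, e)} KB) matches PID 1676 regions:",
              ", ".join(f"{a:#x}-{b:#x}" for a, b in matches))
```

Running the heuristic in the other direction (treating PID 2016 as the injector) returns nothing, because PID 1676 has no mapping address, which is the expected shape for the parent of a hollowed child. The seven snapshots of the same 0x400000-0x438000 region in PID 2016 are the dumps to compare against each other when checking how the payload changes between WriteProcessMemory calls.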