Analysis
- max time kernel: 137s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:21

Static task: static1
Behavioral task: behavioral1
Sample: Z2OO7PDS.exe
Resource: win7-20220414-en
General
- Target: Z2OO7PDS.exe
- Size: 442KB
- MD5: ba83069cf373373d35a107ac5d8b4da9
- SHA1: 8f1ccfccd2e9f2e3b4652bdf3b385d69c4f57c7d
- SHA256: 82c3dd9e4b7e58fba6607bd562d4a80bc2c30f329bd7e7a5be3f40398b45caf1
- SHA512: b7d15454c882410ef178d8bc20ca747597a128234dc4bbfd92826b0b895bd4279a123d2f315aa107728f48ab41c54169136922cafca2616d3ad8c9d047fc5e5c
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.84.181.89:9083, godrich.duckdns.org:9083
- Mutex: 1279205d-f778-4dea-87c3-5b0f16201404

Configuration fields:
- activate_away_mode: true
- backup_connection_host: godrich.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65556
- build_time: 2020-05-17T06:02:33.528877536Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9083
- default_group: Sales
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 1279205d-f778-4dea-87c3-5b0f16201404
- mutex_timeout: 5006
- prevent_system_sleep: false
- primary_connection_host: 185.84.181.89
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5012
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
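The extracted configuration above is printed as untyped "key / value" pairs, with integers rendered as floats (1.048576e+07) and the DNS fields present whether or not they are in use. The following is an added editorial example, not code from the sandbox or from NanoCore: it parses a dump in that layout into typed values and derives the indicators a responder would actually act on. The dump text embedded in the block is constructed from the report (a subset of the keys in the same layout), and the interpretation of set_critical_process as marking the process critical via RtlSetProcessIsCritical is our assumption about this build, not something the report states.

```python
"""Parse a NanoCore config dump (sandbox "- key / value" layout) into typed values
and derive IoCs. Added editorial example; not sandbox or NanoCore code."""
import re

# Constructed subset of the report's extracted config, in the page's "-\nkey\nvalue" layout.
CONFIG_DUMP = """
-
activate_away_mode
true
-
backup_connection_host
godrich.duckdns.org
-
backup_dns_server
8.8.4.4
-
connection_port
9083
-
gc_threshold
1.048576e+07
-
mutex
1279205d-f778-4dea-87c3-5b0f16201404
-
primary_connection_host
185.84.181.89
-
primary_dns_server
8.8.8.8
-
set_critical_process
true
-
use_custom_dns_server
false
-
version
1.2.2.0
"""

VERSION_RE = re.compile(r"^\d+(\.\d+){2,}$")  # dotted versions and IPv4 stay strings
NUMBER_RE = re.compile(r"^-?\d+(\.\d+)?([eE][+-]?\d+)?$")


def _coerce(raw: str):
    """bool for true/false, int for whole numbers (the dump prints 10485760 as
    1.048576e+07), float otherwise, and str for everything else."""
    if raw in ("true", "false"):
        return raw == "true"
    if VERSION_RE.match(raw):
        return raw
    if NUMBER_RE.match(raw):
        value = float(raw)
        return int(value) if value.is_integer() else value
    return raw


def parse_config(dump: str) -> dict:
    """Each record is a '-' line, then the key line, then the value line."""
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    config = {}
    for i, line in enumerate(lines):
        if line == "-" and i + 2 < len(lines):
            config[lines[i + 1]] = _coerce(lines[i + 2])
    return config


def derive_iocs(config: dict) -> dict:
    """Network IoCs are host:port for the primary and backup C2. The DNS server
    fields only matter when use_custom_dns_server is true; for this sample it is
    false, so 8.8.8.8 / 8.8.4.4 are defaults and are deliberately not emitted."""
    port = config["connection_port"]
    c2 = {(config[k], port)
          for k in ("primary_connection_host", "backup_connection_host") if config.get(k)}
    dns = set()
    if config.get("use_custom_dns_server"):
        dns = {config[k] for k in ("primary_dns_server", "backup_dns_server") if config.get(k)}
    notes = []
    if config.get("set_critical_process"):
        # Assumption about this build: the flag marks the RAT process critical
        # (RtlSetProcessIsCritical), so killing it bugchecks the host. Suspend, dump,
        # then clear the flag or reboot instead of terminating it outright.
        notes.append("set_critical_process is true: do not kill the process blindly")
    return {"c2": c2, "dns": dns, "mutex": config.get("mutex"),
            "version": config.get("version"), "notes": notes}


if __name__ == "__main__":
    for key, value in derive_iocs(parse_config(CONFIG_DUMP)).items():
        print(f"{key}: {value}")
```

Feeding the full dump from the report through parse_config gives the same typed result for every field; the mutex GUID also doubles as a host IoC, since NanoCore uses it to detect an existing instance.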
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Process: Z2OO7PDS.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe"

Checks whether UAC is enabled
Processes:
  Process: Z2OO7PDS.exe
  Description: Key value queried
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 4828 (Z2OO7PDS.exe) set thread context of PID 4876 (Z2OO7PDS.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
  File created: C:\Program Files (x86)\WPA Service\wpasv.exe (Z2OO7PDS.exe)
  File opened for modification: C:\Program Files (x86)\WPA Service\wpasv.exe (Z2OO7PDS.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 2576 schtasks.exe
  PID 4924 schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  PID 4828 Z2OO7PDS.exe (3 times)
  PID 4876 Z2OO7PDS.exe (3 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 4876 Z2OO7PDS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 4828 Z2OO7PDS.exe
  Token: SeDebugPrivilege, PID 4876 Z2OO7PDS.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  PID 4828 (Z2OO7PDS.exe) wrote to memory of PID 4876 (Z2OO7PDS.exe), 8 times
  PID 4876 (Z2OO7PDS.exe) wrote to memory of PID 2576 (schtasks.exe), 3 times
  PID 4876 (Z2OO7PDS.exe) wrote to memory of PID 4924 (schtasks.exe), 3 times
Processes (bracketed number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp"
      - Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBA0A.tmp"
      - Creates scheduled task(s)
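The signatures and the process tree together describe three behaviours worth turning into detections: a Temp-resident binary writing a Run key, schtasks.exe being handed a task XML from the user's Temp directory, and a parent that writes into and sets the thread context of a child running its own image (the hollowing pattern behind the SetThreadContext and WriteProcessMemory signatures). The block below is an added editorial example, not sandbox code: it runs those three rules over event records constructed to mirror the report's PIDs, paths and command lines, plus two benign control events. The field names (type, pid, ppid, image, cmdline, target_pid, key, data) are our own simplified schema, not Sysmon's or the sandbox's, and the ATT&CK technique IDs in the rule names are the editor's mapping.

```python
"""Three hunt rules for the behaviours in the report, run over constructed events.
Added editorial example; the event schema is our own simplification."""
import re
from collections import defaultdict

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r"/create\b.*?/xml\s+\"?([^\"]+)", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed events mirroring the report (PIDs 4828/4876/2576/4924); the parent PID
# 3720 and the two 9000-series benign controls are invented for the example.
EVENTS = [
    {"type": "process_create", "pid": 4828, "ppid": 3720, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 4876, "ppid": 4828, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "write_process_memory", "pid": 4828, "target_pid": 4876},
    {"type": "set_thread_context", "pid": 4828, "target_pid": 4876},
    {"type": "registry_set", "pid": 4876,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service",
     "data": r"C:\Program Files (x86)\WPA Service\wpasv.exe"},
    {"type": "process_create", "pid": 2576, "ppid": 4876, "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp"'},
    {"type": "process_create", "pid": 4924, "ppid": 4876, "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBA0A.tmp"'},
    # Benign controls: an admin importing a task from ProgramData, and an installer
    # under Program Files registering its own Run key. Neither should fire.
    {"type": "process_create", "pid": 9000, "ppid": 500, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'},
    {"type": "process_create", "pid": 9001, "ppid": 500, "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": "setup.exe /S"},
    {"type": "registry_set", "pid": 9001,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "data": r"C:\Program Files\Vendor\agent.exe"},
]


def hunt(events):
    """Return (rule, pid) findings in the order the evidence completes."""
    image_of, parent_of = {}, {}
    touched = defaultdict(set)  # (source pid, target pid) -> APIs used on the target
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            image_of[ev["pid"]] = ev["image"]
            parent_of[ev["pid"]] = ev["ppid"]
            xml = SCHTASKS_XML_RE.search(ev["cmdline"])
            # Rule 2: schtasks /create fed a task definition out of %TEMP%.
            if ev["image"].lower().endswith("\\schtasks.exe") and xml and TEMP_DIR_RE.search(xml.group(1)):
                findings.append(("T1053.005 schtasks_xml_from_temp", ev["pid"]))
        elif kind in ("write_process_memory", "set_thread_context"):
            touched[(ev["pid"], ev["target_pid"])].add(kind)
        elif kind == "registry_set":
            # Rule 1: Run key written by a process whose image lives in %TEMP%.
            if RUN_KEY_RE.search(ev["key"]) and TEMP_DIR_RE.search(image_of.get(ev["pid"], "")):
                findings.append(("T1547.001 run_key_from_temp", ev["pid"]))
    # Rule 3: parent wrote memory into AND set thread context of its own child
    # running the same image, i.e. hollowing a fresh copy of itself.
    for (src, dst), apis in touched.items():
        same_image = image_of.get(src, "").lower() == image_of.get(dst, "").lower()
        if {"write_process_memory", "set_thread_context"} <= apis and parent_of.get(dst) == src and same_image:
            findings.append(("T1055.012 self_hollowing", src))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule}: pid {pid}")
```

The same-image condition in rule 3 reflects this sample, which relaunches its own executable and hollows it; a loader that targets a different host binary would need that condition relaxed to "child spawned suspended by the writer", at the cost of more noise. Rule 2 keys on the XML path rather than the task name because the names ("WPA Service", "WPA Service Task") are trivially changed between builds.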
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp
  Filesize: 1KB
  MD5: 57d030974b893acde94283816b5c18d4
  SHA1: 2da210248ccdfeed7f64f6eed90e399be4a46e24
  SHA256: f734ec317c0d58b4bd332dc4fd8ec671494355133424aa269d0cc0fbde983a44
  SHA512: 8030525f3dd8aafb027ee5d5e39f1894629bd8f777d977b5f57934298dafbea2122db47304dfdb273eb47a87024dd03e1f0dde7e02b8bf2fc360b4816b77f6df
- C:\Users\Admin\AppData\Local\Temp\tmpBA0A.tmp
  Filesize: 1KB
  MD5: 21de6c3a6440d917bdbb4b491191d9b2
  SHA1: c63c300affe7147910dc4544d2d5f3029bf321a6
  SHA256: 23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4
  SHA512: dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f
- memory/2576-137-0x0000000000000000-mapping.dmp
- memory/4828-130-0x0000000000550000-0x00000000005C4000-memory.dmp
  Filesize: 464KB
- memory/4828-131-0x0000000005550000-0x0000000005AF4000-memory.dmp
  Filesize: 5.6MB
- memory/4828-132-0x0000000005040000-0x00000000050D2000-memory.dmp
  Filesize: 584KB
- memory/4828-133-0x0000000004F70000-0x0000000004F7A000-memory.dmp
  Filesize: 40KB
- memory/4828-134-0x0000000007C90000-0x0000000007D2C000-memory.dmp
  Filesize: 624KB
- memory/4876-135-0x0000000000000000-mapping.dmp
- memory/4876-136-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/4924-139-0x0000000000000000-mapping.dmp