Analysis

max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2022 16:20

Static task: static1
Behavioral task: behavioral1
Sample: 46f93ddbac62282be9a1c50c45fc47af.exe
Resource: win7-20220901-en

General

Target: 46f93ddbac62282be9a1c50c45fc47af.exe
Size: 880KB
MD5: 46f93ddbac62282be9a1c50c45fc47af
SHA1: fd33afba3b59b797a44916b55f5edc66b4550679
SHA256: 4a006f30188cebe843f8f979bbb0bd3c1808bb8bc46f9e2dbbec566d1e0e9e6b
SHA512: 89ea18de5c201acd10b0256733671ccdab52c9d9c7f0c6d0e635a2a08bffac95501b77739edeaa71a2b08d39b149661cc4cf268b67ee0edeb617caa84d7c6e5c
SSDEEP: 12288:58eSvB7/el8Z5GW8mnMBtZIHEDmpuWqV1bCBW5twGw9/:5M1eOWt+kDOub1GBW5twt9/
Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: rolandlandson149.bounceme.net:1007, 127.0.0.1:1007

Attributes:
  activate_away_mode: true
  backup_connection_host: 127.0.0.1
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2022-06-13T20:58:05.824762936Z
  bypass_user_account_control: false
  bypass_user_account_control_data: (value not present on the page)
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 1007
  default_group: sepTmAn
  enable_debug_mode: true
  gc_threshold: 1.048576e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07
  mutex: 48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: rolandlandson149.bounceme.net
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Signatures

Adds Run key to start application ⋅ 2 TTPs 1 IoC
  Process: 46f93ddbac62282be9a1c50c45fc47af.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"
Checks whether UAC is enabled ⋅ 1 IoC
  Process: 46f93ddbac62282be9a1c50c45fc47af.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of SetThreadContext ⋅ 1 IoC
  PID 4308 (46f93ddbac62282be9a1c50c45fc47af.exe) set thread context of PID 2172 (46f93ddbac62282be9a1c50c45fc47af.exe)

Drops file in Program Files directory ⋅ 2 IoCs
  Process: 46f93ddbac62282be9a1c50c45fc47af.exe
  File created: C:\Program Files (x86)\AGP Monitor\agpmon.exe
  File opened for modification: C:\Program Files (x86)\AGP Monitor\agpmon.exe

Creates scheduled task(s) ⋅ 1 TTP 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3468 schtasks.exe
  PID 3756 schtasks.exe

Suspicious behavior: EnumeratesProcesses ⋅ 3 IoCs
  PID 2172 46f93ddbac62282be9a1c50c45fc47af.exe (3 occurrences)

Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoC
  PID 2172 46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of AdjustPrivilegeToken ⋅ 1 IoC
  Token: SeDebugPrivilege, PID 2172 46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of WriteProcessMemory ⋅ 14 IoCs
  PID 4308 (46f93ddbac62282be9a1c50c45fc47af.exe) wrote to memory of PID 2172 (46f93ddbac62282be9a1c50c45fc47af.exe) (8 occurrences)
  PID 2172 (46f93ddbac62282be9a1c50c45fc47af.exe) wrote to memory of PID 3468 (schtasks.exe) (3 occurrences)
  PID 2172 (46f93ddbac62282be9a1c50c45fc47af.exe) wrote to memory of PID 3756 (schtasks.exe) (3 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe (PID 4308)
  Command line: "C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe (PID 2172)
      Command line: "C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"
      Signatures: Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp200B.tmp"
          Signatures: Creates scheduled task(s)
        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2164.tmp"
          Signatures: Creates scheduled task(s)