Analysis
- max time kernel: 69s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/11/2022, 06:46
Static task: static1
Behavioral task: behavioral1
- Sample: 9c8b27cd0131c5451b869eebce9518bf.exe
- Resource: win7-20221111-en
General
- Target: 9c8b27cd0131c5451b869eebce9518bf.exe
- Size: 7KB
- MD5: 9c8b27cd0131c5451b869eebce9518bf
- SHA1: 860890fd1df703774615faca15ee9102405f16bb
- SHA256: 9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea
- SHA512: 82f7d7fff8cf29af2f6230daa258d48d206cc8ad4c6efdc90cf4b01ed3b0bf1f892230faa01a3e7bbb9fcc853a59d2641179338f61a759b0a289c4f9935635f1
- SSDEEP: 96:daIzZKMDduv8msmvlIiLrTXTWBkYPe2OpDOlk23v9zNt:daw0xvXsmKiLrykY22OpDOe23
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: maxlogs.webhop.me:1620
- Mutex: 9d764268-05c2-4a8e-8c39-b4db356d4640

Attributes
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-05-29T07:34:04.203922136Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1620
- default_group: x
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 9d764268-05c2-4a8e-8c39-b4db356d4640
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: maxlogs.webhop.me
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"; Process: MSBuild.exe
- Suspicious use of SetThreadContext (1 IoC)
  - description: PID 2112 set thread context of 540; pid: 2112; Process: 9c8b27cd0131c5451b869eebce9518bf.exe; procid_target: 80
- Drops file in Program Files directory (2 IoCs)
  - description: File created; ioc: C:\Program Files (x86)\AGP Monitor\agpmon.exe; Process: MSBuild.exe
  - description: File opened for modification; ioc: C:\Program Files (x86)\AGP Monitor\agpmon.exe; Process: MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  - pid: 2112; Process: 9c8b27cd0131c5451b869eebce9518bf.exe
  - pid: 540; Process: MSBuild.exe (6 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid: 540; Process: MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - description: Token: SeDebugPrivilege; pid: 2112; Process: 9c8b27cd0131c5451b869eebce9518bf.exe
  - description: Token: SeDebugPrivilege; pid: 540; Process: MSBuild.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  - description: PID 2112 wrote to memory of 540; pid: 2112; Process: 9c8b27cd0131c5451b869eebce9518bf.exe; procid_target: 80 (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"
  PID: 2112
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, child of the process above)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    PID: 540
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken