Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26/11/2022, 23:45
Static task: static1
Behavioral task: behavioral1
- Sample: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- Resource: win10v2004-20220812-en
General
- Target: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
- Size: 880KB
- MD5: 168a2c2ce1f613b4d70619fa695e6b78
- SHA1: f10cb10f36c98dac6f41b5012acd976f281e7d90
- SHA256: 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322
- SHA512: bf8fbc62652dceea06973402178dbd081eedc394cd591874670c60563bb1d8f1d0710101c2784b21aa2a37eb6b6214fe06624e98ad94ce165abdc1bc4888da98
- SSDEEP: 12288:sZhUf7LXHxRqPRR1cI/lMb5QWS/DWQt28QQwyp0dewzuJ/zg/EukKAFGnyTz4+Du:skLXHjqPV+Fqt28wvTaYERKAFSMiP
Malware Config
Extracted
- family: nanocore
- version: 1.2.1.1
- c2: mcsoft.noip.me:1122, r0c.ddns.net:1122
- mutex: 0f01c8f8-e5b8-4d3f-85f7-c9b862c3088b
- activate_away_mode: true
- backup_connection_host: r0c.ddns.net
- backup_dns_server:
- buffer_size: 65535
- build_time: 2014-09-10T18:22:22.056357136Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1122
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0f01c8f8-e5b8-4d3f-85f7-c9b862c3088b
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: mcsoft.noip.me
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.1.1
- wan_timeout: 8000
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\amptask.exe" | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe

Executes dropped EXE (2 IoCs)
  pid | process
  1296 | Pop4.exe
  1472 | notepad .exe

Drops startup file (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pop4.exe | Pop4.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amptask.exe | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\amptask.exe | cmd.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pop4.exe | Pop4.exe

Loads dropped DLL (2 IoCs)
  pid | process
  2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
  2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | notepad .exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pop = "C:\\Users\\Admin\\AppData\\Roaming\\Pop_Ads\\My\\1.0.0.0\\Pop4.exe" | Pop4.exe

Checks whether UAC is enabled
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad .exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | procid_target
  PID 2016 set thread context of 1472 | 2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe | 30

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | notepad .exe
  File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | notepad .exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
  pid | process
  1944 | timeout.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | process
  2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
  2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
  1472 | notepad .exe
  1472 | notepad .exe
  2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1472 | notepad .exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
  Token: SeDebugPrivilege | 1472 | notepad .exe

Suspicious use of WriteProcessMemory (33 IoCs; identical entries grouped, count in parentheses)
  description | pid | process | procid_target
  PID 2016 wrote to memory of 1296 | 2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe | 27 (4 entries)
  PID 2016 wrote to memory of 1756 | 2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe | 28 (4 entries)
  PID 2016 wrote to memory of 1472 | 2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe | 30 (9 entries)
  PID 1756 wrote to memory of 1100 | 1756 | cmd.exe | 31 (4 entries)
  PID 1100 wrote to memory of 1276 | 1100 | wscript.exe | 32 (4 entries)
  PID 2016 wrote to memory of 808 | 2016 | 96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe | 34 (4 entries)
  PID 808 wrote to memory of 1944 | 808 | cmd.exe | 36 (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\96b39ed0e1d194c901c52781a2cfc872751f072d77c88732ff34a5806f7d0322.exe"
  PID: 2016
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Pop4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Pop4.exe"
    PID: 1296
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c C:\Users\Admin\AppData\Roaming\Windows\mata.bat
    PID: 1756
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\wscript.exe
      command line: wscript.exe "C:\Users\Admin\AppData\Roaming\Windows\invs.vbs" "C:\Users\Admin\AppData\Roaming\Windows\mata2.bat
      PID: 1100
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Windows\mata2.bat" "
        PID: 1276
        - Drops startup file

  C:\Users\Admin\AppData\Roaming\notepad .exe
    command line: "C:\Users\Admin\AppData\Roaming\notepad .exe"
    PID: 1472
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Windows\notepad.bat" "
    PID: 808
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      command line: timeout /t 300
      PID: 1944
      - Delays execution with timeout.exe