Analysis

  • max time kernel
    153s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/11/2022, 00:36

General

  • Target

    be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

  • Size

    2.1MB

  • MD5

    3329f833ac31ac3878721f49e181393d

  • SHA1

    47b79d529e61c1b41c27a53b9c0e886a6f50a1df

  • SHA256

    be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc

  • SHA512

    29d2bb7cd8fcbd22dd6116ca3a75396bd045e9ad5b38cf3a699d4cdb0597e4b86af82662c11dbc8e0c266258fa648ac26768f111cc865f062e989c3055e5c95f

  • SSDEEP

    24576:ptKb3axCoJgKuA0p1kXH2YNRRWH15ZYSR3T1i2UsDHMZWlZUgbVi0TD5mYbt7E:E3eCauJEN+nZYSp1i2UsQKZUaiqUCx

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

businessdb04.no-ip.biz:9400

businessdb02.noip.me:9400

Mutex

c31c026e-c64b-4780-aa3d-297739f57e00

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    businessdb02.noip.me

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2014-11-14T21:30:41.201157736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    9400

  • default_group

    USA

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    c31c026e-c64b-4780-aa3d-297739f57e00

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    businessdb04.no-ip.biz

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.1.1

  • wan_timeout

    8000

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
    "C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:280
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1532
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:564
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\windows.exe" /f
            5⤵
            • Modifies WinLogon for persistence
            PID:240
    • C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
      C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 300
        3⤵
        • Delays execution with timeout.exe
        PID:1712

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

    Filesize

    78B

    MD5

    c578d9653b22800c3eb6b6a51219bbb8

    SHA1

    a97aa251901bbe179a48dbc7a0c1872e163b1f2d

    SHA256

    20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

    SHA512

    3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

  • C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

    Filesize

    70B

    MD5

    23f72401196919748c14cb64c1d55c3b

    SHA1

    869e3809cb4391e6f5aee5349a871e40a1e1fb22

    SHA256

    d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

    SHA512

    2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

  • C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

    Filesize

    270B

    MD5

    fb61fb483ef4e9b18561f9d73e1aa135

    SHA1

    0c33b58761fc24453ef6a249503cc493fc22b2ca

    SHA256

    3db85f877de10a4640f53f29495c7f9783a2497555d627015bd05450a19535a7

    SHA512

    65c872e06132b527646e1755129d56168042192e278066adbf093649e76566adb9e4e986fad24d8677edc6c533164373f60776dbc2bbf140481ad9ed31d2860b

  • C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat

    Filesize

    212B

    MD5

    b0e98b341bbc605009d9c223f94f253e

    SHA1

    91676ce4fa39752102918ef62badd8dc4e7d88fc

    SHA256

    da455367db63e08fb4ea20c2a0688b5f88a9e5b9db331b2183967c1c48420042

    SHA512

    0e97f3ca37a9dde0b18e75ae36edac7ebccc5b73aafc16f2e53f9b811d184de0ff9857e628f90df727822e42e694fde452e30c25fa3117b5eaab64897a89e055

  • C:\Users\Admin\AppData\Local\Temp\FolderName\windows.exe

    Filesize

    2.1MB

    MD5

    3329f833ac31ac3878721f49e181393d

    SHA1

    47b79d529e61c1b41c27a53b9c0e886a6f50a1df

    SHA256

    be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc

    SHA512

    29d2bb7cd8fcbd22dd6116ca3a75396bd045e9ad5b38cf3a699d4cdb0597e4b86af82662c11dbc8e0c266258fa648ac26768f111cc865f062e989c3055e5c95f

  • memory/1600-61-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1600-67-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1600-69-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1600-72-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/1600-64-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1600-62-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1600-84-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/1600-59-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1600-58-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2028-78-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2028-55-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2028-83-0x0000000074260000-0x000000007480B000-memory.dmp

    Filesize

    5.7MB

  • memory/2028-54-0x0000000075561000-0x0000000075563000-memory.dmp

    Filesize

    8KB