Analysis Overview
SHA256
6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d
Threat Level: Known bad
The file 6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
NanoCore
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-27 00:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-27 00:05
Reported
2022-11-27 17:46
Platform
win7-20221111-en
Max time kernel
164s
Max time network
92s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9oNqwXA0uhYSdCD3\\fwJRU0yK4uB3.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 468 | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe
"C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe"
C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe
"C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe"
C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe
"C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
Files
memory/1724-54-0x0000000075A91000-0x0000000075A93000-memory.dmp
memory/1724-55-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1724-56-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/468-57-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-58-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-64-0x000000000041EDAE-mapping.dmp
memory/468-68-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-66-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-70-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1724-71-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/468-72-0x0000000074110000-0x00000000746BB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-27 00:05
Reported
2022-11-27 17:45
Platform
win10v2004-20220812-en
Max time kernel
172s
Max time network
174s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9oNqwXA0uhYSdCD3\\xm8ePVAjEwOT.exe\",explorer.exe" | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
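Both detonations show the same persistence trick: the per-user Winlogon\Shell value (HKCU, so no admin rights are needed; ATT&CK T1547.004) is rewritten to a comma-separated list whose first entry is the staged copy under AppData\Roaming and whose second entry is the stock explorer.exe, so the desktop still comes up normally. The staging directory 9oNqwXA0uhYSdCD3 is identical in the win7 and win10 runs while the file name changes (fwJRU0yK4uB3.exe vs xm8ePVAjEwOT.exe), which makes the directory the more useful indicator of the two for this build. The helper below is an added Python example, not code from the sandbox or the sample: it decodes the JSON-escaped data shown in the Indicator column, splits the Shell value the way Winlogon does (quoted entries, comma separators), flags anything other than explorer.exe, and builds the reg.exe line that removes the per-user override. The user-writable path markers and the allow-list are assumptions of this example, not something the report states.

```python
"""Winlogon\\Shell persistence check (added example; not sandbox or sample code)."""
import json
import re

DEFAULT_SHELL = "explorer.exe"

# Indicator strings copied verbatim from the two detonations (win7, then win10).
INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9oNqwXA0uhYSdCD3\\fwJRU0yK4uB3.exe\",explorer.exe"',
    r'\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9oNqwXA0uhYSdCD3\\xm8ePVAjEwOT.exe\",explorer.exe"',
]

# Locations a standard user can write to; an autostart from here needs no
# admin rights. Illustrative list (assumption), extend for your estate.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


def split_shell_list(data):
    """Split a Shell value into program entries.

    Winlogon treats the data as a comma-separated list of programs to start
    at logon; an entry may be double-quoted so a path with spaces or commas
    stays intact, so the split honours quotes and then drops them.
    """
    entries, current, quoted = [], [], False
    for ch in data:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            entries.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    entries.append("".join(current).strip())
    return [e for e in entries if e]


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def analyze_indicator(indicator):
    """Decode one 'Set value (str)' indicator and classify the Shell entries."""
    key, _, raw = indicator.partition(" = ")
    data = json.loads(raw)  # the report renders the REG_SZ data as a JSON string literal
    sid = re.search(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\", key)
    entries = split_shell_list(data)
    unexpected = [e for e in entries if e.lower() != DEFAULT_SHELL]
    return {
        "sid": sid.group(1) if sid else None,
        "entries": entries,
        "unexpected": unexpected,
        "user_writable": [e for e in unexpected if is_user_writable(e)],
        "staging_dirs": sorted({e.rsplit("\\", 1)[0] for e in unexpected if "\\" in e}),
        "verdict": "suspicious" if unexpected else "clean",
    }


def removal_command(sid):
    """reg.exe line that drops the per-user override so the HKLM default applies again."""
    return (f'reg delete "HKU\\{sid}\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" '
            f"/v Shell /f")


if __name__ == "__main__":
    for ind in INDICATORS:
        r = analyze_indicator(ind)
        print(r["verdict"], r["sid"], r["unexpected"], r["staging_dirs"])
        if r["unexpected"]:
            print("  cleanup:", removal_command(r["sid"]))
```

Removing only the registry value is not enough on its own: the staged executable in the 9oNqwXA0uhYSdCD3 directory and the original dropper in Temp still need to go, and the same SID-keyed path should be checked for Userinit as well, since the report only shows Shell being touched.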
NanoCore
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3592 set thread context of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe | N/A |
Suspicious use of WriteProcessMemory
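Taken together, the SetThreadContext rows (PID 1724 -> 468 on win7, PID 3592 -> 1744 on win10), the WriteProcessMemory signature, and the fact that the parent and the target run the same image are the usual shape of process hollowing (RunPE): a loader starts a second copy of itself suspended, overwrites that copy's memory with the real payload, points the main thread at the new entry point, and resumes it. The correlation below is an added Python example, not sandbox code. The report does not publish its raw API trace, so the event list is constructed: the call names, the CREATE_SUSPENDED flag, addresses and sizes are assumptions chosen to match the signatures, and the 0x41EDAE value is borrowed from the 468-64 mapping dump name above without this page saying what it represents.

```python
"""Process-hollowing correlation over a per-process API event stream.

Added example; not sandbox or sample code. SAMPLE_EVENTS is constructed to
mirror the report's signatures; the real trace format and the exact calls
the sample made are not shown on the page.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Which stage of the hollowing chain each API belongs to.
API_STAGE = {
    "CreateProcessW": "create", "CreateProcessA": "create", "NtCreateUserProcess": "create",
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "context", "NtSetContextThread": "context", "Wow64SetThreadContext": "context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}
CHAIN = ["create", "write", "context", "resume"]  # required order

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe"

# Constructed trace (assumption): PID 1724 is the first instance, 468 the copy it hollows.
SAMPLE_EVENTS = [
    {"pid": 1724, "api": "CreateProcessW", "target": 468, "image": SAMPLE_IMAGE, "flags": CREATE_SUSPENDED},
    {"pid": 1724, "api": "NtUnmapViewOfSection", "target": 468},                # informational only
    {"pid": 1724, "api": "VirtualAllocEx", "target": 468, "addr": 0x400000, "size": 0x38000},
    {"pid": 1724, "api": "WriteProcessMemory", "target": 468, "addr": 0x400000, "size": 0x400},
    {"pid": 1724, "api": "WriteProcessMemory", "target": 468, "addr": 0x401000, "size": 0x1D000},
    {"pid": 1724, "api": "SetThreadContext", "target": 468, "eip": 0x41EDAE},  # value from dump name; role assumed
    {"pid": 1724, "api": "ResumeThread", "target": 468},
    # Noise that must not trigger: an ordinary child start plus an unrelated write.
    {"pid": 900, "api": "CreateProcessW", "target": 901, "image": r"C:\Windows\System32\cmd.exe", "flags": 0},
    {"pid": 900, "api": "WriteProcessMemory", "target": 901, "addr": 0x7FF000, "size": 0x10},
    {"pid": 900, "api": "ResumeThread", "target": 901},
]
# Image path of each acting process (assumption).
SAMPLE_IMAGES = {1724: SAMPLE_IMAGE, 900: r"C:\Windows\explorer.exe"}


def is_subsequence(needle, haystack):
    """True if every element of needle appears in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(x in it for x in needle)


def hollowing_candidates(events, images):
    """Return {(injector_pid, victim_pid): details} for every pair that went
    through create-suspended, write, set-context and resume, in that order."""
    pairs = defaultdict(lambda: {"stages": [], "bytes_written": 0,
                                 "lowest_write": None, "same_image": False, "new_eip": None})
    for ev in events:
        stage = API_STAGE.get(ev["api"])
        target = ev.get("target")
        if stage is None or target is None or target == ev["pid"]:
            continue
        if stage == "create" and not (ev.get("flags", 0) & CREATE_SUSPENDED):
            continue  # an ordinary child start never opens a hollowing chain
        rec = pairs[(ev["pid"], target)]
        rec["stages"].append(stage)
        if stage == "create":
            rec["same_image"] = images.get(ev["pid"]) == ev.get("image")
        elif stage == "write":
            rec["bytes_written"] += ev.get("size", 0)
            addr = ev.get("addr")
            if addr is not None and (rec["lowest_write"] is None or addr < rec["lowest_write"]):
                rec["lowest_write"] = addr
        elif stage == "context":
            rec["new_eip"] = ev.get("eip", rec["new_eip"])
    return {pair: rec for pair, rec in pairs.items() if is_subsequence(CHAIN, rec["stages"])}


def describe(pair, rec):
    kind = "self-hollowing (child runs the injector's own image)" if rec["same_image"] else "process hollowing"
    eip = f", thread context now at 0x{rec['new_eip']:X}" if rec["new_eip"] is not None else ""
    return (f"PID {pair[0]} -> PID {pair[1]}: {kind}; {rec['bytes_written']:#x} bytes written "
            f"from 0x{rec['lowest_write']:X}{eip}")


if __name__ == "__main__":
    for pair, rec in hollowing_candidates(SAMPLE_EVENTS, SAMPLE_IMAGES).items():
        print(describe(pair, rec))
```

The ordering check is what keeps this from firing on debuggers and on instrumentation that calls SetThreadContext without ever writing a PE image first; the same-image test is what separates the self-spawning loader seen here from injection into a system binary, which would show a different target path in the Target column.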
Processes
C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe
"C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe"
C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe
"C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe"
C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe
"C:\Users\Admin\AppData\Local\Temp\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 13.69.239.73:443 | | tcp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
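The network evidence in both detonations (the two rows under behavioral1 and the longer table here) is dominated by repeated lookups of euroano.ddns.net and euroano2.ddns.net, a primary and fallback C2 host on a free dynamic-DNS zone, which is typical NanoCore configuration; the repeats are the client retrying. The single 226.101.242.52.in-addr.arpa query is a reverse lookup of 52.242.101.226; the report does not say whether that address is what one of the ddns.net names resolved to. The TCP rows without a domain are not attributed by the report and should be treated as unexplained rather than as C2. The parser below is an added Python example, not sandbox code: it reads rows in the report's four-column layout, tolerating rows where the protocol has slid into the Domain column as exported tables sometimes have, de-duplicates queried names, marks dynamic-DNS hosts, and decodes in-addr.arpa names back to the address asked about. The dynamic-DNS zone list and the sample rows are constructed for the example.

```python
"""DNS and endpoint triage over the Network tables (added example; not sandbox code)."""
import ipaddress
import re
from collections import Counter

# Free dynamic-DNS zones often used for RAT C2; illustrative list (assumption), extend to taste.
DYNDNS_ZONES = ("ddns.net", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org", "duckdns.org")

# Rows copied from the two detonations above, abridged; two are given in the
# shifted form (protocol in the Domain column) that exported tables sometimes have.
SAMPLE_ROWS = """
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 13.69.239.73:443 | | tcp |
| N/A | 8.8.8.8:53 | euroano.ddns.net | udp |
| N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | euroano2.ddns.net | udp |
""".strip().splitlines()


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row; None for headers/junk."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    country, dest, c3, c4 = cells
    host, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None  # header row or malformed destination
    proto = next((c.lower() for c in (c3, c4) if c.lower() in ("tcp", "udp")), "")
    domain = next((c for c in (c3, c4) if c and c.lower() not in ("tcp", "udp")), "")
    return {"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """Decode a reverse-lookup name (d.c.b.a.in-addr.arpa) to the IPv4 address a.b.c.d."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", name, re.IGNORECASE)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def is_dynamic_dns(name):
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES)


def summarize(lines):
    rows = [r for r in map(parse_row, lines) if r]
    queries, reverse = Counter(), {}
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse[r["domain"]] = ip
            else:
                queries[r["domain"].lower().rstrip(".")] += 1
    return {
        "dns_queries": dict(queries),
        "dynamic_dns": sorted(d for d in queries if is_dynamic_dns(d)),
        "reverse_lookups": reverse,
        # endpoints the report never tied to a name: follow up, do not assume C2
        "unattributed": sorted({(r["ip"], r["port"], r["proto"]) for r in rows if not r["domain"]}),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_ROWS).items():
        print(f"{k}: {v}")
```

Repeat counts matter here: a host that is queried over and over with no following TCP connection to its answer is a client that cannot reach its server, which is exactly what a sandbox with outbound C2 blocked, or a dead dynamic-DNS name, looks like.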
Files
memory/3592-132-0x0000000074C60000-0x0000000075211000-memory.dmp
memory/2424-133-0x0000000000000000-mapping.dmp
memory/1744-134-0x0000000000000000-mapping.dmp
memory/1744-135-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\6771ab93cecc2ca6b8527d18d4a6c449610d7d836d7a4d2bd9321b0993d0e84d.exe.log
| MD5 | 0a9b4592cd49c3c21f6767c2dabda92f |
| SHA1 | f534297527ae5ccc0ecb2221ddeb8e58daeb8b74 |
| SHA256 | c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd |
| SHA512 | 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307 |
memory/1744-137-0x0000000074C60000-0x0000000075211000-memory.dmp
memory/3592-138-0x0000000074C60000-0x0000000075211000-memory.dmp
memory/1744-139-0x0000000074C60000-0x0000000075211000-memory.dmp
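The Files lists in both detonations (the win7 list under behavioral1 and the win10 list here) are mostly memory dumps, and the useful question is which one holds the code written into the hollowed child. The win10 list also carries C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\<name>.exe.log, a file the .NET runtime writes when a managed executable runs, so the dropper itself is a .NET (CLR 2.0 era) binary; the dumps are where the unmanaged payload lives. The indexer below is an added Python example, not sandbox tooling. It reads the names as memory/<pid>-<counter>-<start>-<end>-memory.dmp and memory/<pid>-<counter>-<address>-mapping.dmp, an interpretation inferred from the values rather than documented on this page, and uses the win7 entries as its embedded sample. A range dumped from both processes at the same address (0x74110000-0x746BB000 in 1724 and 468) is most likely a module both load; what remains only in the SetThreadContext target, 0x400000-0x438000 in PID 468, is 0x38000 bytes at the default 32-bit image base and the first dump to pull apart.

```python
"""Index the memory dump names listed under Files (added example; not sandbox code).

Name layout memory/<pid>-<counter>-<start>-<end>-memory.dmp and
memory/<pid>-<counter>-<address>-mapping.dmp is inferred from the values
on the page, not documented there (assumption).
"""
import re
from collections import defaultdict

REGION = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")

# Entries copied from the behavioral1 Files list (win7, PIDs 1724 and 468), abridged.
SAMPLE_FILES = """
memory/1724-54-0x0000000075A91000-0x0000000075A93000-memory.dmp
memory/1724-55-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/468-57-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-64-0x000000000041EDAE-mapping.dmp
memory/468-68-0x0000000000400000-0x0000000000438000-memory.dmp
memory/468-70-0x0000000074110000-0x00000000746BB000-memory.dmp
memory/1724-71-0x0000000074110000-0x00000000746BB000-memory.dmp
""".split()


def index_dumps(names):
    """Group dump names by PID: each distinct region with its capture counters,
    plus the addresses of any mapping dumps. Non-matching names are ignored."""
    idx = defaultdict(lambda: {"regions": {}, "mappings": []})
    for name in names:
        if (m := REGION.match(name)):
            pid, counter, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            idx[pid]["regions"].setdefault((start, end), []).append(counter)
        elif (m := MAPPING.match(name)):
            idx[int(m[1])]["mappings"].append(int(m[3], 16))
    return dict(idx)


def regions_only_in(idx, pid):
    """Regions dumped for `pid` that no other process in the run shares.

    Shared ranges are most likely modules both processes load; what is left
    in the injection target is where the written-in payload should be.
    """
    others = {r for p, rec in idx.items() if p != pid for r in rec["regions"]}
    return sorted(r for r in idx.get(pid, {"regions": {}})["regions"] if r not in others)


def region_size(region):
    start, end = region
    return end - start


if __name__ == "__main__":
    idx = index_dumps(SAMPLE_FILES)
    for pid, rec in sorted(idx.items()):
        for (start, end), counters in sorted(rec["regions"].items()):
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} ({end - start:#x} bytes) captured {len(counters)}x")
    print("candidate payload regions in 468:",
          [f"0x{s:X}-0x{e:X}" for s, e in regions_only_in(idx, 468)])
```

The same reading applied to the win10 list points at 1744-135 (0x400000-0x438000 in the SetThreadContext target 1744) for the same reason; the two 0x00000000 mapping dumps there (PIDs 2424 and 1744) carry no address and are not regions.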