Analysis

max time kernel: 91s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2022 15:45

Static task: static1
Behavioral task: behavioral1
Sample: 0a0671ce1039d895af0984a16b1f54ee.exe
Resource: win7-20220812-en

General

Target: 0a0671ce1039d895af0984a16b1f54ee.exe
Size: 809KB
MD5: 0a0671ce1039d895af0984a16b1f54ee
SHA1: b85f0fcd100cda02d076f99b178d5c7546aacdbd
SHA256: ccbaf764d75b62d77aaa93db6a20926161eba9762d398a53e3bebb007443edba
SHA512: 2a59aee635ff0353c86c6cba6f308844d669f9d576ad7d509ea17604e6b802e7ee4c13d028314b6011216027f09d2cce4482f4b075e8512a7de78936ecbb8825
SSDEEP: 12288:tOvuqJwk3uG9JwObO+92SmULZuZMh1AOn6PK7l9lLAgNB:TqJwk3uWlb/2UL0ZMh1A5PK7lHLA0
Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: tzitziklishop.ddns.net:1665, 127.0.0.1:1665
Mutex: 54c43eb3-9a5e-48cf-bbb9-9a65e46643a1

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-09-09T09:23:36.606577636Z
bypass_user_account_control: false
bypass_user_account_control_data: (value not recoverable from this extraction)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1665
default_group: NOV282022
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 54c43eb3-9a5e-48cf-bbb9-9a65e46643a1
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: tzitziklishop.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | 0a0671ce1039d895af0984a16b1f54ee.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0a0671ce1039d895af0984a16b1f54ee.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 5064 set thread context of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | 0a0671ce1039d895af0984a16b1f54ee.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid | process
  2172 | 0a0671ce1039d895af0984a16b1f54ee.exe
  2172 | 0a0671ce1039d895af0984a16b1f54ee.exe
  2172 | 0a0671ce1039d895af0984a16b1f54ee.exe
  2172 | 0a0671ce1039d895af0984a16b1f54ee.exe
  2172 | 0a0671ce1039d895af0984a16b1f54ee.exe
  2172 | 0a0671ce1039d895af0984a16b1f54ee.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  2172 | 0a0671ce1039d895af0984a16b1f54ee.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2172 | 0a0671ce1039d895af0984a16b1f54ee.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description | pid | process | target process
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 5064 wrote to memory of 2172 | 5064 | 0a0671ce1039d895af0984a16b1f54ee.exe | 0a0671ce1039d895af0984a16b1f54ee.exe
  PID 2172 wrote to memory of 1128 | 2172 | 0a0671ce1039d895af0984a16b1f54ee.exe | schtasks.exe
  PID 2172 wrote to memory of 1128 | 2172 | 0a0671ce1039d895af0984a16b1f54ee.exe | schtasks.exe
  PID 2172 wrote to memory of 1128 | 2172 | 0a0671ce1039d895af0984a16b1f54ee.exe | schtasks.exe
  PID 2172 wrote to memory of 212 | 2172 | 0a0671ce1039d895af0984a16b1f54ee.exe | schtasks.exe
  PID 2172 wrote to memory of 212 | 2172 | 0a0671ce1039d895af0984a16b1f54ee.exe | schtasks.exe
  PID 2172 wrote to memory of 212 | 2172 | 0a0671ce1039d895af0984a16b1f54ee.exe | schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0a0671ce1039d895af0984a16b1f54ee.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0a0671ce1039d895af0984a16b1f54ee.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\0a0671ce1039d895af0984a16b1f54ee.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\0a0671ce1039d895af0984a16b1f54ee.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (depth 3)
      command line: "schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5D91.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (depth 3)
      command line: "schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5E2E.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D91.tmp
  Filesize: 1KB
  MD5: 9ec73cb1a4bc5bb187faf1db725066e8
  SHA1: 0a0699887a8b72e369093640140697e42977ea5a
  SHA256: be3ea046edb1cec6c8dc8302087eeaf684212c5fcb8546d5bf247ce75644b828
  SHA512: b340640887d46fac1f1f61f1f7a146095d22ffe98f3ce9adf7e67441fe377f2176d63d08826eed2d21ae0d7f1d7eab93eab7f4c06a7baf8f01eef97f8ed2767b

C:\Users\Admin\AppData\Local\Temp\tmp5E2E.tmp
  Filesize: 1KB
  MD5: 2f26d92c1eeead3896820e56ec46f6f1
  SHA1: d95533b61eed7d89e4ada56bc566d60e42ac1f61
  SHA256: 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
  SHA512: 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892

memory/212-141-0x0000000000000000-mapping.dmp
memory/1128-139-0x0000000000000000-mapping.dmp
memory/2172-137-0x0000000000000000-mapping.dmp
memory/2172-138-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
memory/2172-143-0x00000000074C0000-0x0000000007526000-memory.dmp
  Filesize: 408KB
memory/5064-132-0x0000000000400000-0x00000000004D0000-memory.dmp
  Filesize: 832KB
memory/5064-133-0x00000000053B0000-0x0000000005954000-memory.dmp
  Filesize: 5.6MB
memory/5064-134-0x0000000004EA0000-0x0000000004F32000-memory.dmp
  Filesize: 584KB
memory/5064-135-0x0000000004E80000-0x0000000004E8A000-memory.dmp
  Filesize: 40KB
memory/5064-136-0x0000000008C90000-0x0000000008D2C000-memory.dmp
  Filesize: 624KB