Analysis
max time kernel: 147s
max time network: 194s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2022 08:13

Static task: static1
Behavioral task: behavioral1
Sample: Bank Report.exe
Resource: win7-20220812-en
General
Target: Bank Report.exe
Size: 944KB
MD5: b77ff86a8ae8dde9138ddc5f991b67e3
SHA1: d8f69066737b8625a3ff4f7a465b404add960b69
SHA256: 96b0f5deac71ac49ff7c41baf84f279dd918fbf16ed9283f7e9870dd29956085
SHA512: 1fee324dfbc4db3ee985235a96284ad9edbf5643c46f5affd9434d2080e29cd67f5f5c30bb2088dbc71e64474e8bc91b44133f3219a6f49bffaa4eeec9d49585
SSDEEP: 12288:jPprXT9vE50LpDSSVsPwMM2bbouANl8X7BIXVpQWsNTADQjL9QWi8pVrc1NfpHs8:coDx2zMibNsleXzTRjJQJ8phcO
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: kamzy2022.ddns.net:7600
C2: 194.55.186.150:7600
Mutex: 9cfc376c-59e4-461b-8735-e43978cd6016

activate_away_mode: true
backup_connection_host: 194.55.186.150
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-09-10T20:51:10.905424736Z
bypass_user_account_control: false
bypass_user_account_control_data: (omitted)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 7600
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 9cfc376c-59e4-461b-8735-e43978cd6016
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: kamzy2022.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: Bank Report.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | Bank Report.exe

Checks whether UAC is enabled
Processes: Bank Report.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Bank Report.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: Bank Report.exe
  description | pid | process | target process
  PID 2044 set thread context of 1396 | 2044 | Bank Report.exe | Bank Report.exe

Drops file in Program Files directory (2 IoCs)
Processes: Bank Report.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | Bank Report.exe
  File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | Bank Report.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: Bank Report.exe, Bank Report.exe
  pid | process | events
  2044 | Bank Report.exe | 4
  1396 | Bank Report.exe | 4

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Bank Report.exe
  pid | process
  1396 | Bank Report.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Bank Report.exe, Bank Report.exe
  description | pid | process
  Token: SeDebugPrivilege | 2044 | Bank Report.exe
  Token: SeDebugPrivilege | 1396 | Bank Report.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes: Bank Report.exe, Bank Report.exe
  description | pid | process | target process | events
  PID 2044 wrote to memory of 1360 | 2044 | Bank Report.exe | Bank Report.exe | 4
  PID 2044 wrote to memory of 1776 | 2044 | Bank Report.exe | Bank Report.exe | 4
  PID 2044 wrote to memory of 1264 | 2044 | Bank Report.exe | Bank Report.exe | 4
  PID 2044 wrote to memory of 1404 | 2044 | Bank Report.exe | Bank Report.exe | 4
  PID 2044 wrote to memory of 1396 | 2044 | Bank Report.exe | Bank Report.exe | 9
  PID 1396 wrote to memory of 1572 | 1396 | Bank Report.exe | schtasks.exe | 4
  PID 1396 wrote to memory of 780 | 1396 | Bank Report.exe | schtasks.exe | 4
Processes

C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank Report.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp63F2.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp98C8.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp63F2.tmp
  Filesize: 1KB
  MD5: cd04c8570e996d042fd64004c0694074
  SHA1: a481173753a6c9e61a3a41d5e05f98e9ea723de4
  SHA256: 05ed64abfe7ba34e3567a84f99db27e627e12d8b4e98a70c75bffd0d073670ad
  SHA512: 8d36b4bda117255aa12eab2addd457c401563e46480d11bf574abee351a9e8dfb47cab901cfbbf76fac0dfe1b52ad588d88a0548cdd3efbb8c58428b9f31f2a8

C:\Users\Admin\AppData\Local\Temp\tmp98C8.tmp
  Filesize: 1KB
  MD5: 981e126601526eaa5b0ad45c496c4465
  SHA1: d610d6a21a8420cc73fcd3e54ddae75a5897b28b
  SHA256: 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
  SHA512: a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb
memory/780-74-0x0000000000000000-mapping.dmp
memory/1396-63-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1396-62-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1396-76-0x0000000000570000-0x000000000057A000-memory.dmp (Filesize: 40KB)
memory/1396-60-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1396-77-0x0000000000680000-0x000000000069E000-memory.dmp (Filesize: 120KB)
memory/1396-90-0x0000000004290000-0x00000000042A4000-memory.dmp (Filesize: 80KB)
memory/1396-65-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1396-66-0x000000000041E792-mapping.dmp
memory/1396-70-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1396-68-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1396-89-0x00000000042F0000-0x000000000431E000-memory.dmp (Filesize: 184KB)
memory/1396-78-0x00000000006A0000-0x00000000006AA000-memory.dmp (Filesize: 40KB)
memory/1396-88-0x0000000004230000-0x000000000423E000-memory.dmp (Filesize: 56KB)
memory/1396-87-0x0000000004220000-0x0000000004234000-memory.dmp (Filesize: 80KB)
memory/1396-59-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1396-86-0x0000000002190000-0x00000000021A0000-memory.dmp (Filesize: 64KB)
memory/1396-85-0x0000000002180000-0x0000000002194000-memory.dmp (Filesize: 80KB)
memory/1396-79-0x0000000000A50000-0x0000000000A62000-memory.dmp (Filesize: 72KB)
memory/1396-80-0x0000000002010000-0x000000000202A000-memory.dmp (Filesize: 104KB)
memory/1396-81-0x0000000002030000-0x000000000203E000-memory.dmp (Filesize: 56KB)
memory/1396-82-0x0000000002040000-0x0000000002052000-memory.dmp (Filesize: 72KB)
memory/1396-83-0x0000000002060000-0x000000000206C000-memory.dmp (Filesize: 48KB)
memory/1396-84-0x0000000002070000-0x000000000207E000-memory.dmp (Filesize: 56KB)
memory/1572-72-0x0000000000000000-mapping.dmp
memory/2044-57-0x0000000005BE0000-0x0000000005C68000-memory.dmp (Filesize: 544KB)
memory/2044-58-0x0000000004C90000-0x0000000004CCA000-memory.dmp (Filesize: 232KB)
memory/2044-55-0x0000000075501000-0x0000000075503000-memory.dmp (Filesize: 8KB)
memory/2044-56-0x0000000000390000-0x00000000003A2000-memory.dmp (Filesize: 72KB)
memory/2044-54-0x0000000000070000-0x0000000000162000-memory.dmp (Filesize: 968KB)