Analysis
-
max time kernel
200s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
05-12-2022 09:17
Static task
static1
Behavioral task
behavioral1
Sample
f7a5ad596bd5d58585f8882331659e05.exe
Resource
win7-20221111-en
General
-
Target
f7a5ad596bd5d58585f8882331659e05.exe
-
Size
852KB
-
MD5
f7a5ad596bd5d58585f8882331659e05
-
SHA1
5db9d0e545b9a94dcfd89432518bc377d4cea07c
-
SHA256
535cd0a815cba9e42f83f54f256659be81ec735475e393d7a696eae64197d1f9
-
SHA512
791480ebcca0772980561496911c52b18ff429cb3c21f00e926fc004e85ae8b824f36f5d6f79ae0d4e7ca125b0c82b847a9cddd85c5619fc9e4118cc0b59b673
-
SSDEEP
12288:l/9ciMQJ7v8J2tD8gy4R1EDp0GRmuZbiTGBQ44I8yxCCLkg586aWHff:V9Z778Jp21E1Re+R4I8YCCB5O8f
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: tzitziklishop.ddns.net:1665
C2: 127.0.0.1:1665
Mutex: 54c43eb3-9a5e-48cf-bbb9-9a65e46643a1
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-09-09T09:23:36.606577636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1665
-
default_group
NOV282022
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
54c43eb3-9a5e-48cf-bbb9-9a65e46643a1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
tzitziklishop.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: f7a5ad596bd5d58585f8882331659e05.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Monitor = "C:\\Program Files (x86)\\UPNP Monitor\\upnpmon.exe" | f7a5ad596bd5d58585f8882331659e05.exe
-
Checks whether UAC is enabled
Processes: f7a5ad596bd5d58585f8882331659e05.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f7a5ad596bd5d58585f8882331659e05.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: f7a5ad596bd5d58585f8882331659e05.exe
description | pid | process | target process
PID 2080 set thread context of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
-
Drops file in Program Files directory 2 IoCs
Processes: f7a5ad596bd5d58585f8882331659e05.exe
description | ioc | process
File created | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | f7a5ad596bd5d58585f8882331659e05.exe
File opened for modification | C:\Program Files (x86)\UPNP Monitor\upnpmon.exe | f7a5ad596bd5d58585f8882331659e05.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
1164 | schtasks.exe
4044 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: f7a5ad596bd5d58585f8882331659e05.exe
pid | process
1708 | f7a5ad596bd5d58585f8882331659e05.exe
1708 | f7a5ad596bd5d58585f8882331659e05.exe
1708 | f7a5ad596bd5d58585f8882331659e05.exe
1708 | f7a5ad596bd5d58585f8882331659e05.exe
1708 | f7a5ad596bd5d58585f8882331659e05.exe
1708 | f7a5ad596bd5d58585f8882331659e05.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: f7a5ad596bd5d58585f8882331659e05.exe
pid | process
1708 | f7a5ad596bd5d58585f8882331659e05.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: f7a5ad596bd5d58585f8882331659e05.exe
description | pid | process
Token: SeDebugPrivilege | 1708 | f7a5ad596bd5d58585f8882331659e05.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: f7a5ad596bd5d58585f8882331659e05.exe, f7a5ad596bd5d58585f8882331659e05.exe
description | pid | process | target process
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 2080 wrote to memory of 1708 | 2080 | f7a5ad596bd5d58585f8882331659e05.exe | f7a5ad596bd5d58585f8882331659e05.exe
PID 1708 wrote to memory of 4044 | 1708 | f7a5ad596bd5d58585f8882331659e05.exe | schtasks.exe
PID 1708 wrote to memory of 4044 | 1708 | f7a5ad596bd5d58585f8882331659e05.exe | schtasks.exe
PID 1708 wrote to memory of 4044 | 1708 | f7a5ad596bd5d58585f8882331659e05.exe | schtasks.exe
PID 1708 wrote to memory of 1164 | 1708 | f7a5ad596bd5d58585f8882331659e05.exe | schtasks.exe
PID 1708 wrote to memory of 1164 | 1708 | f7a5ad596bd5d58585f8882331659e05.exe | schtasks.exe
PID 1708 wrote to memory of 1164 | 1708 | f7a5ad596bd5d58585f8882331659e05.exe | schtasks.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\f7a5ad596bd5d58585f8882331659e05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7a5ad596bd5d58585f8882331659e05.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Users\Admin\AppData\Local\Temp\f7a5ad596bd5d58585f8882331659e05.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7a5ad596bd5d58585f8882331659e05.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "UPNP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB263.tmp"
      - Creates scheduled task(s)
    [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "UPNP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB8DC.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f7a5ad596bd5d58585f8882331659e05.exe.log
Filesize 1KB
MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
C:\Users\Admin\AppData\Local\Temp\tmpB263.tmp
Filesize 1KB
MD5 e37b299da7744fd2320d02ea34841d23
SHA1 12733e31aad7951b297bff66b05b4eaaa7458618
SHA256 88bed0d477cb50c2be70f826ecdaa165ff5110801da8a1a6157a085afe9eebcf
SHA512 f1a211e4c2dc5d05cac349898229729672baa2da0d7463f66585b9fc1f740d24df87326d57d6f6a8241ac084709451cc5822f1739492c47c5f80c440897e396c
-
C:\Users\Admin\AppData\Local\Temp\tmpB8DC.tmp
Filesize 1KB
MD5 c9a4c783d2e18eea86e071de92f36f02
SHA1 4cb02db05386ccb70a23fa89dbadfddfc8f7b6af
SHA256 21d669a674eb23538f38f6822429d797e69e0685d18c0e6e03ec6801098b240a
SHA512 b6d5198d9ca83687fcc491c02ad8b417e02dff0150b514c3d39d13b8de9ffba6f3779ee7bb6350b087474fb6e0d1bd10b8fdd5c8f48a46c9cfd183d9045b80ef
-
memory/1164-142-0x0000000000000000-mapping.dmp
-
memory/1708-137-0x0000000000000000-mapping.dmp
-
memory/1708-138-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/2080-132-0x0000000000F40000-0x000000000101C000-memory.dmp
Filesize 880KB
-
memory/2080-133-0x0000000005EC0000-0x0000000006464000-memory.dmp
Filesize 5.6MB
-
memory/2080-134-0x00000000059F0000-0x0000000005A82000-memory.dmp
Filesize 584KB
-
memory/2080-135-0x00000000059D0000-0x00000000059DA000-memory.dmp
Filesize 40KB
-
memory/2080-136-0x0000000007AD0000-0x0000000007B6C000-memory.dmp
Filesize 624KB
-
memory/4044-140-0x0000000000000000-mapping.dmp