Analysis
-
max time kernel
167s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
05-04-2023 11:04
Static task
static1
Behavioral task
behavioral1
Sample
765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
Resource
win7-20230220-en
General
-
Target
765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
-
Size
461KB
-
MD5
5c1b6e8b6457c4c20025b35f84a3b4cb
-
SHA1
78a29561ed2069fd539e06606b1b6dd93a24f0d1
-
SHA256
765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef
-
SHA512
674a09252391f01b70ab931b930d7f05fd8b1879c5ecea8cd89482cf34dfb991a9ba735952b323e4f839601f45d85f4bdad91d70fc08f8aa5d28822f543124c4
-
SSDEEP
12288:snaTZ1Yqu84rYqFPrGkEgiyiZ+/RTuRhtd:snKNu8qYszGkEHkMtd
Malware Config
Extracted
nanocore
1.2.2.0
zafar101.duckdns.org:8779
f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e
-
activate_away_mode
true
-
backup_connection_host
zafar101.duckdns.org
-
backup_dns_server
zafar101.duckdns.org
-
buffer_size
65535
-
build_time
2022-08-13T10:33:19.772981836Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8779
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
zafar101.duckdns.org
-
primary_dns_server
zafar101.duckdns.org
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Subsystem = "C:\\Program Files (x86)\\ARP Subsystem\\arpss.exe" | RegSvcs.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
description | pid | process | target process
PID 920 set thread context of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
RegSvcs.exe
description | ioc | process
File created | C:\Program Files (x86)\ARP Subsystem\arpss.exe | RegSvcs.exe
File opened for modification | C:\Program Files (x86)\ARP Subsystem\arpss.exe | RegSvcs.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe
pid | process
2032 | schtasks.exe
1936 | schtasks.exe
-
Modifies system certificate store
Processes:
765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (DER-encoded certificate blob, subject "DigiCert Global Root CA", not reproduced here) | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
RegSvcs.exe
pid | process
1540 | RegSvcs.exe
1540 | RegSvcs.exe
1540 | RegSvcs.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
RegSvcs.exe
pid | process
1540 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 1540 | RegSvcs.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
pid | process
920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe, RegSvcs.exe
description | pid | process | target process
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 920 wrote to memory of 1540 | 920 | 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe | RegSvcs.exe
PID 1540 wrote to memory of 1936 | 1540 | RegSvcs.exe | schtasks.exe
PID 1540 wrote to memory of 1936 | 1540 | RegSvcs.exe | schtasks.exe
PID 1540 wrote to memory of 1936 | 1540 | RegSvcs.exe | schtasks.exe
PID 1540 wrote to memory of 1936 | 1540 | RegSvcs.exe | schtasks.exe
PID 1540 wrote to memory of 2032 | 1540 | RegSvcs.exe | schtasks.exe
PID 1540 wrote to memory of 2032 | 1540 | RegSvcs.exe | schtasks.exe
PID 1540 wrote to memory of 2032 | 1540 | RegSvcs.exe | schtasks.exe
PID 1540 wrote to memory of 2032 | 1540 | RegSvcs.exe | schtasks.exe
Processes
-
(1) C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
    "C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe"
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        (3) C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "ARP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB08B.tmp"
            - Creates scheduled task(s)
        (3) C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "ARP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE255.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB08B.tmp
Filesize
1KB
MD5
8cad1b41587ced0f1e74396794f31d58
SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef
-
memory/1540-69-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1540-71-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1540-73-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1540-77-0x0000000000BC0000-0x0000000000C00000-memory.dmp
Filesize
256KB
-
memory/1540-79-0x0000000000BC0000-0x0000000000C00000-memory.dmp
Filesize
256KB
-
memory/1540-82-0x00000000005D0000-0x00000000005DA000-memory.dmp
Filesize
40KB
-
memory/1540-83-0x0000000000630000-0x000000000064E000-memory.dmp
Filesize
120KB
-
memory/1540-84-0x00000000005E0000-0x00000000005EA000-memory.dmp
Filesize
40KB
-
memory/1540-85-0x0000000000BC0000-0x0000000000C00000-memory.dmp
Filesize
256KB
-
memory/1540-86-0x0000000000BC0000-0x0000000000C00000-memory.dmp
Filesize
256KB