Analysis

max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2023 11:04

Static task: static1
Behavioral task: behavioral1
  Sample: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
  Resource: win7-20230220-en
General

Target: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
Size: 461KB
MD5: 5c1b6e8b6457c4c20025b35f84a3b4cb
SHA1: 78a29561ed2069fd539e06606b1b6dd93a24f0d1
SHA256: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef
SHA512: 674a09252391f01b70ab931b930d7f05fd8b1879c5ecea8cd89482cf34dfb991a9ba735952b323e4f839601f45d85f4bdad91d70fc08f8aa5d28822f543124c4
SSDEEP: 12288:snaTZ1Yqu84rYqFPrGkEgiyiZ+/RTuRhtd:snKNu8qYszGkEHkMtd
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: zafar101.duckdns.org:8779
Mutex: f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e

activate_away_mode: true
backup_connection_host: zafar101.duckdns.org
backup_dns_server: zafar101.duckdns.org
buffer_size: 65535
build_time: 2022-08-13T10:33:19.772981836Z
bypass_user_account_control: false
bypass_user_account_control_data: (value not included in this report)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8779
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: f3e2761c-8ffb-415b-b6b5-024a2ef9ff3e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: zafar101.duckdns.org
primary_dns_server: zafar101.duckdns.org
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: RegSvcs.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAAS Monitor = "C:\\Program Files (x86)\\SAAS Monitor\\saasmon.exe"
  process: RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
Processes: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
  description: PID 2616 set thread context of 676
  pid: 2616
  process: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
  target process: RegSvcs.exe

Drops file in Program Files directory (2 IoCs)
Processes: RegSvcs.exe
  description: File created
  ioc: C:\Program Files (x86)\SAAS Monitor\saasmon.exe
  process: RegSvcs.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\SAAS Monitor\saasmon.exe
  process: RegSvcs.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid 2200: schtasks.exe
  pid 4800: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: RegSvcs.exe
  pid 676: RegSvcs.exe (3 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RegSvcs.exe
  pid 676: RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: RegSvcs.exe
  description: Token: SeDebugPrivilege
  pid: 676
  process: RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
  pid 2616: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes: 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe, RegSvcs.exe
  PID 2616 wrote to memory of 676 (8 IoCs): 765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe -> RegSvcs.exe
  PID 676 wrote to memory of 2200 (3 IoCs): RegSvcs.exe -> schtasks.exe
  PID 676 wrote to memory of 4800 (3 IoCs): RegSvcs.exe -> schtasks.exe
Processes

C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\765cbbbb41b433ad23ad00c37e06f2f0df134518f174f563ce71542bb54b4bef.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "SAAS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCEDE.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "SAAS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD017.tmp"
      - Creates scheduled task(s)
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
C:\Users\Admin\AppData\Local\Temp\tmpCEDE.tmp
  Filesize: 1KB
  MD5: 8cad1b41587ced0f1e74396794f31d58
  SHA1: 11054bf74fcf5e8e412768035e4dae43aa7b710f
  SHA256: 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
  SHA512: 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmpD017.tmp
  Filesize: 1KB
  MD5: 8a92e4176a36b704a55c4888e04853e2
  SHA1: 6efbd8d0097e2632ca90083974b845f93e5b6a5c
  SHA256: 91f88494715f51246ed7255ad4bba50e2f5dec26bef203f31450a6a8e1443cdd
  SHA512: 4ea87f28391b022cfad5e0f695c2413a5addb18a6e9fdf9c56c4121253cf6e532110da8200b1c57b43ee85ed047f1530b1516a7c689c9574af069176114fa157

memory/676-139-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

memory/676-140-0x0000000005F90000-0x0000000006534000-memory.dmp
  Filesize: 5.6MB

memory/676-141-0x00000000058A0000-0x0000000005932000-memory.dmp
  Filesize: 584KB

memory/676-142-0x00000000059E0000-0x0000000005A7C000-memory.dmp
  Filesize: 624KB

memory/676-143-0x0000000005B30000-0x0000000005B40000-memory.dmp
  Filesize: 64KB

memory/676-144-0x0000000005870000-0x000000000587A000-memory.dmp
  Filesize: 40KB

memory/676-152-0x0000000005B30000-0x0000000005B40000-memory.dmp
  Filesize: 64KB

memory/676-153-0x0000000005B30000-0x0000000005B40000-memory.dmp
  Filesize: 64KB

memory/676-154-0x0000000005B30000-0x0000000005B40000-memory.dmp
  Filesize: 64KB