Analysis
-
max time kernel
127s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
05/05/2023, 19:06
Static task
static1
Behavioral task
behavioral1
Sample
b3ac1d448ec0c1a677e30b26a02cf525.exe
Resource
win7-20230220-en
General
-
Target
b3ac1d448ec0c1a677e30b26a02cf525.exe
-
Size
992KB
-
MD5
b3ac1d448ec0c1a677e30b26a02cf525
-
SHA1
7ac37e6d210fd713a350fbc5920d523404397b86
-
SHA256
b56fcfe2487e1acd67163ca50b4d05d793557d927971675a09f1a5bcfa8464cb
-
SHA512
6169b2b7520af1898d074b4ecee84c19b070f9e1b05349605e4442d42c183c43b97abb10198893eff6b30dfabe87920ab676c70a300c9682e27ea8dd3e638846
-
SSDEEP
12288:DtE1YG6m3qToJq0Kw2Yh3ZCZV4upfn98ZQ/O1NL4I3VTK0bOT0NRHl:DtE1xOk4vw2m5o/98S/OfDFOp
Malware Config
Extracted
nanocore
1.2.2.0
1116.hopto.org:1116
185.140.53.9:1116
909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9
-
activate_away_mode
true
-
backup_connection_host
185.140.53.9
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-02-16T08:43:19.524585136Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1116
-
default_group
1116
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
1116.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Subsystem = "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe" RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1088 set thread context of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\DSL Subsystem\dslss.exe RegSvcs.exe File created C:\Program Files (x86)\DSL Subsystem\dslss.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 580 schtasks.exe 868 schtasks.exe 1532 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 460 RegSvcs.exe 460 RegSvcs.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 460 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 460 RegSvcs.exe -
Suspicious use of WriteProcessMemory 24 IoCs
description pid Process procid_target PID 1088 wrote to memory of 580 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 28 PID 1088 wrote to memory of 580 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 28 PID 1088 wrote to memory of 580 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 28 PID 1088 wrote to memory of 580 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 28 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 1088 wrote to memory of 460 1088 b3ac1d448ec0c1a677e30b26a02cf525.exe 30 PID 460 wrote to memory of 868 460 RegSvcs.exe 31 PID 460 wrote to memory of 868 460 RegSvcs.exe 31 PID 460 wrote to memory of 868 460 RegSvcs.exe 31 PID 460 wrote to memory of 868 460 RegSvcs.exe 31 PID 460 wrote to memory of 1532 460 RegSvcs.exe 33 PID 460 wrote to memory of 1532 460 RegSvcs.exe 33 PID 460 wrote to memory of 1532 460 RegSvcs.exe 33 PID 460 wrote to memory of 1532 460 RegSvcs.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3ac1d448ec0c1a677e30b26a02cf525.exe"C:\Users\Admin\AppData\Local\Temp\b3ac1d448ec0c1a677e30b26a02cf525.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qPUTVS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7E9.tmp"2⤵
- Creates scheduled task(s)
PID:580
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:460 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DSL Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDD26.tmp"3⤵
- Creates scheduled task(s)
PID:868
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DSL Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDEAD.tmp"3⤵
- Creates scheduled task(s)
PID:1532
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD564878bdfe21ac908ac5396d408027686
SHA1fd02cfb3f027087d56e50542fc20b2731f52fe02
SHA2566a71dc6b9f69a565f7e4e760391067b9160a2e265f7ae0957de5e818e7d251f8
SHA512d7b87b3aaf48cee15e9e896c9b62f9ea5d9a34bee436cdb75f2e68e3195c09bc9d2aa45518d667d90aae8a83fbd8bf52e425083b1893a18097fd915f9629e9b6
-
Filesize
1KB
MD58cad1b41587ced0f1e74396794f31d58
SHA111054bf74fcf5e8e412768035e4dae43aa7b710f
SHA2563086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA51299c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef
-
Filesize
1KB
MD5cc41562853d473a6d8785f7887ed523f
SHA15be25b133c7a5cbc1b240822e87f3cbe94aaa312
SHA256a259d5fb27ddfee2968c9b1c1346121934b35bda37f9f446e9470a72cb95c2b7
SHA512678c59e91d604607c7a3576dcab70eac4fb6af40d9f9db799a7a9fee67a1dd306a1a8b3bc4885e46fa6ab75970bb37fd62e6dcc66c61c09413d59991f90f12fd