Analysis
max time kernel: 167s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 08:38
Static task: static1
Behavioral task: behavioral1
Sample: 605c35366b7c51d33746d7173b9a5169.exe
Resource: win7-20231215-en
General
Target: 605c35366b7c51d33746d7173b9a5169.exe
Size: 1.1MB
MD5: 605c35366b7c51d33746d7173b9a5169
SHA1: f75fb8bb1b086ad55461ab18227d35811b4cc5d6
SHA256: 4a67899d740ecd593679a000e4fd663474307306640d8862a2d986ba4ce3b189
SHA512: 1459976dbc4fc81ace18c90e87cf39149971ed1e796c4e2997e1cb760d7dd299bad8bbef53c6ae7e6ee67e38dcb94c6768e1f7469b0890c28e48f4450c50f5f6
SSDEEP: 24576:IxVxBeKif9i/ylluneUyxcaMep/ahpka:I/xBfyPfuneP1Mepy
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 1116.hopto.org:1116
C2: 185.140.53.9:1116
Mutex: 909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9

activate_away_mode: true
backup_connection_host: 185.140.53.9
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-02-16T08:43:19.524585136Z
bypass_user_account_control: false
bypass_user_account_control_data: (value omitted from this page)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1116
default_group: 1116
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 1116.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | 605c35366b7c51d33746d7173b9a5169.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Manager = "C:\\Program Files (x86)\\ARP Manager\\arpmgr.exe" | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4292 set thread context of 4892 | 4292 | 605c35366b7c51d33746d7173b9a5169.exe | 107

Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\ARP Manager\arpmgr.exe | RegSvcs.exe
  File opened for modification | C:\Program Files (x86)\ARP Manager\arpmgr.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  320 | schtasks.exe
  2292 | schtasks.exe
  2500 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid | Process
  4292 | 605c35366b7c51d33746d7173b9a5169.exe
  4292 | 605c35366b7c51d33746d7173b9a5169.exe
  4892 | RegSvcs.exe
  4892 | RegSvcs.exe
  4892 | RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  4892 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4292 | 605c35366b7c51d33746d7173b9a5169.exe
  Token: SeDebugPrivilege | 4892 | RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs; identical rows collapsed, with the count of each)
  description | pid | Process | procid_target | count
  PID 4292 wrote to memory of 320 | 4292 | 605c35366b7c51d33746d7173b9a5169.exe | 106 | 3
  PID 4292 wrote to memory of 4892 | 4292 | 605c35366b7c51d33746d7173b9a5169.exe | 107 | 8
  PID 4892 wrote to memory of 2292 | 4892 | RegSvcs.exe | 109 | 3
  PID 4892 wrote to memory of 2500 | 4892 | RegSvcs.exe | 110 | 3
Processes

C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"
  PID: 4292
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sjxNYmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64.tmp"
    PID: 320
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 4892
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "schtasks.exe" /create /f /tn "ARP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp749.tmp"
      PID: 2292
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "schtasks.exe" /create /f /tn "ARP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10C0.tmp"
      PID: 2500
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: b6fc28b9f341812fc919e0d4c5ac0941
SHA1: d49341ec5a78189830dbf64b2bb553d0fbe06e88
SHA256: 2aacf4d9629bbec978f5a9ecfe8009cd18cfb5dbde09507937e0aaa13b1aeaba
SHA512: 166ece1d42a5f438142bc5df5f34b30ee17de5844383bb7517200ee77d77b1b8096e963739cc9188602742984d2e1dc8bc9788d8ae12010e5a05415676e29fdf

Filesize: 1KB
MD5: 5ab73a4127f2b244bb189cb2390cb47c
SHA1: 2257d69c15a7e9cf669acb09d47a6deae90b510c
SHA256: 6c823819052208efc65d3615a7a193122b2c94fb3914a11737cae1568e09a189
SHA512: dbd310258e537d9b3fd442c22d582a5160f4d7b0a5fdb4602102b4893ce9a080b9fea772433477c744f6718a864860fd8e2867e3dd835bd5ac6a06aa6c646bf8

Filesize: 1KB
MD5: 8cad1b41587ced0f1e74396794f31d58
SHA1: 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256: 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512: 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef