Analysis

max time kernel: 134s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/12/2023, 18:26
Static task: static1
Behavioral task: behavioral1
Sample: 840ef8d2d1936ebf66e63f85c7dece42.exe
Resource: win7-20231215-en
General

Target: 840ef8d2d1936ebf66e63f85c7dece42.exe
Size: 1.9MB
MD5: 840ef8d2d1936ebf66e63f85c7dece42
SHA1: f4770a5e987d15d1615c40ef40f3a96098c0e8c2
SHA256: 6dad4f5325f635039e443e725ddaf3eb210952b0ebe81027dae9f9fb0a09e831
SHA512: 91443a07773e48dff09cc5ff768278c54690b45dd1d9519c49f9eb51eca928f2a55a9388aafc66584ca4d12b6f6ec8516ac133b6b562972e7cf71ecd3d41ad43
SSDEEP: 6144:hl4uX/nkpB6i+WCWm9R+bM3WIVc7giHomaXXxB6IoeO0nSW/iYPEeuCZAA2iPIZd:hPtsU+bYWqBRoeT//iKsKtb
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2 host:port: omaprilcode.duckdns.org:8090
Mutex: f8dffc54-5ec5-4013-9de8-d8d853682f44

activate_away_mode = true
backup_connection_host = omaprilcode.duckdns.org
backup_dns_server = 8.8.4.4
buffer_size = 65535
build_time = 2021-01-26T15:04:24.913843336Z
bypass_user_account_control = true
bypass_user_account_control_data =
clear_access_control = true
clear_zone_identifier = false
connect_delay = 4000
connection_port = 8090
default_group = CODEDBASE
enable_debug_mode = true
gc_threshold = 1.048576e+07
keep_alive_timeout = 30000
keyboard_logging = false
lan_timeout = 2500
max_packet_size = 1.048576e+07
mutex = f8dffc54-5ec5-4013-9de8-d8d853682f44
mutex_timeout = 5000
prevent_system_sleep = false
primary_connection_host = omaprilcode.duckdns.org
primary_dns_server = 8.8.8.8
request_elevation = true
restart_delay = 5000
run_delay = 0
run_on_startup = true
set_critical_process = true
timeout_interval = 5000
use_custom_dns_server = false
version = 1.2.2.0
wan_timeout = 8000
Signatures

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 840ef8d2d1936ebf66e63f85c7dece42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" | 840ef8d2d1936ebf66e63f85c7dece42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe = "0" | 840ef8d2d1936ebf66e63f85c7dece42.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" | 840ef8d2d1936ebf66e63f85c7dece42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe = "0" | 840ef8d2d1936ebf66e63f85c7dece42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 840ef8d2d1936ebf66e63f85c7dece42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | 840ef8d2d1936ebf66e63f85c7dece42.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2acfo6aw = "C:\\Program Files\\Common Files\\System\\IfB44785yo4aR44dco3pdD14W\\svchost.exe" | 840ef8d2d1936ebf66e63f85c7dece42.exe

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 840ef8d2d1936ebf66e63f85c7dece42.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
pid | Process
2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe (10 entries)

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2992 set thread context of 1472 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 39

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe | 840ef8d2d1936ebf66e63f85c7dece42.exe
File opened for modification | C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe | 840ef8d2d1936ebf66e63f85c7dece42.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2332 | 2992 | WerFault.exe | 27

Delays execution with timeout.exe (1 IoCs)
pid | Process
2040 | timeout.exe
Suspicious behavior: EnumeratesProcesses (13 IoCs)
pid | Process
2748 | powershell.exe
2644 | powershell.exe
2780 | powershell.exe
2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe (7 entries)
1472 | 840ef8d2d1936ebf66e63f85c7dece42.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1472 | 840ef8d2d1936ebf66e63f85c7dece42.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2748 | powershell.exe
Token: SeDebugPrivilege | 2644 | powershell.exe
Token: SeDebugPrivilege | 2780 | powershell.exe
Token: SeDebugPrivilege | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe
Token: SeDebugPrivilege | 1472 | 840ef8d2d1936ebf66e63f85c7dece42.exe

Suspicious use of WriteProcessMemory (41 IoCs)
description | pid | Process | procid_target | entries
PID 2992 wrote to memory of 2644 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 28 | 4
PID 2992 wrote to memory of 2780 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 30 | 4
PID 2992 wrote to memory of 2748 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 32 | 4
PID 2992 wrote to memory of 588 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 34 | 4
PID 588 wrote to memory of 2040 | 588 | cmd.exe | 36 | 4
PID 2992 wrote to memory of 688 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 37 | 4
PID 2992 wrote to memory of 380 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 38 | 4
PID 2992 wrote to memory of 1472 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 39 | 9
PID 2992 wrote to memory of 2332 | 2992 | 840ef8d2d1936ebf66e63f85c7dece42.exe | 40 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"
    PID: 2992
    - Windows security bypass
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force
        PID: 2644
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe" -Force
        PID: 2780
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force
        PID: 2748
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
        PID: 588
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 1
            PID: 2040
            - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"
        PID: 688

    C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"
        PID: 380

    C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"
        PID: 1472
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 540
        PID: 2332
        - Program crash
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: b34658f22668a6fe56131681fc549e2a
SHA1: 4cd335909f463688f2e4e17f18746311eea8a005
SHA256: 2b7fc3d7c2a6738b52000b4bf9fdad6492ed8629139d7dc872d9a9213f3565fb
SHA512: 34f66f9c441f744731d4329319b7c55dd9b01a748c378f3fac1636d6bb7b120e7db5e1acb23d8d682a3e838885f2466ea1a1acd3640bee59ad2e3f44e13c041b