Analysis
max time kernel: 3s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/12/2023, 18:26
Static task: static1
Behavioral task: behavioral1
Sample: 840ef8d2d1936ebf66e63f85c7dece42.exe
Resource: win7-20231215-en
General
Target: 840ef8d2d1936ebf66e63f85c7dece42.exe
Size: 1.9MB
MD5: 840ef8d2d1936ebf66e63f85c7dece42
SHA1: f4770a5e987d15d1615c40ef40f3a96098c0e8c2
SHA256: 6dad4f5325f635039e443e725ddaf3eb210952b0ebe81027dae9f9fb0a09e831
SHA512: 91443a07773e48dff09cc5ff768278c54690b45dd1d9519c49f9eb51eca928f2a55a9388aafc66584ca4d12b6f6ec8516ac133b6b562972e7cf71ecd3d41ad43
SSDEEP: 6144:hl4uX/nkpB6i+WCWm9R+bM3WIVc7giHomaXXxB6IoeO0nSW/iYPEeuCZAA2iPIZd:hPtsU+bYWqBRoeT//iKsKtb
Malware Config
Extracted
nanocore
1.2.2.0
omaprilcode.duckdns.org:8090
f8dffc54-5ec5-4013-9de8-d8d853682f44

activate_away_mode: true
backup_connection_host: omaprilcode.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-01-26T15:04:24.913843336Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8090
default_group: CODEDBASE
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: f8dffc54-5ec5-4013-9de8-d8d853682f44
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: omaprilcode.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | 840ef8d2d1936ebf66e63f85c7dece42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" | 840ef8d2d1936ebf66e63f85c7dece42.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 840ef8d2d1936ebf66e63f85c7dece42.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | 840ef8d2d1936ebf66e63f85c7dece42.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | 840ef8d2d1936ebf66e63f85c7dece42.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe = "0" | 840ef8d2d1936ebf66e63f85c7dece42.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2108 | 3624 | WerFault.exe | 15

Delays execution with timeout.exe (1 IoCs)
pid | Process
2460 | timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"
    PID: 3624
    - Windows security bypass
    - Checks computer location settings
    - Windows security modification

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force
        PID: 1712

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\IfB44785yo4aR44dco3pdD14W\svchost.exe" -Force
        PID: 4500

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe" -Force
        PID: 2336

    C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
        PID: 1580

        C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 1
            PID: 2460
            - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\840ef8d2d1936ebf66e63f85c7dece42.exe"
        PID: 1372

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1608
        PID: 2108
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3624 -ip 3624
    PID: 4932
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 968cb9309758126772781b83adb8a28f
SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Filesize: 18KB
MD5: 83e783907e18e90f5e5e6aebc34f2ac5
SHA1: 038aeadb925b5c455993ec1a6f5765099ba7b5c7
SHA256: 315ae4165153e728b2e8aae5d68b310cf4d9f4f9dc181856b68f5bfeba67c5cd
SHA512: e4352c19f29fec832b1403e35a280dd788734b16863fed363c18aafb5e3cdc36e9525a7d38727fc000dfa317f9b180983fce82a443e544aeba89c4e0c740fb72

Filesize: 18KB
MD5: 7f373306d581126483e9abb53e2c6d9c
SHA1: a4224e6c111a120684726d13b66185b03929b438
SHA256: 3d779c72a91d1c808d48468a72d7ce6bfb310f0797d1145ff86e8ae7e4e1c74d
SHA512: 6f4db363a8ad5975dfbe83109024f8a0a43996527a9d6ac3cf4e82eff573038dded42996736f0b71f35fdc8188e218f82e2aa72b6f1e20597d9e4833ea04e815