Analysis
max time kernel: 144s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: 605c35366b7c51d33746d7173b9a5169.exe
  Resource: win7-20231215-en
General
Target: 605c35366b7c51d33746d7173b9a5169.exe
Size: 1.1MB
MD5: 605c35366b7c51d33746d7173b9a5169
SHA1: f75fb8bb1b086ad55461ab18227d35811b4cc5d6
SHA256: 4a67899d740ecd593679a000e4fd663474307306640d8862a2d986ba4ce3b189
SHA512: 1459976dbc4fc81ace18c90e87cf39149971ed1e796c4e2997e1cb760d7dd299bad8bbef53c6ae7e6ee67e38dcb94c6768e1f7469b0890c28e48f4450c50f5f6
SSDEEP: 24576:IxVxBeKif9i/ylluneUyxcaMep/ahpka:I/xBfyPfuneP1Mepy
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 1116.hopto.org:1116
C2: 185.140.53.9:1116
Mutex: 909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9
Attributes:
activate_away_mode: true
backup_connection_host: 185.140.53.9
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-02-16T08:43:19.524585136Z
bypass_user_account_control: false
bypass_user_account_control_data: [value omitted]
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1116
default_group: 1116
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 1116.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe" (process: RegSvcs.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 2780 set thread context of 440 (process: 605c35366b7c51d33746d7173b9a5169.exe, target procid: 32)
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\LAN Monitor\lanmon.exe (process: RegSvcs.exe)
  File opened for modification: C:\Program Files (x86)\LAN Monitor\lanmon.exe (process: RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 560 schtasks.exe
  PID 2440 schtasks.exe
  PID 952 schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 440 RegSvcs.exe (2 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 440 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 440 RegSvcs.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2780 wrote to memory of 560 (process: 605c35366b7c51d33746d7173b9a5169.exe, target procid: 30), 4 identical entries
  PID 2780 wrote to memory of 440 (process: 605c35366b7c51d33746d7173b9a5169.exe, target procid: 32), 12 identical entries
  PID 440 wrote to memory of 2440 (process: RegSvcs.exe, target procid: 33), 4 identical entries
  PID 440 wrote to memory of 952 (process: RegSvcs.exe, target procid: 35), 4 identical entries
Processes
C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe (PID 2780)
  Command line: "C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 560)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sjxNYmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 440)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2440)
      Command line: "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp"
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\schtasks.exe (PID 952)
      Command line: "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6EEA.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads