Analysis

max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 13:47
Static task: static1
Behavioral task: behavioral1
Sample: 4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe
Resource: win7-20231215-en

General

Target: 4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe
Size: 1.3MB
MD5: 4662bc8b2cd5a9b9bfd3ebb0e2d45684
SHA1: c915483639d5f13f908b6af3c0dab99acb804a14
SHA256: 3f283257101f1d8df573c4afce1addb1c48891a0ab6d278e64e84dabfad766d4
SHA512: 1dfeb049d9cdc627bc8410c0e63ab1651ff299e0838c88fbdac52d610cafaa29607744c4ad6a902608bb21f09fa4761b90ba7052e99698b0b31ea12cb99856f7
SSDEEP: 24576:yNA3R5drXimYV3/VLS48jIkUV+v+u1h6LId7nT1RMwaMm3CfBom+:L5i7VvV86+B1h6LIdzTXM76fBoz
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: stanpooker.hopto.org:5050, 127.0.0.1:5050
Mutex: ad2f73fd-cc4c-4c14-95a5-6e61a8c57a7d

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2019-12-02T13:42:04.688649336Z
bypass_user_account_control: false
bypass_user_account_control_data: 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
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5050
default_group: Qanon
enable_debug_mode: true
gc_threshold: 10485760 (10 MiB; printed by the extractor as 1.048576e+07)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (10 MiB; printed as 1.048576e+07)
mutex: ad2f73fd-cc4c-4c14-95a5-6e61a8c57a7d
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: stanpooker.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

What matters in this config: the client beacons to stanpooker.hopto.org (a No-IP dynamic-DNS name) on TCP 5050, and the backup host is the loopback address, an unused slot, so that one hostname is the whole C2 dependency. Timer values are milliseconds (connect_delay 4000, keep_alive_timeout 30000, wan_timeout 8000). The Google resolvers are configured but use_custom_dns_server is false, so the host's normal resolver is used, which means the lookup is visible in ordinary DNS logs. run_on_startup, request_elevation and set_critical_process are all on: the client persists, asks for elevation, and marks its own process critical, so terminating it crashes the system. The UAC-bypass and keystroke-logging options are off. The build timestamp (2019-12-02) is more than four years before the submission date.
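The configuration above is printed as a flat key / value / "-" listing. The Python below, added here as an illustration and not code from the sandbox or from the NanoCore family, parses that layout into typed values (the extractor prints large integers as floats, booleans as lowercase strings and build_time with nanosecond precision) and derives the two things a responder acts on first: the C2 endpoints in the order the client will try them, with the loopback placeholder dropped, and the persistence-related switches. REPORT_CONFIG_TEXT is a verbatim subset of the fields shown above; the function names are this example's own.

```python
"""
Parser for the flat key / value / '-' layout in which this report prints the
extracted NanoCore configuration, plus two derived views: the C2 endpoints in
the order the client tries them, and the persistence-related switches.

Added example; not code from the sandbox or from the malware family.
REPORT_CONFIG_TEXT is a verbatim subset of the report's Malware Config section.
"""
from __future__ import annotations

import datetime as dt
import ipaddress
from typing import Any

# Subset of the Malware Config section, copied in the report's own layout.
REPORT_CONFIG_TEXT = """\
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
build_time
2019-12-02T13:42:04.688649336Z
-
connection_port
5050
-
gc_threshold
1.048576e+07
-
keyboard_logging
false
-
mutex
ad2f73fd-cc4c-4c14-95a5-6e61a8c57a7d
-
primary_connection_host
stanpooker.hopto.org
-
request_elevation
true
-
run_on_startup
true
-
set_critical_process
true
"""


def _coerce(raw: str) -> Any:
    """Turn the report's string rendering of a value back into a typed value."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    try:
        return int(raw)
    except ValueError:
        pass
    try:
        # The extractor prints large integers as floats: "1.048576e+07" is 10485760.
        num = float(raw)
        return int(num) if num.is_integer() else num
    except ValueError:
        pass
    if raw.endswith("Z") and "T" in raw:
        # build_time carries nanoseconds; datetime.fromisoformat takes at most
        # microseconds, so the fractional part is truncated to six digits.
        head, _, frac = raw[:-1].partition(".")
        try:
            return dt.datetime.fromisoformat(
                f"{head}.{frac[:6].ljust(6, '0')}"
            ).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            pass
    return raw


def parse_report_config(text: str) -> dict[str, Any]:
    """Pair each key line with the value line after it; '-' lines separate entries."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) % 2:
        raise ValueError("config text has a key without a value")
    return {key: _coerce(value) for key, value in zip(lines[0::2], lines[1::2])}


def c2_endpoints(cfg: dict[str, Any]) -> list[tuple[str, int]]:
    """Hosts the client will contact, primary first, with loopback placeholders dropped."""
    port = int(cfg["connection_port"])
    endpoints: list[tuple[str, int]] = []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if not host:
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue  # 127.0.0.1 in the backup slot means "no backup configured"
        except ValueError:
            pass  # a hostname rather than an IP literal
        endpoints.append((str(host), port))
    return endpoints


def persistence_flags(cfg: dict[str, Any]) -> dict[str, bool]:
    """The switches that decide how hard the client entrenches itself on the host."""
    keys = ("run_on_startup", "request_elevation", "set_critical_process",
            "bypass_user_account_control", "keyboard_logging")
    return {k: bool(cfg[k]) for k in keys if k in cfg}


if __name__ == "__main__":
    config = parse_report_config(REPORT_CONFIG_TEXT)
    print(c2_endpoints(config))
    print(persistence_flags(config))
```

The loopback check is the detail worth keeping: NanoCore builders leave 127.0.0.1 in the backup slot when no second host is set, and a blocklist generated naively from both fields would carry a useless (and noisy) loopback entry.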
Signatures

Executes dropped EXE (1 IoC)
    PID 2624  bffmore.exe

Loads dropped DLL (4 IoCs)
    PID 2220  4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe  (4 load events)

Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str) by bffmore.exe:
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe C:\Users\Admin\AppData\Roaming\81252489\urlm.avg"
    This is the machine-wide HKLM Run key as a 32-bit process sees it through WOW64 registry redirection, so the second stage starts for every user who logs on. Writing under HKLM\SOFTWARE requires administrative rights, and the write succeeded, so the sample ran elevated in the sandbox (consistent with request_elevation=true in the config). The value name "WindowsUpdate" is a masquerade; the data is the dropped executable plus the urlm.avg companion file it was launched with.

Suspicious use of SetThreadContext (1 IoC)
    PID 2624 (bffmore.exe) set the thread context of PID 1164 (RegSvcs.exe)
    Taken together with the nine WriteProcessMemory calls from 2624 into 1164 below, and with RegSvcs.exe having been started by bffmore.exe with no arguments (see the process tree), this is the shape of process hollowing: a signed .NET utility started as a host, its memory overwritten with the payload, and its thread context redirected before the original code runs. The report does not record the suspended create itself, so that last step is inference from the call pattern.

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    PID 2044  schtasks.exe
    The task is created from an XML definition in %TEMP% with /f (overwrite), is named "LAN Monitor", and is created by the injected RegSvcs.exe rather than by the dropper; the task definition itself is not reproduced in this report.

Suspicious behavior: EnumeratesProcesses (13 IoCs)
    PID 2624  bffmore.exe  (6 events)
    PID 1164  RegSvcs.exe  (7 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID 1164  RegSvcs.exe
    Repeated polling of the foreground window is how active-window and keystroke loggers track which application has focus; here it is the injected payload, not the .NET utility, doing the polling.

Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege  PID 1164  RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
    PID 2220 (4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe) wrote to PID 2624 (bffmore.exe)  x4
    PID 2624 (bffmore.exe) wrote to PID 1164 (RegSvcs.exe)  x9
    PID 1164 (RegSvcs.exe) wrote to PID 2044 (schtasks.exe)  x4
    The four writes from each parent into its child accompany ordinary process creation in this tree; the nine writes from bffmore.exe into RegSvcs.exe are the outlier and are the payload being placed into the hollowed host.
Processes

C:\Users\Admin\AppData\Local\Temp\4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe  (PID 2220)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe  (PID 2624, child of 2220)
        Command line: "C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe" urlm.avg
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 1164, child of 2624)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\schtasks.exe  (PID 2044, child of 1164)
                Command line: "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEB58.tmp"
                - Creates scheduled task(s)
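The Signatures and the process tree describe one chain: a dropper in %TEMP% launches a second stage from a numeric directory under %APPDATA%\Roaming, that stage starts RegSvcs.exe with no arguments and writes into it, the hollowed RegSvcs.exe sets an HKLM Run value pointing back into %APPDATA% and spawns schtasks.exe with an XML task definition. The Python below, an added example and not anything produced by the sandbox, expresses that chain as four detection rules and runs them over constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set) whose PIDs, paths and command lines are taken from this report, plus one constructed benign RegSvcs.exe invocation as a control. Field names follow Sysmon; the rule names and helper functions are this example's own.

```python
"""
Detection rules for the execution chain in this report, evaluated over
constructed Sysmon-style events (EID 1 = process creation, EID 13 = registry
value set). Added example, not sandbox output; the records mirror the PIDs,
paths and command lines in the report, plus one constructed benign control.
"""
from __future__ import annotations

import re
import shlex

EVENTS = [
    {"eid": 1, "pid": 2624, "ppid": 2220,
     "Image": r"C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe" urlm.avg'},
    {"eid": 1, "pid": 1164, "ppid": 2624,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"eid": 13, "pid": 2624,
     "Image": r"C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe C:\Users\Admin\AppData\Roaming\81252489\urlm.avg"},
    {"eid": 1, "pid": 2044, "ppid": 1164,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEB58.tmp"'},
    # Constructed benign control: an installer registering a service assembly.
    {"eid": 1, "pid": 3000, "ppid": 2900,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\svc.dll"'},
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
NUMERIC_APPDATA_RE = re.compile(r"\\AppData\\Roaming\\\d+\\", re.IGNORECASE)
DOTNET_UTIL_RE = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(RegSvcs|RegAsm|InstallUtil)\.exe$",
    re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def _arguments(command_line: str) -> list[str]:
    """Tokens after the image; posix=False keeps quoted paths whole and backslashes literal."""
    return shlex.split(command_line, posix=False)[1:]


def rules(event: dict) -> tuple[str, ...]:
    """Names of the detections one event trips; empty when it trips none."""
    hits: list[str] = []
    if event["eid"] == 1:
        image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]
        # Legitimate RegSvcs/RegAsm/InstallUtil use always names an assembly; an
        # empty command line from an %APPDATA% parent is the hollowing-host shape
        # in this report (bffmore.exe -> RegSvcs.exe).
        if DOTNET_UTIL_RE.search(image) and APPDATA_RE.search(parent) and not _arguments(cmd):
            hits.append("dotnet_util_without_assembly")
        # schtasks /create ... /xml <file> spawned from one of those utilities.
        lowered = cmd.lower()
        if (image.lower().endswith("\\schtasks.exe") and "/create" in lowered
                and "/xml" in lowered and DOTNET_UTIL_RE.search(parent)):
            hits.append("schtasks_xml_from_dotnet_util")
        # Executable living in %APPDATA%\Roaming\<digits>\ (the 81252489 directory here).
        if NUMERIC_APPDATA_RE.search(image):
            hits.append("exec_from_numeric_appdata_dir")
    elif event["eid"] == 13:
        # Run value whose data points back into %APPDATA%.
        if RUN_KEY_RE.search(event["TargetObject"]) and APPDATA_RE.search(event["Details"]):
            hits.append("run_key_to_appdata")
    return tuple(hits)


def scan(events: list[dict]) -> dict[int, set[str]]:
    """pid -> set of detections, for every process that tripped at least one rule."""
    findings: dict[int, set[str]] = {}
    for ev in events:
        hit = rules(ev)
        if hit:
            findings.setdefault(ev["pid"], set()).update(hit)
    return findings


if __name__ == "__main__":
    for pid, names in sorted(scan(EVENTS).items()):
        print(pid, sorted(names))
```

These rules key on paths and command lines only, which is what most telemetry pipelines have at hand; the SetThreadContext and WriteProcessMemory evidence in the Signatures section is stronger but needs Sysmon Event ID 8/10 or EDR call tracing and is not modelled here. The benign control shows why the zero-argument condition matters: RegSvcs.exe run by an installer with an assembly path must not fire.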
MITRE ATT&CK Enterprise v15

The techniques behind the TTP counts in the Signatures section: "Adds Run key to start application" corresponds to Persistence, Boot or Logon Autostart Execution (T1547) and its sub-technique Registry Run Keys / Startup Folder (T1547.001); "Creates scheduled task(s)" corresponds to Scheduled Task/Job (T1053); "Enumerates physical storage devices" corresponds to Discovery, System Information Discovery (T1082).
Downloads

File 1
    Filesize: 1KB
    MD5: 8cad1b41587ced0f1e74396794f31d58
    SHA1: 11054bf74fcf5e8e412768035e4dae43aa7b710f
    SHA256: 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
    SHA512: 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

File 2
    Filesize: 163.6MB
    MD5: f29fa59fb7608f7d2d89711399e07c5f
    SHA1: 9c2a1ef1b6ed7e77b80489d55bfd66e1f2bdedff
    SHA256: bf76bcdd34083dcb0daf72ce02d74f088f508810c5d927bbe0b35cb5f6f79aac
    SHA512: 343f9c3e2e989e1d80a4d45d650413b6b8b4f8b6afdac70b973ca3950add56015a76eae4a314c7d28c6e93929fd4e4e3fb1ccbadaafc151ca8d624cb7f693992

File 3
    Filesize: 461KB
    MD5: 61085555250f8b31da9c9ac34227aba5
    SHA1: 19287b6d6ac2efd33ed5c480c04ce46b9ff27f02
    SHA256: af708eee368e82354127ff068bfb6b09bd005845fcbe951c4a27cf4a84a45b2d
    SHA512: 30bdc7367d271b330f36b1f8885e27d0ca9d121977a70e70dd23c6c697b2bc495fb538d99a18fb6898087f4a60487df4eb5289469612074f95ca66823347c6a7

File 4
    Filesize: 732KB
    MD5: 71d8f6d5dc35517275bc38ebcc815f9f
    SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
    SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
    SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59