Analysis
max time kernel: 151s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 13:47
Static task: static1
Behavioral task: behavioral1
Sample: 4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe
Resource: win7-20231215-en
General
Target: 4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe
Size: 1.3MB
MD5: 4662bc8b2cd5a9b9bfd3ebb0e2d45684
SHA1: c915483639d5f13f908b6af3c0dab99acb804a14
SHA256: 3f283257101f1d8df573c4afce1addb1c48891a0ab6d278e64e84dabfad766d4
SHA512: 1dfeb049d9cdc627bc8410c0e63ab1651ff299e0838c88fbdac52d610cafaa29607744c4ad6a902608bb21f09fa4761b90ba7052e99698b0b31ea12cb99856f7
SSDEEP: 24576:yNA3R5drXimYV3/VLS48jIkUV+v+u1h6LId7nT1RMwaMm3CfBom+:L5i7VvV86+B1h6LIdzTXM76fBoz
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: stanpooker.hopto.org:5050, 127.0.0.1:5050
Mutex: ad2f73fd-cc4c-4c14-95a5-6e61a8c57a7d
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2019-12-02T13:42:04.688649336Z
bypass_user_account_control: false
bypass_user_account_control_data: (value not reproduced on this page)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5050
default_group: Qanon
enable_debug_mode: true
gc_threshold: 10485760 (10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (10 MiB)
mutex: ad2f73fd-cc4c-4c14-95a5-6e61a8c57a7d
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: stanpooker.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
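The config dump above is laid out as alternating key and value lines, with sizes printed in float notation (1.048576e+07 is 10485760, i.e. 10 MiB) and a loopback placeholder as the backup host. The following is an added example, not part of the sandbox report or of NanoCore itself: it parses an excerpt of the dump in that layout into typed fields and derives the indicators an analyst would act on. The type coercion rules, the set of flags treated as risky, and the decision to drop loopback hosts from the network indicator list are the author's assumptions.

```python
"""Parse a flat key/value config dump (one key line, then one value line)
into typed fields and derive hunting indicators. Added example; the
excerpt below is copied from the report on this page, the coercion and
'risky flag' choices are the author's, not the sandbox's."""
import ipaddress

# Constructed input: an excerpt of the config above in the page's own layout.
CONFIG_DUMP = """\
backup_connection_host
127.0.0.1
connection_port
5050
gc_threshold
1.048576e+07
max_packet_size
1.048576e+07
mutex
ad2f73fd-cc4c-4c14-95a5-6e61a8c57a7d
primary_connection_host
stanpooker.hopto.org
request_elevation
true
run_on_startup
true
set_critical_process
true
clear_access_control
true
keyboard_logging
false
version
1.2.2.0
"""

# Flags whose 'true' value changes how the implant should be handled on a host
# (assumed list, chosen by the author).
RISKY_FLAGS = ("request_elevation", "set_critical_process", "run_on_startup",
               "clear_access_control", "bypass_user_account_control")


def coerce(raw):
    """Turn a dump value into bool, int or str. Floats with an integral value
    (the report prints 10 MiB as 1.048576e+07) come back as int; dotted
    strings such as '1.2.2.0', IPs and hostnames fail float() and stay str."""
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(raw)
    except ValueError:
        pass
    try:
        f = float(raw)
    except ValueError:
        return raw
    return int(f) if f.is_integer() else f


def parse_config(dump):
    """Pair up key and value lines, skipping blank lines and '-' separators."""
    lines = [l.strip() for l in dump.splitlines() if l.strip() and l.strip() != "-"]
    if len(lines) % 2:
        raise ValueError("dangling key without a value")
    return {lines[i]: coerce(lines[i + 1]) for i in range(0, len(lines), 2)}


def network_iocs(cfg):
    """(host, port) pairs worth blocking. Loopback placeholders are dropped so
    the backup host 127.0.0.1 does not end up on a blocklist."""
    port = cfg["connection_port"]
    out = []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key)
        if not host:
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # hostname, not an IP literal
        out.append((host, port))
    return out


def risky_flags(cfg):
    """Names of the risky flags that are enabled in this build."""
    return sorted(k for k in RISKY_FLAGS if cfg.get(k) is True)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_DUMP)
    print("mutex:", cfg["mutex"])
    print("network:", network_iocs(cfg))
    print("risky flags:", risky_flags(cfg))
```

The mutex name and the Run key value from the Signatures section are the host-side artifacts to pair with the network list; `set_critical_process: true` means the RegSvcs.exe host may have been marked critical, so killing it without first clearing that flag can bugcheck the machine.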
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (process: 4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe)

Executes dropped EXE (1 IoC)
- PID 1964: bffmore.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\81252489\\bffmore.exe C:\\Users\\Admin\\AppData\\Roaming\\81252489\\urlm.avg" (process: bffmore.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 1964 (bffmore.exe) set thread context of PID 696 (procid_target 93)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 1120: schtasks.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
- PID 1964 bffmore.exe (12 events)
- PID 696 RegSvcs.exe (8 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 696: RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 696 RegSvcs.exe

Suspicious use of WriteProcessMemory (11 IoCs)
- PID 1752 (4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe) wrote to memory of PID 1964 (procid_target 91): 3 events
- PID 1964 (bffmore.exe) wrote to memory of PID 696 (procid_target 93): 5 events
- PID 696 (RegSvcs.exe) wrote to memory of PID 1120 (procid_target 100): 3 events
Processes
C:\Users\Admin\AppData\Local\Temp\4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe (PID 1752, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe (PID 1964, depth 2, child of 1752)
    Command line: "C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe" urlm.avg
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 696, depth 3, child of 1964)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\schtasks.exe (PID 1120, depth 4, child of 696)
        Command line: "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4AFE.tmp"
        - Creates scheduled task(s)
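The signatures and process tree above describe one chain: the sample in Temp starts a dropped bffmore.exe from Roaming, which writes a Run key pointing back into Roaming, then sets the thread context of and writes into a RegSvcs.exe it spawned with no arguments, and that RegSvcs.exe registers a scheduled task from an XML file in Temp. Reading the SetThreadContext plus WriteProcessMemory pair as injection into the signed .NET host is an interpretation, not a sandbox verdict. The following added example, not part of the report, encodes that chain as four detection rules and runs them over constructed Sysmon-style events that reproduce the tree; the event field names, the explorer.exe root parent (PID 600) and the HKLM spelling of the Run key are assumptions.

```python
"""Detection rules for the chain shown in this report, run over constructed
Sysmon-style process and registry events. Added example, not sandbox output."""
import re

# Image paths copied from the process tree above.
S = r"C:\Users\Admin\AppData\Local\Temp\4662bc8b2cd5a9b9bfd3ebb0e2d45684.exe"
B = r"C:\Users\Admin\AppData\Roaming\81252489\bffmore.exe"
R = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
T = r"C:\Windows\SysWOW64\schtasks.exe"
CFG = r"C:\Users\Admin\AppData\Roaming\81252489\urlm.avg"
TMP = r"C:\Users\Admin\AppData\Local\Temp\tmp4AFE.tmp"

# Constructed events. explorer.exe as root parent (ppid 600) is assumed; the
# Run key uses Sysmon's HKLM spelling (the report shows \REGISTRY\MACHINE).
EVENTS = [
    {"type": "ProcessCreate", "pid": 1752, "ppid": 600, "image": S,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{S}"'},
    {"type": "ProcessCreate", "pid": 1964, "ppid": 1752, "image": B,
     "parent_image": S, "cmdline": f'"{B}" urlm.avg'},
    {"type": "RegistryValueSet", "pid": 1964, "image": B,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": f"{B} {CFG}"},
    {"type": "ProcessCreate", "pid": 696, "ppid": 1964, "image": R,
     "parent_image": B, "cmdline": f'"{R}"'},
    {"type": "ProcessCreate", "pid": 1120, "ppid": 696, "image": T,
     "parent_image": R,
     "cmdline": f'"schtasks.exe" /create /f /tn "UDP Subsystem" /xml "{TMP}"'},
]


def _under(path, fragment):
    return fragment.lower() in path.lower()


def rule_dropped_exe(ev):
    """Executable under the Roaming profile started by something in Temp."""
    return (ev["type"] == "ProcessCreate"
            and _under(ev["image"], "\\AppData\\Roaming\\")
            and _under(ev["parent_image"], "\\AppData\\Local\\Temp\\"))


def rule_run_key(ev):
    """Run-key value whose data points into a user profile directory."""
    return (ev["type"] == "RegistryValueSet"
            and _under(ev["target"], "\\CurrentVersion\\Run\\")
            and _under(ev["details"], "\\AppData\\"))


def rule_regsvcs_hollow(ev):
    """RegSvcs.exe launched with no arguments by a parent outside Windows or
    Program Files. Heuristic for the SetThreadContext + WriteProcessMemory
    pattern above, where a signed .NET utility is the injection host."""
    if ev["type"] != "ProcessCreate" or not ev["image"].lower().endswith("\\regsvcs.exe"):
        return False
    no_args = ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()
    trusted = (_under(ev["parent_image"], "\\Windows\\")
               or _under(ev["parent_image"], "\\Program Files"))
    return no_args and not trusted


SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"\s]+)', re.IGNORECASE)


def rule_schtasks_xml_temp(ev):
    """schtasks /create whose task definition is an XML file in a Temp dir."""
    if ev["type"] != "ProcessCreate" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    m = SCHTASKS_XML.search(ev["cmdline"])
    return bool(m) and _under(m.group(1), "\\Temp\\")


RULES = [rule_dropped_exe, rule_run_key, rule_regsvcs_hollow, rule_schtasks_xml_temp]


def run_rules(events):
    """Return (rule name, pid) for every event a rule fires on."""
    return [(r.__name__, ev["pid"]) for ev in events for r in RULES if r(ev)]


def ancestry(events, pid):
    """Follow ppid links to the root and return image names root-first."""
    procs = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1])
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:<24} pid={pid} chain={' > '.join(ancestry(EVENTS, pid))}")
```

Each rule on its own is noisy in a developer-heavy estate (RegSvcs.exe does get run by build tooling); the value is in `ancestry` tying the four hits to one lineage, which is what the WriteProcessMemory entries above already spell out for this run.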
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 8cad1b41587ced0f1e74396794f31d58
  SHA1: 11054bf74fcf5e8e412768035e4dae43aa7b710f
  SHA256: 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
  SHA512: 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef
- Filesize: 732KB
  MD5: 71d8f6d5dc35517275bc38ebcc815f9f
  SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
  SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
  SHA512: 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59
- Filesize: 163.6MB
  MD5: f29fa59fb7608f7d2d89711399e07c5f
  SHA1: 9c2a1ef1b6ed7e77b80489d55bfd66e1f2bdedff
  SHA256: bf76bcdd34083dcb0daf72ce02d74f088f508810c5d927bbe0b35cb5f6f79aac
  SHA512: 343f9c3e2e989e1d80a4d45d650413b6b8b4f8b6afdac70b973ca3950add56015a76eae4a314c7d28c6e93929fd4e4e3fb1ccbadaafc151ca8d624cb7f693992
- Filesize: 461KB
  MD5: 61085555250f8b31da9c9ac34227aba5
  SHA1: 19287b6d6ac2efd33ed5c480c04ce46b9ff27f02
  SHA256: af708eee368e82354127ff068bfb6b09bd005845fcbe951c4a27cf4a84a45b2d
  SHA512: 30bdc7367d271b330f36b1f8885e27d0ca9d121977a70e70dd23c6c697b2bc495fb538d99a18fb6898087f4a60487df4eb5289469612074f95ca66823347c6a7