Analysis

- max time kernel: 156s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/01/2024, 14:46
Static task: static1

Behavioral task: behavioral1
- Sample: 4bb71eeb1ef688efb7807a1c182691cb.exe
- Resource: win7-20231129-en
General

- Target: 4bb71eeb1ef688efb7807a1c182691cb.exe
- Size: 863KB
- MD5: 4bb71eeb1ef688efb7807a1c182691cb
- SHA1: 34329d26f0c014ca876906e268975778664db10c
- SHA256: 8a0b3ba6dec891704a1ed2e31cae766491fa7e1acb5007a7acfcad32f9834a96
- SHA512: beb9afece303805a852656aab89b5e054c9a2c3a2848c7662a57d37da3f4c6d6d44a8aea89a8f70abfe600abc441b8effb7e10321c6c37e4b46fa5095c8a26de
- SSDEEP: 24576:9omEXz/VmHV+Wha4xqbtbciqTyoHB17mo5oFCEkv:SmqU1doyqbtbUysHosv
Malware Config

Extracted: nanocore
- Version: 1.2.2.0
- C2 (primary): 185.244.30.238:1985
- C2 (backup): 127.0.0.1:1985
- Mutex: cd36de34-478d-427e-a222-53f75c55abae

Full configuration:
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-05-08T22:16:27.321077136Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (no value extracted)
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1985
- default_group: Kdott
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
- mutex: cd36de34-478d-427e-a222-53f75c55abae
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: 185.244.30.238
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
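As an added example that is not part of the tria.ge report, the following Python turns the extracted NanoCore config above into artifacts an analyst would actually act on: it keeps only reachable C2 endpoints (the 127.0.0.1 backup host is a placeholder, not a fallback server, and a block rule on it would be noise), parses the build timestamp, which carries nine fractional digits while Python datetimes only hold six, reports the float-rendered size fields as exact byte counts, and emits a Suricata alert per endpoint. All values are copied from the report; the function names, the event layout and the SID range are this example's own assumptions.

```python
"""Turn the extracted NanoCore config into hunting/blocking artifacts.

Added example, not tria.ge output. Values are copied from the report's
Malware Config section; the function names are this example's own.
"""
import ipaddress
from datetime import datetime, timezone

# Subset of the extracted config (constructed here from the report's values).
NANOCORE_CONFIG = {
    "version": "1.2.2.0",
    "primary_connection_host": "185.244.30.238",
    "backup_connection_host": "127.0.0.1",
    "connection_port": 1985,
    "mutex": "cd36de34-478d-427e-a222-53f75c55abae",
    "default_group": "Kdott",
    "build_time": "2021-05-08T22:16:27.321077136Z",
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
    "prevent_system_sleep": True,
    "run_on_startup": False,
    "keyboard_logging": False,
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "buffer_size": 65535,
    "max_packet_size": 1.048576e+07,
    "gc_threshold": 1.048576e+07,
}


def c2_endpoints(cfg):
    """(host, port) pairs worth blocking.

    A loopback or unspecified address in a host slot is a placeholder, not a
    reachable C2, so it is dropped. Hostnames that are not IP literals are
    kept as-is for DNS hunting.
    """
    port = int(cfg["connection_port"])
    endpoints = []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = cfg.get(key, "")
        if not host:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            endpoints.append((host, port))  # hostname, not an IP literal
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        endpoints.append((host, port))
    return endpoints


def build_timestamp(cfg):
    """Parse build_time, which carries nanoseconds (9 fractional digits).

    datetime stores microseconds only, so the fraction is truncated to 6 digits
    before parsing instead of relying on version-specific fromisoformat leniency.
    """
    raw = cfg["build_time"].rstrip("Z")
    base, _, frac = raw.partition(".")
    micro = (frac + "000000")[:6]
    parsed = datetime.strptime(f"{base}.{micro}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def byte_fields(cfg):
    """Size fields are extracted as floats (1.048576e+07); return exact byte counts."""
    out = {}
    for key in ("buffer_size", "max_packet_size", "gc_threshold"):
        value = cfg[key]
        as_int = int(value)
        if as_int != value:
            raise ValueError(f"{key}={value!r} is not a whole number of bytes")
        out[key] = as_int
    return out


def privilege_flags(cfg):
    """Switches that change how the implant behaves on the host (True = enabled)."""
    keys = ("bypass_user_account_control", "request_elevation",
            "set_critical_process", "run_on_startup", "keyboard_logging")
    return {k: bool(cfg[k]) for k in keys}


def suricata_rules(cfg, sid_base=9000000):
    """One IP/port alert per non-placeholder endpoint (sid_base is an assumed local SID range)."""
    rules = []
    for i, (host, port) in enumerate(c2_endpoints(cfg)):
        rules.append(
            f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"NanoCore {cfg["version"]} C2 {host}:{port} group {cfg["default_group"]}"; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    print(c2_endpoints(NANOCORE_CONFIG))
    print(build_timestamp(NANOCORE_CONFIG).isoformat())
    print(byte_fields(NANOCORE_CONFIG))
    print(privilege_flags(NANOCORE_CONFIG))
    print("\n".join(suricata_rules(NANOCORE_CONFIG)))
```

The mutex GUID and default_group are host-side indicators (the mutex is what a second instance checks for), so they belong in an endpoint or memory hunt rather than a network rule; the script leaves them in the config dict for that purpose.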
Signatures

- CustAttr .NET packer (1 IoC)
  Detects CustAttr .NET packer in memory.
  resource: behavioral2/memory/1776-10-0x0000000005090000-0x00000000050A2000-memory.dmp
  yara_rule: CustAttr
- Suspicious use of SetThreadContext (1 IoC)
  PID 1776 (4bb71eeb1ef688efb7807a1c182691cb.exe) set thread context of PID 4980 (procid_target 106)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1776 (4bb71eeb1ef688efb7807a1c182691cb.exe) wrote to memory of PID 4980 (procid_target 106); all eight events are the same parent/child pair
Processes

1. C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe"
   PID: 1776
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe (child of PID 1776)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe"
      PID: 4980
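The Signatures and Processes sections record a parent (PID 1776) starting a second instance of its own image (PID 4980), writing into it eight times and then calling SetThreadContext on it. That sequence is the one commonly read as process hollowing (RunPE): a .NET loader runs its unpacked payload inside a fresh copy of itself. The following Python, added here and not part of tria.ge, reduces behavioural rows of that kind to a finding and distinguishes the self-image case from injection into an unrelated, pre-existing process. The event records are constructed from the report's PIDs and image path; the field names and the explorer/notepad control events are this example's assumptions.

```python
"""Reduce sandbox behaviour rows to a process-injection finding.

Added example, not tria.ge code. Events are constructed from the report's
PIDs and image path; the field names are this example's own simplification
of the "pid / Process / procid_target" rows.
"""
from collections import defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\4bb71eeb1ef688efb7807a1c182691cb.exe"


def _ev(api, pid, image, target, target_image):
    return {"api": api, "pid": pid, "image": image,
            "target": target, "target_image": target_image}


# Constructed from the report: 1776 spawns a copy of itself as 4980, writes to
# it eight times, then sets its thread context. The explorer/notepad rows are a
# constructed control that must not be flagged (no thread-context change).
EVENTS = (
    [_ev("CreateProcess", 1776, SAMPLE_EXE, 4980, SAMPLE_EXE)]
    + [_ev("WriteProcessMemory", 1776, SAMPLE_EXE, 4980, SAMPLE_EXE)] * 8
    + [_ev("SetThreadContext", 1776, SAMPLE_EXE, 4980, SAMPLE_EXE)]
    + [_ev("CreateProcess", 900, r"C:\Windows\explorer.exe", 950, r"C:\Windows\System32\notepad.exe"),
       _ev("WriteProcessMemory", 900, r"C:\Windows\explorer.exe", 950, r"C:\Windows\System32\notepad.exe")]
)


def find_injection(events, min_writes=1):
    """Group cross-process events by (writer, target) and flag pairs that both
    write the target's memory and redirect one of its threads.

    One finding per flagged pair. same_image=True means the target runs the
    writer's own executable; together with spawned_by_writer that is the
    process-hollowing shape, as opposed to injection into an existing process.
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "spawned": False,
                                 "src": None, "dst": None})
    for e in events:
        if e["pid"] == e["target"]:
            continue  # writes to the process's own address space are not injection
        rec = pairs[(e["pid"], e["target"])]
        rec["src"], rec["dst"] = e["image"], e["target_image"]
        if e["api"] == "CreateProcess":
            rec["spawned"] = True
        elif e["api"] == "WriteProcessMemory":
            rec["writes"] += 1
        elif e["api"] == "SetThreadContext":
            rec["ctx"] += 1

    findings = []
    for (src_pid, dst_pid), rec in pairs.items():
        if rec["writes"] < min_writes or rec["ctx"] == 0:
            continue
        same_image = rec["src"].lower() == rec["dst"].lower()
        findings.append({
            "writer_pid": src_pid,
            "target_pid": dst_pid,
            "writes": rec["writes"],
            "spawned_by_writer": rec["spawned"],
            "same_image": same_image,
            "label": ("process hollowing of own image"
                      if same_image and rec["spawned"]
                      else "remote write + thread hijack"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_injection(EVENTS):
        print(finding)
```

The control pair (explorer writing once into notepad) is dropped because no thread context was changed; a write-only pair is common for legitimate tooling, and it is the write-then-SetThreadContext combination on the same target that makes this row set worth a verdict.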