Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2024, 05:25
Static task: static1
Behavioral task: behavioral1
Sample: 767ff65d4ac23c72ff613718bad1c65f.exe
Resource: win7-20231215-en
General
Target: 767ff65d4ac23c72ff613718bad1c65f.exe
Size: 325KB
MD5: 767ff65d4ac23c72ff613718bad1c65f
SHA1: 228a211622dd3a16d94e9a8e52b6b58f789ffa5e
SHA256: 130aab8a31c0ee448e9dfa04b6b5937bb0013aa22583d8fbcc60e75c2c3f1417
SHA512: 84776d6350a5a51c79758df86106fe80ce4bf5297313874959299654883e58525dc52dae018d4cecc3db10cac7962d00298c32df49095d3bffafa215f93421e8
SSDEEP: 6144:8Rrf0xh3Hfr5YwuLpVoG3SyeGl4wVIg4pqSzafxCKEQC8hcLc0fpZGF:Krf0P3HD5Y3lKwYgSKx+4ac0fpZw
Malware Config
Extracted family: nanocore
Version: 1.2.2.0
C2: shahzad73.casacam.net:9036
C2: shahzad73.ddns.net:9036
Mutex: 2da93aa6-e7d1-4685-b650-2c46bf98075b

activate_away_mode: true
backup_connection_host: shahzad73.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-04-17T03:02:43.205976936Z
bypass_user_account_control: false
bypass_user_account_control_data: (not shown)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 9036
default_group: JULY-BLESS
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: 2da93aa6-e7d1-4685-b650-2c46bf98075b
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: shahzad73.casacam.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Suspicious use of SetThreadContext (1 IoC)
  PID 4060 (767ff65d4ac23c72ff613718bad1c65f.exe) set thread context of PID 3620 (target process index 87)
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2568 schtasks.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3620 MSBuild.exe (3 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3620 MSBuild.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4060 767ff65d4ac23c72ff613718bad1c65f.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3620 MSBuild.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4060 (767ff65d4ac23c72ff613718bad1c65f.exe) wrote to memory of PID 3620 (target process index 87), 4 times
  PID 3620 (MSBuild.exe) wrote to memory of PID 2568 (target process index 91), 3 times
  Read together, the WriteProcessMemory, MapViewOfSection and SetThreadContext calls from PID 4060 into PID 3620 are the usual process-hollowing sequence: the sample starts MSBuild.exe, overwrites its memory with the NanoCore payload and resumes it, so the C2 traffic and the schtasks persistence come from a signed Microsoft binary rather than from the dropper.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\767ff65d4ac23c72ff613718bad1c65f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\767ff65d4ac23c72ff613718bad1c65f.exe"
  PID: 4060
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\767ff65d4ac23c72ff613718bad1c65f.exe"
    PID: 3620
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp"
      PID: 2568
      - Creates scheduled task(s)
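The process tree and Signatures above contain everything a detection needs for this sample: a parent that writes memory into a child and resets a thread context in it, a child whose on-disk image (MSBuild.exe) does not match the executable named on its command line, and a schtasks /create fed an XML task definition from %TEMP%. The following is an added example, not part of the sandbox report or of any vendor tooling: it rebuilds the report's PIDs, paths and API events as constructed input and runs two small detectors over them. The list of user-writable directories and the event/process record shapes are assumptions of the example, not fields of the report.

```python
"""Added example: flag process hollowing and schtasks persistence from events
shaped like this report's process tree and Signatures (constructed input)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Process:
    pid: int
    image: str                 # on-disk image path
    cmdline: str               # command line as launched
    parent: Optional[int] = None


@dataclass(frozen=True)
class ApiEvent:
    api: str                   # WriteProcessMemory, SetThreadContext, MapViewOfSection
    pid: int                   # calling process
    target: Optional[int] = None   # process acted upon, if any


# Constructed from the report above: same PIDs, paths and command lines.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\767ff65d4ac23c72ff613718bad1c65f.exe"
PROCESSES: List[Process] = [
    Process(4060, SAMPLE, f'"{SAMPLE}"'),
    Process(3620, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
            f'"{SAMPLE}"', parent=4060),
    Process(2568, r"C:\Windows\SysWOW64\schtasks.exe",
            r'"schtasks.exe" /create /f /tn "AGP Manager" /xml '
            r'"C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp"', parent=3620),
]
EVENTS: List[ApiEvent] = [
    ApiEvent("SetThreadContext", 4060, 3620),
    ApiEvent("MapViewOfSection", 4060),
    *[ApiEvent("WriteProcessMemory", 4060, 3620) for _ in range(4)],
    *[ApiEvent("WriteProcessMemory", 3620, 2568) for _ in range(3)],
]

# Assumption of the example: directories a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def image_name(path: str) -> str:
    """Basename of a Windows path, lower-cased, for comparing images."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


_ARGV0 = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')


def argv0(cmdline: str) -> str:
    """First token of a command line, honouring a quoted path."""
    m = _ARGV0.match(cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def find_hollowing(processes: List[Process], events: List[ApiEvent]) -> List[Dict]:
    """Flag a child whose parent wrote its memory AND reset a thread context in it,
    when the command line names a different executable than the running image.
    In this report MSBuild.exe runs with the dropper's path as its command line."""
    acted = {(e.api, e.pid, e.target) for e in events if e.target is not None}
    hits = []
    for p in processes:
        if p.parent is None:
            continue
        wrote = ("WriteProcessMemory", p.parent, p.pid) in acted
        ctx = ("SetThreadContext", p.parent, p.pid) in acted
        claimed = image_name(argv0(p.cmdline))
        if wrote and ctx and claimed != image_name(p.image):
            hits.append({"parent": p.parent, "pid": p.pid,
                         "host_image": image_name(p.image), "claimed_image": claimed})
    return hits


_TN = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)
_XML = re.compile(r'/xml\s+"([^"]+)"', re.IGNORECASE)


def find_schtasks_persistence(processes: List[Process]) -> List[Dict]:
    """Flag schtasks /create that loads its task definition from a user-writable path."""
    hits = []
    for p in processes:
        if image_name(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
            continue
        xml = _XML.search(p.cmdline)
        if xml and any(d in xml.group(1).lower() for d in USER_WRITABLE):
            tn = _TN.search(p.cmdline)
            hits.append({"pid": p.pid, "parent": p.parent,
                         "task_name": tn.group(1) if tn else None, "xml": xml.group(1)})
    return hits


if __name__ == "__main__":
    for h in find_hollowing(PROCESSES, EVENTS) + find_schtasks_persistence(PROCESSES):
        print(h)
```

The hollowing check deliberately requires both WriteProcessMemory and SetThreadContext from the same parent into the same child: PID 3620 also writes into PID 2568 (schtasks.exe), but with no thread-context change and a matching image and command line, so that edge is not flagged. The image/command-line mismatch is the cheapest host-side signal for this technique and is worth alerting on by itself for MSBuild.exe and the other .NET utilities commonly used as hollowing hosts.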
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 3e2b26ed8b75ae83a269595180e84ef6
SHA1: d30a0335fcce406bca8ba5764288235e6192f608
SHA256: 108be30aeb8eb31c185a39a6726f26dacbc4e4124951c61a29ade4b7038c71ea
SHA512: b6981c68fcb886cc8379a068b96931b9d4f5cc5aa9bdc467e36c4168fe6c5273a2a84d8850b12c11703ec03ac6b1f1950d1e669efcb59fc2402ce4bba9dc03d3