Analysis
max time kernel: 142s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2024, 05:42
Static task: static1
Behavioral task: behavioral1
Sample: 768a83faefcdc81b408b09df7ed89395.exe
Resource: win7-20231215-en
General
Target: 768a83faefcdc81b408b09df7ed89395.exe
Size: 7.6MB
MD5: 768a83faefcdc81b408b09df7ed89395
SHA1: 5b7667574ef61d4b2003c819e87d6040a0b56f22
SHA256: ebd4fcb03911f9f6d4ba31386e21881841c98591e78a539f976110b2ff7e8f05
SHA512: abf219f8acc403fdef57d72f71c3523a610487ddd3bf543f413ce6b44fe2a76a3b016f63c48fd381e9b97fc336aaf19bc30ae2ac175becabf59f24fb399fc188
SSDEEP: 196608:YtPu+xXrI2bFvKQYs0TMDfzJppk2HDS2M0hdeJfVFUxri:6RrPFPYsJDdg2HGd00fzuri
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: sabifati34.duckdns.org:54984
C2: kingspy.mywire.org:54984
Mutex: 3c8bcba0-4059-4b34-be57-f36406e41f3b
Attributes:
activate_away_mode: false
backup_connection_host: kingspy.mywire.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-08-31T22:25:34.564478236Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54984
default_group: ofis
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 3c8bcba0-4059-4b34-be57-f36406e41f3b
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: sabifati34.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe (process: nan0.exe)
Executes dropped EXE (3 IoCs)
  PID 2356: 32bit Patch.exe
  PID 2776: 11.exe
  PID 2612: nan0.exe
Loads dropped DLL (6 IoCs)
  PID 1724: 768a83faefcdc81b408b09df7ed89395.exe (1 IoC)
  PID 1636: WerFault.exe (5 IoCs)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" (process: RegAsm.exe)
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: RegAsm.exe)
Suspicious use of SetThreadContext (1 IoC)
  PID 2612 (nan0.exe) set thread context of PID 2020 (procid_target 32)
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: RegAsm.exe)
  File opened for modification: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: RegAsm.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 2356: 32bit Patch.exe (2 IoCs)
  PID 2612: nan0.exe (3 IoCs)
  PID 2020: RegAsm.exe (6 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2020: RegAsm.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2612: nan0.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2612 (nan0.exe)
  Token: SeDebugPrivilege, PID 2020 (RegAsm.exe)
Suspicious use of WriteProcessMemory (25 IoCs, grouped by writer and target)
  PID 1724 (768a83faefcdc81b408b09df7ed89395.exe) wrote to memory of PID 2356 (procid_target 28): 7 IoCs
  PID 1724 (768a83faefcdc81b408b09df7ed89395.exe) wrote to memory of PID 2776 (procid_target 29): 3 IoCs
  PID 1724 (768a83faefcdc81b408b09df7ed89395.exe) wrote to memory of PID 2612 (procid_target 30): 4 IoCs
  PID 2776 (11.exe) wrote to memory of PID 1636 (procid_target 31): 3 IoCs
  PID 2612 (nan0.exe) wrote to memory of PID 2020 (procid_target 32): 8 IoCs
Processes (process tree, children indented under their parent)
C:\Users\Admin\AppData\Local\Temp\768a83faefcdc81b408b09df7ed89395.exe (PID 1724)
  command line: "C:\Users\Admin\AppData\Local\Temp\768a83faefcdc81b408b09df7ed89395.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\32bit Patch.exe (PID 2356)
      command line: "C:\Users\Admin\AppData\Roaming\32bit Patch.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Roaming\11.exe (PID 2776)
      command line: "C:\Users\Admin\AppData\Roaming\11.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\WerFault.exe (PID 1636)
          command line: C:\Windows\system32\WerFault.exe -u -p 2776 -s 516
          - Loads dropped DLL
    C:\Users\Admin\AppData\Roaming\nan0.exe (PID 2612)
      command line: "C:\Users\Admin\AppData\Roaming\nan0.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2020)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads