Analysis
max time kernel: 144s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/01/2024, 05:42
Static task: static1
Behavioral task: behavioral1
Sample: 768a83faefcdc81b408b09df7ed89395.exe
Resource: win7-20231215-en
General
Target: 768a83faefcdc81b408b09df7ed89395.exe
Size: 7.6MB
MD5: 768a83faefcdc81b408b09df7ed89395
SHA1: 5b7667574ef61d4b2003c819e87d6040a0b56f22
SHA256: ebd4fcb03911f9f6d4ba31386e21881841c98591e78a539f976110b2ff7e8f05
SHA512: abf219f8acc403fdef57d72f71c3523a610487ddd3bf543f413ce6b44fe2a76a3b016f63c48fd381e9b97fc336aaf19bc30ae2ac175becabf59f24fb399fc188
SSDEEP: 196608:YtPu+xXrI2bFvKQYs0TMDfzJppk2HDS2M0hdeJfVFUxri:6RrPFPYsJDdg2HGd00fzuri
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: sabifati34.duckdns.org:54984
C2: kingspy.mywire.org:54984
Mutex: 3c8bcba0-4059-4b34-be57-f36406e41f3b

Attributes
activate_away_mode: false
backup_connection_host: kingspy.mywire.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-08-31T22:25:34.564478236Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54984
default_group: ofis
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: 3c8bcba0-4059-4b34-be57-f36406e41f3b
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: sabifati34.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
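The configuration above is what a responder hunts on, so here is a small triage helper, added as an example (it is not part of the sandbox report and not NanoCore tooling). It transcribes the report's key/value pairs, parses the extractor's float-formatted integers, derives the C2 endpoints, honours the use_custom_dns_server flag when deciding whether the hard-coded resolvers matter, turns the boolean options into plain-language risk flags, and emits one Suricata DNS-query rule per C2 host. The function names, the RISK_FLAGS wording and the rule SIDs are this example's own assumptions.

```python
"""Triage helper for the NanoCore configuration extracted above.

Added example, not part of the sandbox report or of any NanoCore tooling:
it takes the report's key/value pairs (transcribed below) and derives the
indicators and behavioural flags a responder would act on. Function and
field names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Transcribed from the report's "Malware Config" section, values as strings
# exactly as the extractor printed them (including the scientific notation).
NANOCORE_CONFIG: Dict[str, str] = {
    "version": "1.2.2.0",
    "primary_connection_host": "sabifati34.duckdns.org",
    "backup_connection_host": "kingspy.mywire.org",
    "connection_port": "54984",
    "use_custom_dns_server": "false",
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "mutex": "3c8bcba0-4059-4b34-be57-f36406e41f3b",
    "default_group": "ofis",
    "build_time": "2020-08-31T22:25:34.564478236Z",
    "bypass_user_account_control": "true",
    "request_elevation": "true",
    "set_critical_process": "true",
    "enable_debug_mode": "true",
    "run_on_startup": "false",
    "keyboard_logging": "false",
    "clear_zone_identifier": "false",
    "clear_access_control": "false",
    "prevent_system_sleep": "false",
    "max_packet_size": "1.048576e+07",
    "gc_threshold": "1.048576e+07",
    "connect_delay": "4000",
    "keep_alive_timeout": "30000",
}

# Boolean options that change what a responder should expect on the host.
# The descriptions are this example's reading of the option names.
RISK_FLAGS = {
    "bypass_user_account_control": "attempts a UAC bypass",
    "request_elevation": "asks for elevation (expect a UAC prompt or a bypass)",
    "set_critical_process": "marks its process critical; killing it can bugcheck the host",
    "run_on_startup": "client-side startup persistence enabled",
    "keyboard_logging": "keylogger enabled",
    "clear_zone_identifier": "strips Mark-of-the-Web from dropped files",
    "clear_access_control": "changes ACLs on its artifacts",
    "prevent_system_sleep": "keeps the host awake",
}


def as_bool(raw: str) -> bool:
    return raw.strip().lower() == "true"


def as_int(raw: str) -> int:
    # The extractor prints large integers as floats ("1.048576e+07");
    # round-trip through float so both forms parse.
    return int(float(raw))


@dataclass
class Triage:
    c2: List[Tuple[str, int]]   # (host, port), primary first
    dns_servers: List[str]      # only populated when the client bypasses the system resolver
    mutex: str
    flags: List[str]
    max_packet_size: int


def triage(cfg: Dict[str, str]) -> Triage:
    port = as_int(cfg["connection_port"])
    c2 = [(cfg[k], port) for k in ("primary_connection_host", "backup_connection_host") if cfg.get(k)]
    dns: List[str] = []
    if as_bool(cfg.get("use_custom_dns_server", "false")):
        dns = [cfg[k] for k in ("primary_dns_server", "backup_dns_server") if cfg.get(k)]
    flags = [text for key, text in RISK_FLAGS.items() if as_bool(cfg.get(key, "false"))]
    return Triage(c2, dns, cfg["mutex"], flags, as_int(cfg["max_packet_size"]))


def suricata_dns_rules(t: Triage, base_sid: int = 1000001) -> List[str]:
    """One DNS-query rule per C2 host (Suricata 5+ 'dns.query' sticky buffer)."""
    rules = []
    for i, (host, _port) in enumerate(t.c2):
        rules.append(
            f'alert dns any any -> any any (msg:"NanoCore C2 DNS query {host}"; '
            f'dns.query; content:"{host}"; nocase; bsize:{len(host)}; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    t = triage(NANOCORE_CONFIG)
    print("C2:", t.c2)
    print("custom DNS in use:", t.dns_servers or "no (system resolver)")
    print("mutex:", t.mutex)
    for f in t.flags:
        print("flag:", f)
    for r in suricata_dns_rules(t):
        print(r)
```

Because use_custom_dns_server is false in this build, the 8.8.8.8/8.8.4.4 entries are dormant and the C2 lookups go through the victim's normal resolver, which is why the rules above match the DNS query rather than traffic to the Google resolvers. The mutex GUID can be checked on a live Windows host with the usual handle-enumeration tools; that part is intentionally left out of a portable script.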
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation  (process: 768a83faefcdc81b408b09df7ed89395.exe)

Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe  (process: nan0.exe)

Executes dropped EXE (3 IoCs)
  PID 2844  32bit Patch.exe
  PID 728   11.exe
  PID 1928  nan0.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"  (process: RegAsm.exe)

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: RegAsm.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 1928 (nan0.exe) set thread context of PID 1312, procid_target 100

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\UDP Subsystem\udpss.exe  (process: RegAsm.exe)
  File opened for modification: C:\Program Files (x86)\UDP Subsystem\udpss.exe  (process: RegAsm.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 2844  32bit Patch.exe  (2 hits)
  PID 1928  nan0.exe  (3 hits)
  PID 1312  RegAsm.exe  (6 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1312  RegAsm.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 1928  nan0.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1928  nan0.exe
  Token: SeDebugPrivilege  PID 1312  RegAsm.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1160 (768a83faefcdc81b408b09df7ed89395.exe) wrote to memory of PID 2844, procid_target 86  (3 hits)
  PID 1160 (768a83faefcdc81b408b09df7ed89395.exe) wrote to memory of PID 728, procid_target 88  (2 hits)
  PID 1160 (768a83faefcdc81b408b09df7ed89395.exe) wrote to memory of PID 1928, procid_target 89  (3 hits)
  PID 1928 (nan0.exe) wrote to memory of PID 1452, procid_target 99  (3 hits)
  PID 1928 (nan0.exe) wrote to memory of PID 1312, procid_target 100  (4 hits)
Processes

[1] PID 1160  C:\Users\Admin\AppData\Local\Temp\768a83faefcdc81b408b09df7ed89395.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\768a83faefcdc81b408b09df7ed89395.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] PID 2844  C:\Users\Admin\AppData\Roaming\32bit Patch.exe
      cmd: "C:\Users\Admin\AppData\Roaming\32bit Patch.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses

  [2] PID 728  C:\Users\Admin\AppData\Roaming\11.exe
      cmd: "C:\Users\Admin\AppData\Roaming\11.exe"
      - Executes dropped EXE

  [2] PID 1928  C:\Users\Admin\AppData\Roaming\nan0.exe
      cmd: "C:\Users\Admin\AppData\Roaming\nan0.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] PID 1452  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    [3] PID 1312  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
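The Signatures and Processes sections together describe one chain: the dropper writes three payloads under AppData\Roaming, nan0.exe spawns RegAsm.exe twice, writes into both children but only rewrites a thread context in the second (PID 1312), and it is that RegAsm.exe, not nan0.exe, that then sets the Run key pointing at udpss.exe. The detector below is an added example, not part of the report or of any vendor's rule set: the EVENTS list is constructed from the report's own tables in a Sysmon-like shape, and the field names, path heuristics and function names are this example's assumptions. It flags the parent-writes-then-SetThreadContext pairing (hollowing), a Run key whose value points at a different image than the process writing it (proxy persistence), startup-folder drops, and a system binary spawned from a user-writable directory.

```python
"""Detection logic for the execution chain in this report's Signatures and
Processes sections.

Added example, not part of the sandbox report: EVENTS is constructed from the
report's process tree and signature tables in a Sysmon-like shape; the field
names and the detector functions are this example's own, not a product schema.
Duplicate WriteProcessMemory hits from the report are collapsed.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

SYSTEM_DIRS = ("c:\\windows\\",)
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

EVENTS: List[Dict] = [
    {"type": "process", "pid": 1160, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\768a83faefcdc81b408b09df7ed89395.exe"},
    {"type": "process", "pid": 2844, "ppid": 1160, "image": r"C:\Users\Admin\AppData\Roaming\32bit Patch.exe"},
    {"type": "process", "pid": 728, "ppid": 1160, "image": r"C:\Users\Admin\AppData\Roaming\11.exe"},
    {"type": "process", "pid": 1928, "ppid": 1160, "image": r"C:\Users\Admin\AppData\Roaming\nan0.exe"},
    {"type": "process", "pid": 1452, "ppid": 1928, "image": REGASM},
    {"type": "process", "pid": 1312, "ppid": 1928, "image": REGASM},
    # The dropper's writes into its own children: no SetThreadContext follows,
    # so these must not be reported as hollowing.
    {"type": "api", "api": "WriteProcessMemory", "pid": 1160, "target": 2844},
    {"type": "api", "api": "WriteProcessMemory", "pid": 1160, "target": 728},
    {"type": "api", "api": "WriteProcessMemory", "pid": 1160, "target": 1928},
    {"type": "api", "api": "WriteProcessMemory", "pid": 1928, "target": 1452},
    {"type": "api", "api": "WriteProcessMemory", "pid": 1928, "target": 1312},
    {"type": "api", "api": "SetThreadContext", "pid": 1928, "target": 1312},
    {"type": "registry", "pid": 1312,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem",
     "value": r"C:\Program Files (x86)\UDP Subsystem\udpss.exe"},
    {"type": "file", "pid": 1312, "path": r"C:\Program Files (x86)\UDP Subsystem\udpss.exe"},
    {"type": "file", "pid": 1928,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe"},
]


def _under(path: str, prefixes: Tuple[str, ...]) -> bool:
    low = path.lower()
    return any(p in low for p in prefixes)


def build_index(events: List[Dict]):
    """Process table keyed by pid, and the set of API names per (caller, target)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    apis = defaultdict(set)
    for e in events:
        if e["type"] == "api":
            apis[(e["pid"], e["target"])].add(e["api"])
    return procs, apis


def detect_hollowing(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """A process writes into a child it spawned and then rewrites a thread
    context in it: the classic hollowing sequence. Returns (src, dst, dst_image)."""
    procs, apis = build_index(events)
    hits = []
    for (src, dst), calls in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= calls and procs[dst]["ppid"] == src:
            hits.append((src, dst, procs[dst]["image"]))
    return hits


def detect_proxy_persistence(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Run-key value that points at an image other than the process writing it."""
    procs, _ = build_index(events)
    hits = []
    for e in events:
        if e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower():
            writer = procs[e["pid"]]["image"]
            if writer.lower() != e["value"].strip('"').lower():
                hits.append((e["pid"], writer, e["value"]))
    return hits


def detect_startup_drops(events: List[Dict]) -> List[Tuple[int, str]]:
    return [(e["pid"], e["path"]) for e in events
            if e["type"] == "file" and "\\start menu\\programs\\startup\\" in e["path"].lower()]


def detect_lolbin_from_user_dir(events: List[Dict]) -> List[Tuple[int, int, str]]:
    """System binary whose parent runs from a user-writable path. Returns (ppid, pid, name)."""
    procs, _ = build_index(events)
    hits = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if parent and _under(p["image"], SYSTEM_DIRS) and _under(parent["image"], USER_WRITABLE):
            hits.append((p["ppid"], p["pid"], p["image"].rsplit("\\", 1)[-1]))
    return sorted(hits)


if __name__ == "__main__":
    for name, fn in [("hollowing", detect_hollowing), ("proxy persistence", detect_proxy_persistence),
                     ("startup drop", detect_startup_drops), ("lolbin from user dir", detect_lolbin_from_user_dir)]:
        for hit in fn(EVENTS):
            print(f"{name}: {hit}")
```

Run against the report's events, the hollowing detector reports only PID 1312: the first RegAsm.exe (PID 1452) received writes but no SetThreadContext, which is consistent with it carrying no further signatures in the process tree. The proxy-persistence detector surfaces the detail that matters for cleanup: the Run key is written by the hollowed RegAsm.exe but points at C:\Program Files (x86)\UDP Subsystem\udpss.exe, so removing nan0.exe alone leaves the autostart in place.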
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 989KB
MD5: 767e3bebe092ca47e5856ae2fae5c453
SHA1: 1fcc083c041385bfa50476bf78fa72cebe025f6a
SHA256: ffd6bb6dc47d52ae9f02321905314b0d9828f997939d12493259eda1e0c73c46
SHA512: 0453b8f8366853bab28c6bdd793b757f7b41cdbd2bb28f7e309020dffd5e97a545cfe23997217463be12b169973aa7936634aa9c17cb76f8f851675d88f85d93

Filesize: 1.1MB
MD5: a73be1e0cf92fa060dd72a9298e248c7
SHA1: 13647ffbbdd28e5016770233d61f7c6904794dff
SHA256: c1049504a0e29d2b35ecd83f747f4770551e29f70c4a5a4728eb9ce478bc1bdd
SHA512: f4667698081aef6a6629d19c28704a5b834924402c299bf0a3827e6d6982573494ec88327b6c6462e1b35bc27194f36975faef6063ec9f92f18d323d15508079

Filesize: 1.0MB
MD5: e07418dc6d3680af28be6a647f8bd4dd
SHA1: bae1a2796bd212c4e30116cf89e84bbff37a0317
SHA256: 51c464395767688f6d545c4ab894f892b16b53a736d789ca555cb2c75c301096
SHA512: 3942178c4f3ac1de880c879206ddd2644c001829dbec482d56ccf85b3254e4442e06463a9edea46802adae09ea1976e0f47d9683cae61e95538cf0bf473c3e94

Filesize: 1.2MB
MD5: 687ae36a5a6422c66e8c65a5f44a1f74
SHA1: 43bf001c867fec70722e4e0db5378dab565e6456
SHA256: be9b2b3fb3730378110a9911e18af87b2969ee8400b13a078ba3a65312b87d03
SHA512: 99ac05cde085cd9c624caecfc37ff4e71a36dfc827e5433a8c8287a02998427c2b65c62205f2aedf23470b0069b69e923d986895e14f29686190bb19d8d3c9c2

Filesize: 1.3MB
MD5: 6f86cb7b2a458135e3ebf1157febe13d
SHA1: f5b16aef3346938d43f3cb87bb1dc0dc68dab87c
SHA256: 78432ad49cf03023a5ac7068d29cef55c46319ce797a0e36d23de548df00a03d
SHA512: 89c634779e1778a1e2d35841553f1307ddc8b1ea02f20822f92d5d9e92eda187ea2ada86bae51cddf2586f20ad05a52014008f1421846fccd986dfdaa4626d4f

Filesize: 1.9MB
MD5: 566452be3534b31515d00acbead7cde3
SHA1: a349b2b9e8ad7cc5a003b1d190cdad54480ae1b0
SHA256: 486d5e6344ff0416ada988efc71a99147560b1a27d75aa259a5aca40af3feb82
SHA512: 805ccb2321b97fbf7764ce423dea58cfa0a5ff559743946a60ad723f615e557e7447fb534b883c8ca948dc86b3eb09d9fd9321ce31ad0176acb34e4fcf1f14a0

Filesize: 744KB
MD5: eb5dac7b7c59d99135d021760108ef5a
SHA1: a2a7f393eef680b8077895a8bfb7de09b7abb3eb
SHA256: 6ec4ee2eadfc7e325e2b1e25f08bc5a7e4e6edc769521e3fa088ea9e68e854ba
SHA512: db8a5abcd5d5c4c318bac8d1bbcb4dd81b667168a4cbd2f94c5e191e62908ff70d2bf1a4c23c64d76a66dcb995c420fa8bf88397876fbd9658d155a2fb8d267a

Filesize: 619KB
MD5: 2c50b3d8a2cfa624f33c5b87f212b9b6
SHA1: 5fd68f0d0822bcfbd7e59f2a89b40a063da52d1b
SHA256: 7b82f469a8d338a29b7ebe581bd0002d89023243614477d49cb0911df6a7b018
SHA512: a2990025b726556f7f2b8e9d96c1678d6abe2b7b8d6acf0851daa06b2d8f898fdd95d50bba4be060892cc371d518a6cc09660eabc740beab0c76460ee05267b3