Analysis
max time kernel: 144s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26/01/2024, 10:25

Static task: static1
Behavioral task: behavioral1
Sample: 771b029ca2ea27495376d8783f14f7f9.exe
Resource: win7-20231215-en
General
Target: 771b029ca2ea27495376d8783f14f7f9.exe
Size: 880KB
MD5: 771b029ca2ea27495376d8783f14f7f9
SHA1: 2fcceb16b9cbb40ba7674aa7f7ac21ec3e15593a
SHA256: 668ae0ac95f0d86230704acfd42aeec2837d51e16486e96b52fcf51907b6ddbd
SHA512: dfa483eae106a628835dd82aaab1cbf9a9a68ef632ed6a2baf09ff8ca0887ec1b3852f5cf493caf85af1be7c5209ee063ab88966d5d83701b4772888cba2c0c4
SSDEEP: 24576:b8mTQXkDFBvRll2PrGzx/LUYfxfFOhByMXFXc5n:4cQ0DPsPyfxdOoWFX
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: xp18.ddns.net:1012
Mutex: ef6b2072-3b38-4899-b925-378df7ad2d73

activate_away_mode: true
backup_connection_host: xp18.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-04-23T05:59:24.479035036Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1012
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: ef6b2072-3b38-4899-b925-378df7ad2d73
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: xp18.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" | 771b029ca2ea27495376d8783f14f7f9.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 771b029ca2ea27495376d8783f14f7f9.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2460 set thread context of 2600 | 2460 | 771b029ca2ea27495376d8783f14f7f9.exe | 30

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\TCP Service\tcpsvc.exe | 771b029ca2ea27495376d8783f14f7f9.exe
File opened for modification | C:\Program Files (x86)\TCP Service\tcpsvc.exe | 771b029ca2ea27495376d8783f14f7f9.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1824 | schtasks.exe
2828 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2600 | 771b029ca2ea27495376d8783f14f7f9.exe
2600 | 771b029ca2ea27495376d8783f14f7f9.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2600 | 771b029ca2ea27495376d8783f14f7f9.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2600 | 771b029ca2ea27495376d8783f14f7f9.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | occurrences
PID 2460 wrote to memory of 2600 | 2460 | 771b029ca2ea27495376d8783f14f7f9.exe | 30 | 9
PID 2600 wrote to memory of 1824 | 2600 | 771b029ca2ea27495376d8783f14f7f9.exe | 31 | 4
PID 2600 wrote to memory of 2828 | 2600 | 771b029ca2ea27495376d8783f14f7f9.exe | 33 | 4
Processes

C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe"
  PID: 2460
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe"
    PID: 2600
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp686.tmp"
      PID: 1824
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7AF.tmp"
      PID: 2828
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: ed32dd906845ffe39bc55d203a47e9ab
SHA1: 679f6ab7bc2c35f5fa5260fb35fe769df92645b5
SHA256: 4cb9909da90a374e8130b361d1774e990794b55d5677164c5a2833cfce6b7975
SHA512: f400f6d4904b3dc9e13c7a0c22ee90905823d30ee904d67b829db27111eaed81ccdfc6b32c963e2f4a2e2aa5bd4a9f1fca5490327d9cdb4c544dfad398180091

Filesize: 1KB
MD5: 9db6095f31f8b4ae8173fe11424a8dfe
SHA1: 4b0655ae95def24a41710ca137649d93bfa49407
SHA256: 9911b4513e44521c90c020ddcddea1ddc58095055a72ec638b593bf9ee23aa72
SHA512: 5bee977264545a30a2d53e674f54a4066d4529dc9162d46911b9cac957052cdc1ea7c8d60f9c57d3f33db6cb964b1e6bb2347d0e0e2af0a32ac98938c02ffc1c