Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/01/2024, 10:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 771b029ca2ea27495376d8783f14f7f9.exe
  - Resource: win7-20231215-en
General
- Target: 771b029ca2ea27495376d8783f14f7f9.exe
- Size: 880KB
- MD5: 771b029ca2ea27495376d8783f14f7f9
- SHA1: 2fcceb16b9cbb40ba7674aa7f7ac21ec3e15593a
- SHA256: 668ae0ac95f0d86230704acfd42aeec2837d51e16486e96b52fcf51907b6ddbd
- SHA512: dfa483eae106a628835dd82aaab1cbf9a9a68ef632ed6a2baf09ff8ca0887ec1b3852f5cf493caf85af1be7c5209ee063ab88966d5d83701b4772888cba2c0c4
- SSDEEP: 24576:b8mTQXkDFBvRll2PrGzx/LUYfxfFOhByMXFXc5n:4cQ0DPsPyfxdOoWFX
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: xp18.ddns.net:1012
- Mutex: ef6b2072-3b38-4899-b925-378df7ad2d73

Configuration
- activate_away_mode: true
- backup_connection_host: xp18.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-04-23T05:59:24.479035036Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (base64-encoded blob, omitted)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1012
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: ef6b2072-3b38-4899-b925-378df7ad2d73
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: xp18.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsvc.exe"
  process: 771b029ca2ea27495376d8783f14f7f9.exe
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: 771b029ca2ea27495376d8783f14f7f9.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 3544 set thread context of 2796
  pid: 3544
  process: 771b029ca2ea27495376d8783f14f7f9.exe
  procid_target: 97
- Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files (x86)\DHCP Service\dhcpsvc.exe
  process: 771b029ca2ea27495376d8783f14f7f9.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\DHCP Service\dhcpsvc.exe
  process: 771b029ca2ea27495376d8783f14f7f9.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 3188, process: schtasks.exe
  pid: 4844, process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 2796, process: 771b029ca2ea27495376d8783f14f7f9.exe
  pid: 2796, process: 771b029ca2ea27495376d8783f14f7f9.exe
  pid: 2796, process: 771b029ca2ea27495376d8783f14f7f9.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 2796, process: 771b029ca2ea27495376d8783f14f7f9.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2796, process: 771b029ca2ea27495376d8783f14f7f9.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 3544 wrote to memory of 2796 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 97)
  PID 2796 wrote to memory of 3188 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 98)
  PID 2796 wrote to memory of 3188 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 98)
  PID 2796 wrote to memory of 3188 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 98)
  PID 2796 wrote to memory of 4844 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 100)
  PID 2796 wrote to memory of 4844 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 100)
  PID 2796 wrote to memory of 4844 (771b029ca2ea27495376d8783f14f7f9.exe, procid_target 100)
Processes
- C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe"
  PID: 3544
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\771b029ca2ea27495376d8783f14f7f9.exe"
    PID: 2796
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCBF6.tmp"
      PID: 3188
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD85B.tmp"
      PID: 4844
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\771b029ca2ea27495376d8783f14f7f9.exe.log
  Filesize: 496B
  MD5: 5b4789d01bb4d7483b71e1a35bce6a8b
  SHA1: de083f2131c9a763c0d1810c97a38732146cffbf
  SHA256: e248cef9500ed6e0c9f99d72a2a6a36955a5f0cfc0725748ef25a733cc8282f6
  SHA512: 357e18ef30430e4b9cc4f2569b9735b1cd12f934c83162e4de78ac29ba9703b63ddb624ccc22afd5a5868f6e9d91a3c64581846abac22e9625f5b2e3d80b3ede
- Filesize: 1KB
  MD5: ed32dd906845ffe39bc55d203a47e9ab
  SHA1: 679f6ab7bc2c35f5fa5260fb35fe769df92645b5
  SHA256: 4cb9909da90a374e8130b361d1774e990794b55d5677164c5a2833cfce6b7975
  SHA512: f400f6d4904b3dc9e13c7a0c22ee90905823d30ee904d67b829db27111eaed81ccdfc6b32c963e2f4a2e2aa5bd4a9f1fca5490327d9cdb4c544dfad398180091
- Filesize: 1KB
  MD5: 7f4b37265a0a4b0fea67999d11d911e8
  SHA1: 1b8e13e6a27c3768c30cf713b79eaa8a757e1349
  SHA256: 39b16b3a00b6b43c6820357127228c0768a577153014ce7b0ea3c585244dc08b
  SHA512: ef97ccfb663555aedc7fdc4b3ac4cd6536c80a778b4ec3bc6124a09544733988de1dac1e6a3714b0d6e8713e3523e0732d5dfcf674f2c5e1f3eadacb0c8e5e03