Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/01/2024, 02:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: 790b9e9961e4b8ca5171d422239e0541.exe
- Resource: win7-20231215-en
General
- Target: 790b9e9961e4b8ca5171d422239e0541.exe
- Size: 1.0MB
- MD5: 790b9e9961e4b8ca5171d422239e0541
- SHA1: 28b6a1a0f3d823c2626d35607a58f19520f48df8
- SHA256: b1eeeb094d51c8f5f2931b00533cb5a0dfb98cf310ea06580c7967976d215b3b
- SHA512: bdb23c43c65dbaad81426ffb00abbe71b4e2e9ca57219f16c83724e490e2abd5c860d78536b68735f882b861f0ee7b7943dacf0308c69a60f90a33cb51809012
- SSDEEP: 24576:08pod6qMyQ7RLRUlL/HbDL0PoJH4T2fXBxV:flAL/7DQSH4T2/BT
Malware Config
Extracted: nanocore 1.2.2.0
- C2 hosts: 194.5.98.28:3040, 127.0.0.1:3040
- mutex: eed6a097-a4d3-4ab0-9875-46a22fdaf6ba
Configuration values:
- activate_away_mode: false
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-05-18T10:55:38.959783136Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3040
- default_group: AUGUST 08/06/2021
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: eed6a097-a4d3-4ab0-9875-46a22fdaf6ba
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 194.5.98.28
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation; Process: 790b9e9961e4b8ca5171d422239e0541.exe

Checks whether UAC is enabled
- description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; Process: 790b9e9961e4b8ca5171d422239e0541.exe

Suspicious use of SetThreadContext (1 IoCs)
- description: PID 4288 set thread context of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid: 2756; Process: schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe
- pid: 5088; Process: 790b9e9961e4b8ca5171d422239e0541.exe
- pid: 5088; Process: 790b9e9961e4b8ca5171d422239e0541.exe
- pid: 5088; Process: 790b9e9961e4b8ca5171d422239e0541.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- pid: 5088; Process: 790b9e9961e4b8ca5171d422239e0541.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- description: Token: SeDebugPrivilege; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe
- description: Token: SeDebugPrivilege; pid: 5088; Process: 790b9e9961e4b8ca5171d422239e0541.exe

Suspicious use of WriteProcessMemory (11 IoCs)
- description: PID 4288 wrote to memory of 2756; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 96
- description: PID 4288 wrote to memory of 2756; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 96
- description: PID 4288 wrote to memory of 2756; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 96
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
- description: PID 4288 wrote to memory of 5088; pid: 4288; Process: 790b9e9961e4b8ca5171d422239e0541.exe; procid_target: 97
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe"
PID: 4288
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Level 2 (child of 4288): C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sRwOrsHsaniq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp20A2.tmp"
  PID: 2756
  - Creates scheduled task(s)

  Level 2 (child of 4288): C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\790b9e9961e4b8ca5171d422239e0541.exe"
  PID: 5088
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Path: C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\790b9e9961e4b8ca5171d422239e0541.exe.log
  Filesize: 1KB
  MD5: 17573558c4e714f606f997e5157afaac
  SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
  SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
  SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

- Filesize: 1KB
  MD5: 372fde01a0dc2ff581c862e4070fead0
  SHA1: d869f5af11f96359c8d93e0f41bd6f042a6ad001
  SHA256: 62ca54a873628404b9d6881c03f43511be57dd814ab7c1140bf405a98438523e
  SHA512: d5946c4986b12308b4e9e857945ad570bf3d2180dc68886a348d8dbba7c4b0b9886faa6ca6c24023feaefacab1517278f7af15221149375ea76c24927f322b8c