Analysis

max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2024, 07:02

Static task: static1
Behavioral task: behavioral1
Sample: 79949bbec90a663289312a4bcb043aeb.exe
Resource: win7-20231215-en
General

Target: 79949bbec90a663289312a4bcb043aeb.exe
Size: 420KB
MD5: 79949bbec90a663289312a4bcb043aeb
SHA1: 14b39b97dd2564d2bee5bdbb166552a5e15b8c1f
SHA256: 0b0818a3e82b1653a0160daedf39b18f4dd2a1b41661928451e5a26c4b6392a7
SHA512: 09ffa62f1af6bb6f0bb00fc9da3c6e59abaabc9c1e461a8dd3391d205ad3f0d3d4fa18e063230fdfefe4ddb105adbe8a5795d05d1414cf142cc80669c0628f1c
SSDEEP: 12288:gOOOYs0vs0vs0vs0B53OZjoI0/XJ2dGPDi0sMUEzSxFEqW:Gs0vs0vs0vs0X80PJPP
Malware Config

Extracted: nanocore 1.2.2.0, grene231.ddns.net:9017, 050c3e25-856b-443b-ae6e-44a1fa0b6039

activate_away_mode: true
backup_connection_host: grene231.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-12-09T09:11:12.426017136Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 9017
default_group: Vala
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 050c3e25-856b-443b-ae6e-44a1fa0b6039
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: grene231.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | 79949bbec90a663289312a4bcb043aeb.exe |

Checks whether UAC is enabled (1 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 79949bbec90a663289312a4bcb043aeb.exe |

Suspicious use of SetThreadContext (1 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 816 set thread context of 2880 | 816 | 79949bbec90a663289312a4bcb043aeb.exe | 28 |

Drops file in Program Files directory (2 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | 79949bbec90a663289312a4bcb043aeb.exe |
| File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | 79949bbec90a663289312a4bcb043aeb.exe |

Suspicious behavior: EnumeratesProcesses (2 IoCs)

| pid | Process |
|---|---|
| 2880 | 79949bbec90a663289312a4bcb043aeb.exe |
| 2880 | 79949bbec90a663289312a4bcb043aeb.exe |

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
|---|---|
| 2880 | 79949bbec90a663289312a4bcb043aeb.exe |

Suspicious use of AdjustPrivilegeToken (1 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 2880 | 79949bbec90a663289312a4bcb043aeb.exe |

Suspicious use of WriteProcessMemory (9 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 816 wrote to memory of 2880 | 816 | 79949bbec90a663289312a4bcb043aeb.exe | 28 |

The WriteProcessMemory entry above is recorded nine times in the report, each with identical fields.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe"
PID: 816
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

  Level 2 (child of PID 816): C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe"
  PID: 2880
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken