Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/01/2024, 07:02
Static task: static1
Behavioral task: behavioral1
- Sample: 79949bbec90a663289312a4bcb043aeb.exe
- Resource: win7-20231215-en
General
- Target: 79949bbec90a663289312a4bcb043aeb.exe
- Size: 420KB
- MD5: 79949bbec90a663289312a4bcb043aeb
- SHA1: 14b39b97dd2564d2bee5bdbb166552a5e15b8c1f
- SHA256: 0b0818a3e82b1653a0160daedf39b18f4dd2a1b41661928451e5a26c4b6392a7
- SHA512: 09ffa62f1af6bb6f0bb00fc9da3c6e59abaabc9c1e461a8dd3391d205ad3f0d3d4fa18e063230fdfefe4ddb105adbe8a5795d05d1414cf142cc80669c0628f1c
- SSDEEP: 12288:gOOOYs0vs0vs0vs0B53OZjoI0/XJ2dGPDi0sMUEzSxFEqW:Gs0vs0vs0vs0X80PJPP
Malware Config
Extracted
- family: nanocore
- version: 1.2.2.0
- c2: grene231.ddns.net:9017
- mutex: 050c3e25-856b-443b-ae6e-44a1fa0b6039
- activate_away_mode: true
- backup_connection_host: grene231.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-12-09T09:11:12.426017136Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9017
- default_group: Vala
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 050c3e25-856b-443b-ae6e-44a1fa0b6039
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: grene231.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"
  process: 79949bbec90a663289312a4bcb043aeb.exe
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: 79949bbec90a663289312a4bcb043aeb.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1960 set thread context of 2544
  pid: 1960
  process: 79949bbec90a663289312a4bcb043aeb.exe
  procid_target: 88
- Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe
  process: 79949bbec90a663289312a4bcb043aeb.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\SMTP Subsystem\smtpss.exe
  process: 79949bbec90a663289312a4bcb043aeb.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 2544
  process: 79949bbec90a663289312a4bcb043aeb.exe (3 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 2544
  process: 79949bbec90a663289312a4bcb043aeb.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2544
  process: 79949bbec90a663289312a4bcb043aeb.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description: PID 1960 wrote to memory of 2544 (8 identical entries)
  pid: 1960
  process: 79949bbec90a663289312a4bcb043aeb.exe
  procid_target: 88
Processes
- C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe"
  PID: 1960
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\79949bbec90a663289312a4bcb043aeb.exe"
    PID: 2544
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\79949bbec90a663289312a4bcb043aeb.exe.log
  Filesize: 706B
  MD5: a6b67088efc040365b2447fdcda1e0fd
  SHA1: ecbb5a3354bedfb924c498e5d852c5831a5b22f7
  SHA256: a2c0432a8caeb10a8cd8634ceee0bc4b53d75a02e8e463a01bf97a4e25b46a55
  SHA512: cb83069882d727e7733945d1593e87f34869fc5397d01d17d3022c4777a37322d9d94ecdfaeca863a01dec89aaaaeaf7dd997e17a97ba4ffdacf64d31021c156