Analysis
max time kernel: 149s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 27/01/2024, 12:02

Static task: static1
Behavioral task: behavioral1
Sample: 7a31a2743fd46eaac57e0facfa4cc550.exe
Resource: win7-20231215-en
General
Target: 7a31a2743fd46eaac57e0facfa4cc550.exe
Size: 1.0MB
MD5: 7a31a2743fd46eaac57e0facfa4cc550
SHA1: 0b495b9d62c4504cb58d32c01f2718ce76ad27a8
SHA256: f67ef0bea71caf8b6cb8b570304051aacce30cb42c51eec9d5bc10365b057430
SHA512: 174bfc47be92e1e0c3ac107b0a32227fdd31075380eb6f657f00d9d31e0d1d5abc2e22f299203090aab91d7d9e843039aa2516bc1fe63f05924f6dc5b1e970fb
SSDEEP: 12288:Ww8IpRoJiHDs2qVPA9I/9X6NIbwooBQZ:Ww84osHHU4S6ywo
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: judge777.ddns.net:8282, 127.0.0.1:8282
Mutex: 0ed357f7-1b88-47ff-bb68-1b617843f125

Attributes
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 37.235.1.177
buffer_size: 65535
build_time: 2021-01-11T10:18:25.208357936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8282
default_group: enzo
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 0ed357f7-1b88-47ff-bb68-1b617843f125
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: judge777.ddns.net
primary_dns_server: 37.235.1.174
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description     ioc
  Destination IP  37.235.1.177
  Destination IP  37.235.1.174
  Destination IP  37.235.1.177
  Destination IP  37.235.1.174
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"  7a31a2743fd46eaac57e0facfa4cc550.exe
Checks whether UAC is enabled (1 IoCs)
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  7a31a2743fd46eaac57e0facfa4cc550.exe
Suspicious use of SetThreadContext (1 IoCs)
  description                            pid   Process                               procid_target
  PID 1196 set thread context of 2900    1196  7a31a2743fd46eaac57e0facfa4cc550.exe  37
Drops file in Program Files directory (2 IoCs)
  description                   ioc                                          Process
  File created                  C:\Program Files (x86)\WPA Host\wpahost.exe  7a31a2743fd46eaac57e0facfa4cc550.exe
  File opened for modification  C:\Program Files (x86)\WPA Host\wpahost.exe  7a31a2743fd46eaac57e0facfa4cc550.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2012  schtasks.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid   Process
  1196  7a31a2743fd46eaac57e0facfa4cc550.exe
  1196  7a31a2743fd46eaac57e0facfa4cc550.exe
  3000  powershell.exe
  2600  powershell.exe
  1196  7a31a2743fd46eaac57e0facfa4cc550.exe
  2884  powershell.exe
  2900  7a31a2743fd46eaac57e0facfa4cc550.exe
  2900  7a31a2743fd46eaac57e0facfa4cc550.exe
  2900  7a31a2743fd46eaac57e0facfa4cc550.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2900  7a31a2743fd46eaac57e0facfa4cc550.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1196  7a31a2743fd46eaac57e0facfa4cc550.exe
  Token: SeDebugPrivilege  3000  powershell.exe
  Token: SeDebugPrivilege  2600  powershell.exe
  Token: SeDebugPrivilege  2884  powershell.exe
  Token: SeDebugPrivilege  2900  7a31a2743fd46eaac57e0facfa4cc550.exe
Suspicious use of WriteProcessMemory (25 IoCs)
All 25 events originate from PID 1196 (7a31a2743fd46eaac57e0facfa4cc550.exe); repeated identical rows are collapsed into a count:
  description                          pid   Process                               procid_target  occurrences
  PID 1196 wrote to memory of 3000     1196  7a31a2743fd46eaac57e0facfa4cc550.exe  30             4
  PID 1196 wrote to memory of 2600     1196  7a31a2743fd46eaac57e0facfa4cc550.exe  32             4
  PID 1196 wrote to memory of 2012     1196  7a31a2743fd46eaac57e0facfa4cc550.exe  34             4
  PID 1196 wrote to memory of 2884     1196  7a31a2743fd46eaac57e0facfa4cc550.exe  38             4
  PID 1196 wrote to memory of 2900     1196  7a31a2743fd46eaac57e0facfa4cc550.exe  37             9
Processes

C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
  PID: 1196
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
    PID: 3000
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"
    PID: 2600
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GoJyWEU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF142.tmp"
    PID: 2012
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
    PID: 2900
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"
    PID: 2884
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

-
  Filesize: 1KB
  MD5: 61efd0bcf0eed06c8eb1607cd208d7b6
  SHA1: 38a2bb2b8d8330a788521efac9acd1c3b3cf356a
  SHA256: 5fe328b118f91490ad7dadb8b015863e46c619a0bc918f03d5b3093e6d6ce3b7
  SHA512: 3f500156d0edf50e25fbbf344769643fa190f882b25610459cd43222ff4ee1f952cb5792b51cf43951ffa096ce2a2f13f72d717421684c9770c62c5582c2f34f

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7NTW3KQ1POW5X0MIY6FJ.temp
  Filesize: 7KB
  MD5: 105fe2f5733f6514679a087518afe7db
  SHA1: 02a095af81cd7d3b3cba23f3847c5c1f8fe58832
  SHA256: fcd263f841ba3a4d4656b2fb59785db9bf9382bf52188aea842ed642425da0ab
  SHA512: df1dce1c306d747dbfb6fcdc45d2376a683fff90347840ad16ab2623c14971849387ffb3a5b1f4f9902c326d0288c32c3fa3fd94797aaf2b187d5f41708a4ae8