Analysis
max time kernel: 144s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2024, 12:02
Static task: static1
Behavioral task: behavioral1
Sample: 7a31a2743fd46eaac57e0facfa4cc550.exe
Resource: win7-20231215-en
General
Target: 7a31a2743fd46eaac57e0facfa4cc550.exe
Size: 1.0MB
MD5: 7a31a2743fd46eaac57e0facfa4cc550
SHA1: 0b495b9d62c4504cb58d32c01f2718ce76ad27a8
SHA256: f67ef0bea71caf8b6cb8b570304051aacce30cb42c51eec9d5bc10365b057430
SHA512: 174bfc47be92e1e0c3ac107b0a32227fdd31075380eb6f657f00d9d31e0d1d5abc2e22f299203090aab91d7d9e843039aa2516bc1fe63f05924f6dc5b1e970fb
SSDEEP: 12288:Ww8IpRoJiHDs2qVPA9I/9X6NIbwooBQZ:Ww84osHHU4S6ywo
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: judge777.ddns.net:8282, 127.0.0.1:8282
Mutex: 0ed357f7-1b88-47ff-bb68-1b617843f125

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 37.235.1.177
buffer_size: 65535
build_time: 2021-01-11T10:18:25.208357936Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8282
default_group: enzo
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760, printed as a float by the extractor)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760, printed as a float by the extractor)
mutex: 0ed357f7-1b88-47ff-bb68-1b617843f125
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: judge777.ddns.net
primary_dns_server: 37.235.1.174
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Note: 127.0.0.1 as backup_connection_host is a loopback placeholder, not a reachable C2; the only routable C2 endpoint is judge777.ddns.net:8282. The two DNS server fields (37.235.1.174 and 37.235.1.177) are the same addresses that appear below under "Unexpected DNS network traffic destination".
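The following is an added example for this report, not the sandbox's extractor or any NanoCore tooling: it parses the flattened key/value config as it appears above into typed values (undoing the float rendering of gc_threshold and max_packet_size), pulls out the network IOCs worth blocking, and labels each DNS-port destination the sandbox flagged as either one of the sample's own configured DNS servers, the sandbox's resolver (the caller supplies those; none are given on the page), or unexplained. The config text and the observed destination list are reconstructed from the report; the function names and labels are this example's own.

```python
"""Parse the flattened NanoCore config block and correlate its network fields
with the DNS-port destinations the sandbox flagged (added example)."""
from ipaddress import ip_address

# Constructed input: "key value" pairs copied from the report's extracted config
# (only the network-relevant keys plus a few typed ones).
CONFIG_TEXT = """
primary_connection_host judge777.ddns.net
backup_connection_host 127.0.0.1
connection_port 8282
primary_dns_server 37.235.1.174
backup_dns_server 37.235.1.177
use_custom_dns_server false
bypass_user_account_control true
connect_delay 4000
gc_threshold 1.048576e+07
mutex 0ed357f7-1b88-47ff-bb68-1b617843f125
version 1.2.2.0
"""

# Constructed input: the "Unexpected DNS network traffic destination" IoCs, in report order.
OBSERVED_DNS_DESTINATIONS = ["37.235.1.177", "37.235.1.174", "37.235.1.174", "37.235.1.177"]


def _coerce(value):
    """Turn the extractor's string rendering back into a typed value."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        number = float(value)
    except ValueError:
        return value  # hostnames, dotted IPs, GUIDs and "1.2.2.0" stay strings
    # The extractor prints large integers as floats (1.048576e+07); undo that.
    return int(number) if number.is_integer() else number


def parse_config(text):
    cfg = {}
    for line in text.strip().splitlines():
        key, sep, value = line.strip().partition(" ")
        if sep:
            cfg[key] = _coerce(value.strip())
    return cfg


def _is_loopback(host):
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal, so treat it as a hostname


def network_iocs(cfg):
    """C2 endpoints worth blocking (loopback placeholders dropped) plus the
    sample's own DNS servers, which are IOCs in their own right."""
    port = cfg.get("connection_port")
    hosts = (cfg.get("primary_connection_host"), cfg.get("backup_connection_host"))
    c2 = [f"{host}:{port}" for host in hosts if host and not _is_loopback(host)]
    dns = [cfg[k] for k in ("primary_dns_server", "backup_dns_server") if cfg.get(k)]
    return {"c2": c2, "dns_servers": dns, "mutex": cfg.get("mutex")}


def classify_dns_destinations(cfg, observed, sandbox_resolvers=()):
    """Label each distinct DNS-port destination: one of the sample's configured
    DNS servers, the sandbox's own resolver (caller-supplied), or unexplained."""
    configured = set(network_iocs(cfg)["dns_servers"])
    labels = {}
    for ip in dict.fromkeys(observed):  # de-duplicate, keep first-seen order
        if ip in configured:
            labels[ip] = "sample-config-dns"
        elif ip in sandbox_resolvers:
            labels[ip] = "sandbox-resolver"
        else:
            labels[ip] = "unexplained"
    return labels


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(network_iocs(cfg))
    print(classify_dns_destinations(cfg, OBSERVED_DNS_DESTINATIONS))
```

Run against the report's values, both flagged destinations come back as sample-config-dns, so the "unexpected" DNS traffic is explained by the config rather than by a second, unknown resolver; anything labelled unexplained in a real run is what deserves a closer look at the pcap.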
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (process: 7a31a2743fd46eaac57e0facfa4cc550.exe)

Unexpected DNS network traffic destination (4 IoCs)
Network traffic on the DNS port to servers other than the sandbox's configured DNS servers was detected.
  Destination IP: 37.235.1.177 (listed twice)
  Destination IP: 37.235.1.174 (listed twice)
  Both addresses are exactly the primary_dns_server and backup_dns_server values from the extracted config.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\Program Files (x86)\SCSI Service\scsisvc.exe" (process: 7a31a2743fd46eaac57e0facfa4cc550.exe)
  The key lands under WOW6432Node because the writer is a 32-bit process on a 64-bit OS.

Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 7a31a2743fd46eaac57e0facfa4cc550.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 5052 (7a31a2743fd46eaac57e0facfa4cc550.exe) set the thread context of PID 4744 (procid_target 105), a second instance of its own image.

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\SCSI Service\scsisvc.exe (process: 7a31a2743fd46eaac57e0facfa4cc550.exe)
  File opened for modification: C:\Program Files (x86)\SCSI Service\scsisvc.exe (process: 7a31a2743fd46eaac57e0facfa4cc550.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2304: schtasks.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  PID 5052 7a31a2743fd46eaac57e0facfa4cc550.exe (6 times)
  PID 4744 7a31a2743fd46eaac57e0facfa4cc550.exe (3 times)
  PID 4832 powershell.exe (2 times)
  PID 1928 powershell.exe (2 times)
  PID 4424 powershell.exe (2 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4744 7a31a2743fd46eaac57e0facfa4cc550.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 5052 7a31a2743fd46eaac57e0facfa4cc550.exe
  Token: SeDebugPrivilege, PID 4832 powershell.exe
  Token: SeDebugPrivilege, PID 1928 powershell.exe
  Token: SeDebugPrivilege, PID 4744 7a31a2743fd46eaac57e0facfa4cc550.exe
  Token: SeDebugPrivilege, PID 4424 powershell.exe

Suspicious use of WriteProcessMemory (23 IoCs)
All writes originate from PID 5052 (7a31a2743fd46eaac57e0facfa4cc550.exe):
  to PID 4832 (procid_target 97): 3 writes
  to PID 1928 (procid_target 99): 3 writes
  to PID 2304 (procid_target 102): 3 writes
  to PID 4424 (procid_target 103): 3 writes
  to PID 4568 (procid_target 106): 3 writes
  to PID 4744 (procid_target 105): 8 writes
  Three writes per child is the normal shape of CreateProcess from a WOW64 parent; the eight writes into PID 4744, combined with the SetThreadContext call above, are what mark that child as the injection target.
Processes
C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe (PID 5052, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4832, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1928, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2304, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GoJyWEU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE77D.tmp"
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4424, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe (PID 4744, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe (PID 4568, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
    (no signatures recorded)

Notes on the tree: the logged image paths are under SysWOW64 while every command line names System32. The sample runs as a 32-bit process on the 64-bit guest (its Run key lands under WOW6432Node), so WOW64 file system redirection maps System32 to SysWOW64 for it; a detection keyed on the full System32 path would miss these. PID 4744 is a second instance of the sample's own image that receives the WriteProcessMemory and SetThreadContext calls from PID 5052 and is the instance that sets the Run key and drops scsisvc.exe, which is the hollowing pattern the signatures describe. The two Defender exclusions for C:\Users\Admin\AppData\Roaming\GoJyWEU.exe share a name with the scheduled task Updates\GoJyWEU, but no write to that path appears among this report's IoCs; the only recorded file drop is C:\Program Files (x86)\SCSI Service\scsisvc.exe. The scheduled task XML is read from a temp file (tmpE77D.tmp) that is not among the listed artifacts.
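As an added example (not tooling from the sandbox or from any vendor), the block below runs a handful of detection rules over the process, registry and thread-context events reconstructed from the tree above: the Defender exclusions added through Add-MpPreference, a scheduled task registered from an XML file in a user-writable directory, a Run key set by a process executing from AppData, and a parent calling SetThreadContext on a child that runs its own image. The event schema, rule names and the user-writable-path list are this example's own choices; the event records are built from the report.

```python
"""Detection pass over the report's process tree (added example).

Events are reconstructed from the tree and the IoC tables; the schema and the
rule names are this example's own, not the sandbox's."""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"
# A 32-bit process on 64-bit Windows is logged with its SysWOW64 image while
# its command line names System32 (WOW64 file system redirection).
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the report: PID 0 stands in for the unknown parent of the dropper.
EVENTS = [
    proc(5052, 0, SAMPLE, f'"{SAMPLE}"'),
    proc(4832, 5052, PS_IMAGE, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    proc(1928, 5052, PS_IMAGE, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROPPED}"'),
    proc(2304, 5052, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GoJyWEU" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE77D.tmp"'),
    proc(4424, 5052, PS_IMAGE, f'"{PS_CMD}" Add-MpPreference -ExclusionPath "{DROPPED}"'),
    proc(4744, 5052, SAMPLE, f'"{SAMPLE}"'),
    proc(4568, 5052, SAMPLE, f'"{SAMPLE}"'),
    {"type": "set_thread_context", "pid": 5052, "target_pid": 4744},
    {"type": "registry_set", "pid": 4744,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service",
     "value": r"C:\Program Files (x86)\SCSI Service\scsisvc.exe"},
]

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\b", re.IGNORECASE)
TASK_XML_RE = re.compile(r'/Create\b.*?/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Heuristic list of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUN_KEY = "\\currentversion\\run\\"


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def exe_name(image):
    # Compare on the file name so the SysWOW64/System32 split does not matter.
    return PureWindowsPath(image).name.lower()


def detect(events):
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            name = exe_name(e["image"])
            if name == "powershell.exe" and EXCLUSION_RE.search(e["cmdline"]):
                findings.append(("defender_exclusion_added", e["pid"]))
            elif name == "schtasks.exe":
                m = TASK_XML_RE.search(e["cmdline"])
                if m and in_user_writable(m.group(1) or m.group(2)):
                    findings.append(("scheduled_task_from_user_dir_xml", e["pid"]))
        elif e["type"] == "registry_set":
            if RUN_KEY in e["key"].lower() and in_user_writable(by_pid[e["pid"]]["image"]):
                findings.append(("run_key_set_by_user_dir_process", e["pid"]))
        elif e["type"] == "set_thread_context":
            src, dst = by_pid[e["pid"]], by_pid[e["target_pid"]]
            # A parent rewriting the thread context of a child that runs the
            # parent's own image is the hollowing shape seen in this report.
            if dst["ppid"] == src["pid"] and exe_name(dst["image"]) == exe_name(src["image"]):
                findings.append(("self_injection_into_child", e["pid"]))
    return findings


def summarize(findings):
    out = {}
    for rule, pid in findings:
        out.setdefault(rule, []).append(pid)
    return {rule: sorted(pids) for rule, pids in out.items()}


if __name__ == "__main__":
    for rule, pids in summarize(detect(EVENTS)).items():
        print(f"{rule}: {pids}")
```

On a production host the first three rules map onto process-creation and registry telemetry (for example Sysmon event IDs 1 and 13); the SetThreadContext rule needs an API-level source such as the sandbox's monitor, because Sysmon does not record that call directly.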
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 3d086a433708053f9bf9523e1d87a4e8
SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Filesize: 18KB
MD5: d02ff7b5a3a592daf90946a04e5be1e6
SHA1: 6535fa21ffade9221ed95804076719e7c752087b
SHA256: f8f04fd070dd4010b537c325a4a7750c5d51170588518ac1682701b9d7a2dfd4
SHA512: 6ab0a97de931dca6d7596cfa94e0db56e095ef2f743cc9de64ada8bcfe7e217f3aaf0891e6437ba6995ca91c6c45cc02b28457d45bc44812e0be2890e1efe516

Filesize: 18KB
MD5: 2649ceefa4f3d470754d711356a6b198
SHA1: 1d693f204cc3e3505c232733363597b4fb0a63d4
SHA256: cb8855f20083c5fcf564e7be4c0298c98c2db286d358b2564410cca1c66b879f
SHA512: 3f18ff84438e21ea5b55f175c8825c42d328d69afe729dc2bdaf4ee40bc108c74241bf03dd4655575774e911f84835778387140dd1ece57692a65374e3d3ec79

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: 7b934c582ccc0210a00e4f5612cdffcc
SHA1: ec8b4afcd423da8f5d9d68f6125f152b7b54c5e2
SHA256: 1f7c4c6035780c8160c279e0eff918b65a0b543bcb282a0495fa3d5316519c4c
SHA512: 3f6eee58818f1e17a7bf4efc5d1d9c3165a0e566889cbb213ce8d62d1514af8ce65cd2fcc075b4c310d37d5d85a6243489cdafd17b6d3beef111b85755c20e14

(The report lists these artifacts by hash only; no file names or paths are given for them.)