Analysis
  max time kernel:  146s
  max time network: 154s
  platform:         windows7_x64
  resource:         win7-20231215-en
  resource tags:    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted:        27/01/2024, 12:27

  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           7a40d67c8a78ef63bda595ab16f5ac0f.exe
  Resource:         win7-20231215-en
General
  Target:  7a40d67c8a78ef63bda595ab16f5ac0f.exe
  Size:    1.5MB
  MD5:     7a40d67c8a78ef63bda595ab16f5ac0f
  SHA1:    3a4636fdee0797e1dfa0c5075cb0466c9ea00f84
  SHA256:  e2baf0f5b01a92323fa0f46207e5b9ae09ec8945ef722b912d3559d43c6e907c
  SHA512:  c448e227eb2244a62e7457823ad471da15a42ceb49e47f9cf148dceaafea95f7d2edca544dc900c4bf53411c94e4a59d393e861767a2fe569a04de707c2fe6bb
  SSDEEP:  12288:KsJG6kBgpx60IbcNk+uVD7TgUdnfQu5X7Q6H+Uy1Susr8MmH3j2:M6k2n64EPVY1ZZS5R0
Malware Config
  Extracted
    Family:   nanocore
    Version:  1.2.2.0
    C2:       fablousy.kozow.com:4050
              127.0.0.1:4050
    Mutex:    58d1d627-4bc2-40ea-9ed5-7063fbcc1866

  Configuration fields
    activate_away_mode:                true
    backup_connection_host:            127.0.0.1
    backup_dns_server:                 8.8.4.4
    buffer_size:                       65535
    build_time:                        2021-05-17T05:23:14.334950536Z
    bypass_user_account_control:       true
    bypass_user_account_control_data:  (empty)
    clear_access_control:              true
    clear_zone_identifier:             false
    connect_delay:                     4000
    connection_port:                   4050
    default_group:                     ike
    enable_debug_mode:                 true
    gc_threshold:                      1.048576e+07
    keep_alive_timeout:                30000
    keyboard_logging:                  false
    lan_timeout:                       2500
    max_packet_size:                   1.048576e+07
    mutex:                             58d1d627-4bc2-40ea-9ed5-7063fbcc1866
    mutex_timeout:                     5000
    prevent_system_sleep:              false
    primary_connection_host:           fablousy.kozow.com
    primary_dns_server:                8.8.8.8
    request_elevation:                 true
    restart_delay:                     5000
    run_delay:                         0
    run_on_startup:                    true
    set_critical_process:              true
    timeout_interval:                  5000
    use_custom_dns_server:             false
    version:                           1.2.2.0
    wan_timeout:                       8000
Signatures

Checks whether UAC is enabled (1 IoCs)
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  7a40d67c8a78ef63bda595ab16f5ac0f.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process                               procid_target
  PID 2336 set thread context of 596   2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  524   schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  596   7a40d67c8a78ef63bda595ab16f5ac0f.exe
  596   7a40d67c8a78ef63bda595ab16f5ac0f.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  596   7a40d67c8a78ef63bda595ab16f5ac0f.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   596   7a40d67c8a78ef63bda595ab16f5ac0f.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid   Process                               procid_target
  PID 2336 wrote to memory of 524    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  30
  PID 2336 wrote to memory of 524    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  30
  PID 2336 wrote to memory of 524    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  30
  PID 2336 wrote to memory of 524    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  30
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
  PID 2336 wrote to memory of 596    2336  7a40d67c8a78ef63bda595ab16f5ac0f.exe  32
Processes

C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe  (depth 1, PID 2336)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (depth 2, PID 524)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uTptUfOsJI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5206.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe  (depth 2, PID 596)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  1KB
  MD5:       6bd631165363f9d2a16b51b4a04e8da7
  SHA1:      3f7e3f7850f18cdb9ea4f269421a21957c0640ae
  SHA256:    126119e16b352ec912c0dd2ed4a7dd573fb61be98afa4e020de08376eec287b0
  SHA512:    bffea97ac73a0074caa6f549525a21c4679dd9a6275dbfd3f39feac2583acc3b024ee2cfb782440e31f0664ea9d2ecef98f58a0f5853fc4088547002ceac189f