Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/01/2024, 06:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: 7c5fefe93d62fc7ce29b236be8235197.exe
- Resource: win7-20231215-en
General
- Target: 7c5fefe93d62fc7ce29b236be8235197.exe
- Size: 1.2MB
- MD5: 7c5fefe93d62fc7ce29b236be8235197
- SHA1: 882eabe9a067575521065329b923dc9fe61fa6d9
- SHA256: 93e2ba272cce84fa13eac9b5f393e15a55c3719d59651c60bd3b8f27136fef59
- SHA512: 38c75753e8fd7531111befcff012e5fea95863de95329ecff117d6989e4177b0b53a42857d14901f122e66b07d9207b907f8d7b9f6a1d9ce49eac1a10149c0a7
- SSDEEP: 24576:9AHnh+eWsN3skA4RV1Hom2KXMmHaFZyrh9QI/C+EZCBqUIYXmf8MuvWzD:ch+ZkldoPK8YaFZyri7QPIYXLMr
Malware Config
Extracted
- family: nanocore
- version: 1.2.2.0
- C2: megida.hopto.org:8822
- mutex: 0622add8-a38b-49c1-8dc8-c09cf4320fc4
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-03-11T12:24:33.692689636Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8822
- default_group: NewLappi
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0622add8-a38b-49c1-8dc8-c09cf4320fc4
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: megida.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdchange.lnk
  process: 7c5fefe93d62fc7ce29b236be8235197.exe
- Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2772 set thread context of 2468
  pid: 2772, process: 7c5fefe93d62fc7ce29b236be8235197.exe, procid_target: 97
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 2772, process 7c5fefe93d62fc7ce29b236be8235197.exe (24 entries)
  pid 2468, process RegAsm.exe (3 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2468, process RegAsm.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 2772, process 7c5fefe93d62fc7ce29b236be8235197.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid 2468, process RegAsm.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 2772, process 7c5fefe93d62fc7ce29b236be8235197.exe (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid 2772, process 7c5fefe93d62fc7ce29b236be8235197.exe (3 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2772 wrote to memory of 4780
  pid 2772, process 7c5fefe93d62fc7ce29b236be8235197.exe, procid_target: 96 (3 entries)
  description: PID 2772 wrote to memory of 2468
  pid 2772, process 7c5fefe93d62fc7ce29b236be8235197.exe, procid_target: 97 (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\7c5fefe93d62fc7ce29b236be8235197.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7c5fefe93d62fc7ce29b236be8235197.exe"
   PID: 2772
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 4780
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      PID: 2468
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken