Analysis
max time kernel: 147s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 27-03-2024 13:06
Static task: static1
Behavioral task: behavioral1
Sample: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
Resource: win7-20240221-en
General
Target: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
Size: 776KB
MD5: e1bdba8cd7ae8d8f3fe039b5ee58b88d
SHA1: b61a538cdbe88e5f9c769006147d64f93117f890
SHA256: b7f93fdcba04537197b4d1a307bf54da300480074376b631c82c1a2c903a5db5
SHA512: ff17d6743cf79d9753c4a923264ad3eeff999e6d9ed9e119e3c9b05529dddbf06797e676dfc43f3112025845c9b9f038bda2d4f562fcc9d5f43134fd2e37bfbb
SSDEEP: 6144:J85JVCO4nPDZvWekYzl23aPfulMJyn/2ENzDScV33TKtJWTlksz/DrPwjqh3O2oC:JqVCjDZuyTSMGJ3TKTmFDzPMar0
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: godisgood1.hopto.org:7712
Mutex: 9ed8d108-2eb1-4e23-9679-783796e4baff
activate_away_mode: true
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-04-23T17:16:53.813634136Z
bypass_user_account_control: false
bypass_user_account_control_data (base64):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 7712
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760 (10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (10 MiB)
mutex: 9ed8d108-2eb1-4e23-9679-783796e4baff
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: godisgood1.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
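The bypass_user_account_control_data value in the config above is a base64-encoded Task Scheduler XML. The Python below is an added example, not part of the sandbox report or of NanoCore itself: it decodes that value (copied verbatim from the config, split into chunks for readability) and pulls out the fields that make the template an elevation primitive rather than a schedule: the principal runs at RunLevel HighestAvailable, the task has no Triggers, the Command is a "#EXECUTABLEPATH" placeholder, and the Arguments are $(Arg0), so the command line is supplied at schtasks /run time and executes with the principal's highest token and no consent prompt. The summary field names and the indicator wording are the example's own. Note that this build has bypass_user_account_control set to false while request_elevation is true, so the template is carried but may not be used; whether registering such a task succeeds without an already-elevated token depends on the host's UAC configuration, which the report does not show. The two dropped task definitions, tmpF608.tmp and tmpF677.tmp, are not displayed in the report; the same summarize_task() applies to them once recovered.

```python
import base64
import re
import xml.etree.ElementTree as ET

# bypass_user_account_control_data as shown in the extracted config above, split
# into chunks (implicit string concatenation) so the lines stay readable.
TASK_TEMPLATE_B64 = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8v"
    "c2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0K"
    "ICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQog"
    "ICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0K"
    "ICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAg"
    "ICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8"
    "U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQog"
    "ICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQog"
    "ICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQog"
    "ICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0K"
    "ICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0K"
    "ICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"
)

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def decode_task_template(b64: str) -> str:
    """Return the task XML as text.

    The declaration claims UTF-16, but the stored bytes are 8-bit (the base64
    starts with 'PD94' = '<?x', not a BOM), so decode as UTF-8 and strip the
    declaration instead of letting the XML parser trust it.
    """
    text = base64.b64decode(b64).decode("utf-8")
    return re.sub(r"^<\?xml[^>]*\?>\s*", "", text)


def summarize_task(xml_text: str) -> dict:
    """Extract the fields that decide whether a Task XML is an elevation primitive."""
    root = ET.fromstring(xml_text)
    principal = root.find("t:Principals/t:Principal", TASK_NS)
    actions = root.find("t:Actions", TASK_NS)
    exec_action = actions.find("t:Exec", TASK_NS)
    return {
        "principal_id": principal.get("id"),
        "logon_type": principal.findtext("t:LogonType", namespaces=TASK_NS),
        "run_level": principal.findtext("t:RunLevel", namespaces=TASK_NS),
        "actions_context": actions.get("Context"),
        "command": exec_action.findtext("t:Command", namespaces=TASK_NS),
        "arguments": exec_action.findtext("t:Arguments", namespaces=TASK_NS),
        "trigger_count": len(root.find("t:Triggers", TASK_NS)),
        "hidden": root.findtext("t:Settings/t:Hidden", namespaces=TASK_NS) == "true",
    }


def uac_bypass_indicators(summary: dict) -> list:
    """Why this template is an on-demand elevated exec primitive, not a normal schedule."""
    reasons = []
    if summary["run_level"] == "HighestAvailable":
        reasons.append("RunLevel=HighestAvailable: /run launches the action with the principal's highest token, no consent prompt")
    if summary["trigger_count"] == 0:
        reasons.append("no Triggers: the task only fires on demand (schtasks /run)")
    if "$(Arg0)" in (summary["arguments"] or ""):
        reasons.append("Arguments=$(Arg0): the command line is supplied at /run time")
    if "#EXECUTABLEPATH" in (summary["command"] or ""):
        reasons.append("Command=#EXECUTABLEPATH placeholder: filled with the implant path at install time")
    return reasons


if __name__ == "__main__":
    s = summarize_task(decode_task_template(TASK_TEMPLATE_B64))
    for k, v in s.items():
        print(f"{k}: {v}")
    for r in uac_bypass_indicators(s):
        print("-", r)
```

The decoder strips the XML declaration deliberately: the template announces UTF-16 while the bytes are ASCII, and a parser that honours the declaration would reject it. If you recover real task XML from a host (schtasks /query /xml or the files under C:\Windows\System32\Tasks), it is genuine UTF-16 and can be handed to the parser as-is.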
Signatures
Adds Run key to start application 2 TTPs 1 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem = "C:\\Program Files (x86)\\NAT Subsystem\\natss.exe"
  process: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
Checks whether UAC is enabled 1 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  description: PID 2004 set thread context of 2892
  process: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe (2004)
  target process: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe (2892)
Drops file in Program Files directory 2 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  File created: C:\Program Files (x86)\NAT Subsystem\natss.exe (e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe)
  File opened for modification: C:\Program Files (x86)\NAT Subsystem\natss.exe (e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe)
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
  pid 1612: schtasks.exe
  pid 4208: schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  pid 2892: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe (3 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  pid 2892: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  Token: SeDebugPrivilege
  pid 2892: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes: e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe, e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe
  PID 2004 wrote to memory of 2892 (e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe -> e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe), 8 times
  PID 2892 wrote to memory of 1612 (e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe -> schtasks.exe), 3 times
  PID 2892 wrote to memory of 4208 (e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe -> schtasks.exe), 3 times
Processes
C:\Users\Admin\AppData\Local\Temp\e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe (PID 2004)
  "C:\Users\Admin\AppData\Local\Temp\e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe (PID 2892, child of 2004)
    "C:\Users\Admin\AppData\Local\Temp\e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (child of 2892)
      "schtasks.exe" /create /f /tn "NAT Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp"
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\schtasks.exe (child of 2892)
      "schtasks.exe" /create /f /tn "NAT Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF677.tmp"
      - Creates scheduled task(s)
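Turning the process tree and the Run-key signature above into detection logic, as an added example that is not part of the tria.ge report or its signature set: the events below are constructed from the tree in a Sysmon-like shape (the field names are the example's own, and the explorer.exe parent of PID 2004 is made up, since the report does not show it), plus one constructed benign schtasks invocation as a control. The behavioural rules flag a schtasks /create whose /xml definition lives in a user's Temp directory, schtasks spawned by an image in Temp, a process that spawns its own image (the shape of the SetThreadContext and WriteProcessMemory pair between PIDs 2004 and 2892), and a Run value written by a Temp-resident process; the task names "NAT Subsystem" / "NAT Subsystem Task" and the natss.exe path are matched as hard IoCs from this report.

```python
import re

# Constructed events modelled on the process tree and the Run-key signature above,
# in a Sysmon-like shape. Field names are this example's own, and the parent of
# PID 2004 (explorer.exe) is made up; the report does not show it.
IMPLANT = r"C:\Users\Admin\AppData\Local\Temp\e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2004, "image": IMPLANT,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{IMPLANT}"'},
    {"type": "process", "pid": 2892, "image": IMPLANT,
     "parent_image": IMPLANT, "cmdline": f'"{IMPLANT}"'},
    {"type": "process", "pid": 1612, "image": SCHTASKS, "parent_image": IMPLANT,
     "cmdline": r'"schtasks.exe" /create /f /tn "NAT Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp"'},
    {"type": "process", "pid": 4208, "image": SCHTASKS, "parent_image": IMPLANT,
     "cmdline": r'"schtasks.exe" /create /f /tn "NAT Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF677.tmp"'},
    {"type": "registry", "pid": 2892, "image": IMPLANT,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Subsystem",
     "data": r"C:\Program Files (x86)\NAT Subsystem\natss.exe"},
    # Benign control (constructed): an admin registering a task from an elevated console.
    {"type": "process", "pid": 5100, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Hard IoCs taken from this report.
KNOWN_TASK_NAMES = {"NAT Subsystem", "NAT Subsystem Task"}
KNOWN_RUN_VALUE = r"C:\Program Files (x86)\NAT Subsystem\natss.exe"


def _arg(cmdline: str, switch: str):
    """Value of a schtasks switch, quoted or bare, or None if absent."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def is_schtasks(ev) -> bool:
    return ev["type"] == "process" and ev["image"].lower().endswith("\\schtasks.exe")


def schtasks_xml_from_user_temp(ev) -> bool:
    """schtasks /create whose task definition is a file in a user's Temp directory."""
    if not is_schtasks(ev) or "/create" not in ev["cmdline"].lower():
        return False
    path = _arg(ev["cmdline"], "/xml")
    return path is not None and USER_TEMP.search(path) is not None


def schtasks_parent_in_user_temp(ev) -> bool:
    """schtasks launched by an executable that itself lives in a user's Temp."""
    return is_schtasks(ev) and USER_TEMP.search(ev["parent_image"]) is not None


def known_task_name(ev) -> bool:
    return is_schtasks(ev) and _arg(ev["cmdline"], "/tn") in KNOWN_TASK_NAMES


def self_spawn_same_image(ev) -> bool:
    """Parent and child share one image path: the shape of the SetThreadContext /
    WriteProcessMemory pair in the signatures (a copy of itself is hollowed)."""
    return ev["type"] == "process" and ev["image"].lower() == ev["parent_image"].lower()


def run_key_set_by_temp_process(ev) -> bool:
    return (ev["type"] == "registry"
            and "\\currentversion\\run\\" in ev["key"].lower()
            and USER_TEMP.search(ev["image"]) is not None)


def run_key_known_ioc(ev) -> bool:
    return ev["type"] == "registry" and ev.get("data", "").lower() == KNOWN_RUN_VALUE.lower()


RULES = [
    ("schtasks_xml_from_user_temp", schtasks_xml_from_user_temp),
    ("schtasks_parent_in_user_temp", schtasks_parent_in_user_temp),
    ("known_task_name", known_task_name),
    ("self_spawn_same_image", self_spawn_same_image),
    ("run_key_set_by_temp_process", run_key_set_by_temp_process),
    ("run_key_known_ioc", run_key_known_ioc),
]


def triage(events) -> list:
    """Return (pid, rule_name) for every event/rule match, in event order."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The hard IoCs (task names, natss.exe path, the C2 host and mutex GUID from the config) are cheap to match but trivially changed between builds; the behavioural rules carry across rebuilds. The /xml-from-Temp rule on its own will also fire on legitimate installers that stage a task definition in Temp, which is why the parent image and the self-spawn are scored alongside it rather than alone.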
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e1bdba8cd7ae8d8f3fe039b5ee58b88d.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp
  Filesize: 1KB
  MD5: e7a34760990c1d3fbee9bc02d29dc99d
  SHA1: 9f786674de276ad569c7feedb603da84f8bca005
  SHA256: 71a53813f3cbf5855d227dace93eb53f5460f947af05eade10ebfdf4d2c67fc4
  SHA512: fd9435696648e4533d2ca55111a338549eba5444c4fc0400168e03bf1241424f538ef9f912d7f35f7f576ef10dc3620f97dbd07fda6132a7e514ceedef8847f7
C:\Users\Admin\AppData\Local\Temp\tmpF677.tmp
  Filesize: 1KB
  MD5: c58d37cb49c18f1d7cece3c78ac2f407
  SHA1: 769ed0ea9d5269e1cec7234eaac77da129cc0463
  SHA256: 52cdb418384a912c5b7071c92d7761f0d12250f07dbbb31876eb2e8d65acbae7
  SHA512: 2efcb3eaf050d56ad3d483112303a1543f9fc457119fbca7d81b45d5619c0f1ba706ce96644d4e2055c1b5ada7af13f071495287a775ce234d9125633bf02775
Memory dumps (PID 2004, parent)
  memory/2004-0-0x00000000752A0000-0x0000000075851000-memory.dmp  Filesize: 5.7MB
  memory/2004-1-0x0000000001960000-0x0000000001970000-memory.dmp  Filesize: 64KB
  memory/2004-2-0x00000000752A0000-0x0000000075851000-memory.dmp  Filesize: 5.7MB
  memory/2004-3-0x00000000752A0000-0x0000000075851000-memory.dmp  Filesize: 5.7MB
  memory/2004-4-0x0000000001960000-0x0000000001970000-memory.dmp  Filesize: 64KB
  memory/2004-5-0x0000000001960000-0x0000000001970000-memory.dmp  Filesize: 64KB
  memory/2004-9-0x00000000752A0000-0x0000000075851000-memory.dmp  Filesize: 5.7MB
Memory dumps (PID 2892, child)
  memory/2892-6-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
  memory/2892-10-0x00000000752A0000-0x0000000075851000-memory.dmp  Filesize: 5.7MB
  memory/2892-11-0x0000000001050000-0x0000000001060000-memory.dmp  Filesize: 64KB
  memory/2892-12-0x00000000752A0000-0x0000000075851000-memory.dmp  Filesize: 5.7MB
  memory/2892-20-0x0000000001050000-0x0000000001060000-memory.dmp  Filesize: 64KB
  memory/2892-21-0x00000000752A0000-0x0000000075851000-memory.dmp  Filesize: 5.7MB
  memory/2892-22-0x0000000001050000-0x0000000001060000-memory.dmp  Filesize: 64KB