Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 04:26
Static task: static1
Behavioral task: behavioral1
- Sample: gK5vkTm6WAcfbiz.exe
- Resource: win7-20231129-en
General
- Target: gK5vkTm6WAcfbiz.exe
- Size: 630KB
- MD5: 55abd8961bb1559aacdd14bc4abe2948
- SHA1: cff001eea9b43d712fbcc4cf9fb9b136f8c4109d
- SHA256: 0117ba3b90a77a00da548bf15490d6623de69e535d75fbbce8279b91c82f5ef6
- SHA512: e5a6e38bc943c2b6fe7c157f3e719303c7b216edf3d483dd7c2b7a4267dd3d0d6b500015ef96d3c041e2032e6aabec6787bebb6f4af3f2070d9cb9fa8d2b4c2b
- SSDEEP: 12288:KjB778QTJ4oNyNN1N84trNRngS5B2/JD3CJMJjEebEPs18VT1IMajPsWj6Mr:UBlJ4tNXN84NgSUtCW1EeAaihaDsWj6Q
Malware Config
Extracted
- nanocore
- 1.2.2.0
- december2nd.ddns.net:64418
- december2n.duckdns.org:64418
- a73ea09a-fffa-47fc-8cf2-8699258828eb
Attributes:
- activate_away_mode: false
- backup_connection_host: december2n.duckdns.org
- backup_dns_server:
- buffer_size: 65538
- build_time: 2024-02-03T01:52:12.147368736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 64418
- default_group: NO GREE
- enable_debug_mode: true
- gc_threshold: 1.0485772e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485772e+07
- mutex: a73ea09a-fffa-47fc-8cf2-8699258828eb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: december2nd.ddns.net
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8009
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - gK5vkTm6WAcfbiz.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe"
- Checks whether UAC is enabled
  Processes:
  - gK5vkTm6WAcfbiz.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3040 gK5vkTm6WAcfbiz.exe set thread context of PID 2448 gK5vkTm6WAcfbiz.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - gK5vkTm6WAcfbiz.exe: File opened for modification C:\Program Files (x86)\TCP Service\tcpsv.exe
  - gK5vkTm6WAcfbiz.exe: File created C:\Program Files (x86)\TCP Service\tcpsv.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - PID 2636 schtasks.exe
  - PID 2320 schtasks.exe
  - PID 2204 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  - PID 3040 gK5vkTm6WAcfbiz.exe (7 hits)
  - PID 2020 powershell.exe (1 hit)
  - PID 2588 powershell.exe (1 hit)
  - PID 2448 gK5vkTm6WAcfbiz.exe (3 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 2448 gK5vkTm6WAcfbiz.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 3040 gK5vkTm6WAcfbiz.exe
  - Token: SeDebugPrivilege, PID 2020 powershell.exe
  - Token: SeDebugPrivilege, PID 2588 powershell.exe
  - Token: SeDebugPrivilege, PID 2448 gK5vkTm6WAcfbiz.exe (2 hits)
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (source PID -> target PID, with hit counts):
  - PID 3040 gK5vkTm6WAcfbiz.exe wrote to memory of PID 2020 powershell.exe (4 hits)
  - PID 3040 gK5vkTm6WAcfbiz.exe wrote to memory of PID 2588 powershell.exe (4 hits)
  - PID 3040 gK5vkTm6WAcfbiz.exe wrote to memory of PID 2636 schtasks.exe (4 hits)
  - PID 3040 gK5vkTm6WAcfbiz.exe wrote to memory of PID 2448 gK5vkTm6WAcfbiz.exe (9 hits)
  - PID 2448 gK5vkTm6WAcfbiz.exe wrote to memory of PID 2320 schtasks.exe (4 hits)
  - PID 2448 gK5vkTm6WAcfbiz.exe wrote to memory of PID 2204 schtasks.exe (4 hits)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe (PID 3040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2020)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2588)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZYoQJBONC.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\schtasks.exe (PID 2636)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYoQJBONC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AF3.tmp"
    - Creates scheduled task(s)
  - Level 2: C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe (PID 2448)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\schtasks.exe (PID 2320)
      Command line: "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6CC7.tmp"
      - Creates scheduled task(s)
    - Level 3: C:\Windows\SysWOW64\schtasks.exe (PID 2204)
      Command line: "schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D45.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads