Analysis
  max time kernel: 134s
  max time network: 143s
  platform: windows7_x64
  resource: win7-20240419-en
  resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  submitted: 29-04-2024 04:28
  Static task: static1
  Behavioral task: behavioral1
  Sample: gK5vkTm6WAcfbiz.exe
  Resource: win7-20240419-en
General
  Target: gK5vkTm6WAcfbiz.exe
  Size: 630KB
  MD5: 55abd8961bb1559aacdd14bc4abe2948
  SHA1: cff001eea9b43d712fbcc4cf9fb9b136f8c4109d
  SHA256: 0117ba3b90a77a00da548bf15490d6623de69e535d75fbbce8279b91c82f5ef6
  SHA512: e5a6e38bc943c2b6fe7c157f3e719303c7b216edf3d483dd7c2b7a4267dd3d0d6b500015ef96d3c041e2032e6aabec6787bebb6f4af3f2070d9cb9fa8d2b4c2b
  SSDEEP: 12288:KjB778QTJ4oNyNN1N84trNRngS5B2/JD3CJMJjEebEPs18VT1IMajPsWj6Mr:UBlJ4tNXN84NgSUtCW1EeAaihaDsWj6Q
Malware Config
  Extracted family: nanocore
  Version: 1.2.2.0
  C2: december2nd.ddns.net:64418
  C2: december2n.duckdns.org:64418
  Mutex: a73ea09a-fffa-47fc-8cf2-8699258828eb

  activate_away_mode: false
  backup_connection_host: december2n.duckdns.org
  backup_dns_server:
  buffer_size: 65538
  build_time: 2024-02-03T01:52:12.147368736Z
  bypass_user_account_control: false
  bypass_user_account_control_data:
  clear_access_control: false
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 64418
  default_group: NO GREE
  enable_debug_mode: true
  gc_threshold: 1.0485772e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.0485772e+07
  mutex: a73ea09a-fffa-47fc-8cf2-8699258828eb
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: december2nd.ddns.net
  primary_dns_server:
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: false
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8009
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: gK5vkTm6WAcfbiz.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe"

- Checks whether UAC is enabled (1 IoC)
  Process: gK5vkTm6WAcfbiz.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

- Suspicious use of SetThreadContext (1 IoC)
  PID 2012 (gK5vkTm6WAcfbiz.exe) set thread context of PID 2516 (gK5vkTm6WAcfbiz.exe)

- Drops file in Program Files directory (2 IoCs)
  Process: gK5vkTm6WAcfbiz.exe
  File created: C:\Program Files (x86)\DOS Manager\dosmgr.exe
  File opened for modification: C:\Program Files (x86)\DOS Manager\dosmgr.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 2748), schtasks.exe (PID 2844), schtasks.exe (PID 2904)

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 2012 gK5vkTm6WAcfbiz.exe (7 events)
  PID 2700 powershell.exe (1 event)
  PID 1648 powershell.exe (1 event)
  PID 2516 gK5vkTm6WAcfbiz.exe (3 events)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2516 gK5vkTm6WAcfbiz.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Token: SeDebugPrivilege, PID 2012 gK5vkTm6WAcfbiz.exe
  Token: SeDebugPrivilege, PID 2700 powershell.exe
  Token: SeDebugPrivilege, PID 1648 powershell.exe
  Token: SeDebugPrivilege, PID 2516 gK5vkTm6WAcfbiz.exe (2 events)

- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 2012 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 1648 (powershell.exe): 4 events
  PID 2012 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 2700 (powershell.exe): 4 events
  PID 2012 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 2748 (schtasks.exe): 4 events
  PID 2012 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 2516 (gK5vkTm6WAcfbiz.exe): 9 events
  PID 2516 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 2844 (schtasks.exe): 4 events
  PID 2516 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 2904 (schtasks.exe): 4 events
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe (PID 2012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1648)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2700)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZYoQJBONC.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\schtasks.exe (PID 2748)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYoQJBONC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EC1.tmp"
    - Creates scheduled task(s)

  Level 2: C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe (PID 2516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\schtasks.exe (PID 2844)
      Command line: "schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8102.tmp"
      - Creates scheduled task(s)

    Level 3: C:\Windows\SysWOW64\schtasks.exe (PID 2904)
      Command line: "schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8161.tmp"
      - Creates scheduled task(s)
Downloads