Analysis
- max time kernel: 140s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-04-2024 04:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: gK5vkTm6WAcfbiz.exe
- Resource: win7-20240419-en
General
- Target: gK5vkTm6WAcfbiz.exe
- Size: 630KB
- MD5: 55abd8961bb1559aacdd14bc4abe2948
- SHA1: cff001eea9b43d712fbcc4cf9fb9b136f8c4109d
- SHA256: 0117ba3b90a77a00da548bf15490d6623de69e535d75fbbce8279b91c82f5ef6
- SHA512: e5a6e38bc943c2b6fe7c157f3e719303c7b216edf3d483dd7c2b7a4267dd3d0d6b500015ef96d3c041e2032e6aabec6787bebb6f4af3f2070d9cb9fa8d2b4c2b
- SSDEEP: 12288:KjB778QTJ4oNyNN1N84trNRngS5B2/JD3CJMJjEebEPs18VT1IMajPsWj6Mr:UBlJ4tNXN84NgSUtCW1EeAaihaDsWj6Q
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: december2nd.ddns.net:64418, december2n.duckdns.org:64418
- Mutex: a73ea09a-fffa-47fc-8cf2-8699258828eb
- activate_away_mode: false
- backup_connection_host: december2n.duckdns.org
- backup_dns_server:
- buffer_size: 65538
- build_time: 2024-02-03T01:52:12.147368736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 64418
- default_group: NO GREE
- enable_debug_mode: true
- gc_threshold: 1.0485772e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485772e+07
- mutex: a73ea09a-fffa-47fc-8cf2-8699258828eb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: december2nd.ddns.net
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8009
Signatures
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: gK5vkTm6WAcfbiz.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation (process: gK5vkTm6WAcfbiz.exe)
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: gK5vkTm6WAcfbiz.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" (process: gK5vkTm6WAcfbiz.exe)
-
Checks whether UAC is enabled
Processes: gK5vkTm6WAcfbiz.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: gK5vkTm6WAcfbiz.exe)
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: gK5vkTm6WAcfbiz.exe
- PID 2624 (gK5vkTm6WAcfbiz.exe) set thread context of PID 1636 (gK5vkTm6WAcfbiz.exe)
-
Drops file in Program Files directory (2 IoCs)
Processes: gK5vkTm6WAcfbiz.exe
- File created: C:\Program Files (x86)\DHCP Host\dhcphost.exe (process: gK5vkTm6WAcfbiz.exe)
- File opened for modification: C:\Program Files (x86)\DHCP Host\dhcphost.exe (process: gK5vkTm6WAcfbiz.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
- PID 1044 schtasks.exe
- PID 4620 schtasks.exe
- PID 824 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: gK5vkTm6WAcfbiz.exe, powershell.exe
- PID 2624 gK5vkTm6WAcfbiz.exe (9 events)
- PID 4080 powershell.exe (2 events)
- PID 4040 powershell.exe (2 events)
- PID 1636 gK5vkTm6WAcfbiz.exe (3 events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: gK5vkTm6WAcfbiz.exe
- PID 1636 gK5vkTm6WAcfbiz.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: gK5vkTm6WAcfbiz.exe, powershell.exe
- Token: SeDebugPrivilege, PID 2624 gK5vkTm6WAcfbiz.exe
- Token: SeDebugPrivilege, PID 4080 powershell.exe
- Token: SeDebugPrivilege, PID 4040 powershell.exe
- Token: SeDebugPrivilege, PID 1636 gK5vkTm6WAcfbiz.exe (2 events)
-
Suspicious use of WriteProcessMemory (26 IoCs)
Processes: gK5vkTm6WAcfbiz.exe
- PID 2624 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 4080 (powershell.exe), 3 events
- PID 2624 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 4040 (powershell.exe), 3 events
- PID 2624 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 1044 (schtasks.exe), 3 events
- PID 2624 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 972 (gK5vkTm6WAcfbiz.exe), 3 events
- PID 2624 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 1636 (gK5vkTm6WAcfbiz.exe), 8 events
- PID 1636 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 4620 (schtasks.exe), 3 events
- PID 1636 (gK5vkTm6WAcfbiz.exe) wrote to memory of PID 824 (schtasks.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe (PID 2624, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4080, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4040, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZYoQJBONC.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 1044, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZYoQJBONC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8906.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe (PID 972, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
  - C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe (PID 1636, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gK5vkTm6WAcfbiz.exe"
    Signatures: Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 4620, depth 3)
      Command line: "schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8D8A.tmp"
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (PID 824, depth 3)
      Command line: "schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F31.tmp"
      Signatures: Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads