Analysis
- max time kernel: 128s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-04-2024 16:43

General
- Target: godhuntermode.exe
- Size: 203KB
- MD5: fa27771b02f19cbd8ffca1099538858a
- SHA1: ae591814aa4b40bc0ecf87a50d0fc1df9d16c7a7
- SHA256: 26fa94e684087b55f0d0ae839904aba0de3d6bd7f8fc2d19ddea18e6f66b8396
- SHA512: c985071e77314a5a3687a522fff337c3ee4b08d228b999694a6f5dbeaadd8b03f717b4c5c50526cb45cff319aaf666a7ddae63f402ed023e8246865750d821c8
- SSDEEP: 6144:OLV6Bta6dtJmakIM5GO3JM1fMKQqa7FPp0k4n:OLV6BtpmkWGpC78n
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: july-pty.at.ply.gg:32243
- Mutex: 67724526-acee-4fc3-8e87-76383b2ac38c

Configuration values:
- activate_away_mode: false
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2024-02-10T18:23:58.395796136Z
- bypass_user_account_control: false
- bypass_user_account_control_data: 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
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 32243
- default_group: triage
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 67724526-acee-4fc3-8e87-76383b2ac38c
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: july-pty.at.ply.gg
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files\\WPA Service\\wpasvc.exe" | godhuntermode.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | godhuntermode.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files\WPA Service\wpasvc.exe | godhuntermode.exe
  File opened for modification | C:\Program Files\WPA Service\wpasvc.exe | godhuntermode.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  944 | schtasks.exe
  2032 | schtasks.exe

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  64 entries in total, each one either 2296 godhuntermode.exe or 1084 taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  2296 | godhuntermode.exe

Suspicious behavior: LoadsDriver (6 IoCs)
Processes:
  pid
  4, 4, 4, 4, 4, 660

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2296 | godhuntermode.exe
  Token: SeDebugPrivilege | 2296 | godhuntermode.exe
  Token: SeDebugPrivilege | 1084 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1084 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1084 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  64 entries in total, all 1084 taskmgr.exe

Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
  pid | process
  64 entries in total, all 1084 taskmgr.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description | pid | process | target process
  PID 2296 wrote to memory of 944 | 2296 | godhuntermode.exe | schtasks.exe
  PID 2296 wrote to memory of 944 | 2296 | godhuntermode.exe | schtasks.exe
  PID 2296 wrote to memory of 2032 | 2296 | godhuntermode.exe | schtasks.exe
  PID 2296 wrote to memory of 2032 | 2296 | godhuntermode.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe"
  PID: 2296
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3EDE.tmp"
    PID: 944
    - Creates scheduled task(s)
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3F2D.tmp"
    PID: 2032
    - Creates scheduled task(s)

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1084
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3244

- C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\godhuntermode.exe"
  PID: 4968
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads