Analysis
  max time kernel:  137s
  max time network: 146s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        04-05-2024 11:53
Behavioral task: behavioral1
  Sample:   Microsoft_Upgrade.exe
  Resource: win7-20240221-en
General
  Target: Microsoft_Upgrade.exe
  Size:   637KB
  MD5:    c966dbcfcfd2b34349b69a64ca2d84b2
  SHA1:   a38239f0c1b582eb703a8a51c67894559cbddc17
  SHA256: f7f198c7576f5b5445c13bc91959541534f1412cbadca9a33c929731f594514c
  SHA512: e7e4ffa5c49f83b1b93f2ccf65d5a2d762c25368babaac73317121873a5ce95e342a842dbe60a00a2005b920acdc8f3ed5b570b478a0dfd23b3743757a04ff3c
  SSDEEP: 12288:FYV6MorX7qzuC3QHO9FQVHPF51jgcaI8j9r66W6NYRC/wvL71fic:6BXu9HGaVHaI8j9m6W6NYA8pB
Malware Config
Extracted
  Family:  nanocore
  Version: 1.2.2.0
  C2:      54111.duckdns.org:54111
           127.0.0.1:54111
  Mutex:   cfac1586-e1cf-4d97-b493-5e7e1dd40a32

  activate_away_mode:               true
  backup_connection_host:           127.0.0.1
  backup_dns_server:                8.8.4.4
  buffer_size:                      65535
  build_time:                       2019-02-12T06:39:37.387793036Z
  bypass_user_account_control:      true
  bypass_user_account_control_data:
  clear_access_control:             true
  clear_zone_identifier:            false
  connect_delay:                    4000
  connection_port:                  54111
  default_group:                    Default
  enable_debug_mode:                true
  gc_threshold:                     1.048576e+07
  keep_alive_timeout:               30000
  keyboard_logging:                 false
  lan_timeout:                      2500
  max_packet_size:                  1.048576e+07
  mutex:                            cfac1586-e1cf-4d97-b493-5e7e1dd40a32
  mutex_timeout:                    5000
  prevent_system_sleep:             false
  primary_connection_host:          54111.duckdns.org
  primary_dns_server:               8.8.8.8
  request_elevation:                true
  restart_delay:                    5000
  run_delay:                        0
  run_on_startup:                   true
  set_critical_process:             true
  timeout_interval:                 5000
  use_custom_dns_server:            false
  version:                          1.2.2.0
  wan_timeout:                      8000
Signatures

Deletes itself  1 IoCs
  Processes:
    pid   process
    2272  cmd.exe

  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2208-0-0x0000000000270000-0x00000000003DB000-memory.dmp    upx
    behavioral1/memory/2208-13-0x0000000000270000-0x00000000003DB000-memory.dmp   upx

AutoIT Executable  1 IoCs
  AutoIT scripts compiled to PE executables.
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2208-13-0x0000000000270000-0x00000000003DB000-memory.dmp   autoit_exe

Suspicious use of SetThreadContext  1 IoCs
  Processes:
    description                          pid   process                target process
    PID 2208 set thread context of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe

Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe  1 IoCs
  Processes:
    pid   process
    2580  timeout.exe

Suspicious behavior: EnumeratesProcesses  2 IoCs
  Processes:
    pid   process
    1100  RegSvcs.exe
    1100  RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  Processes:
    pid   process
    1100  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1100  RegSvcs.exe

Suspicious use of FindShellTrayWindow  3 IoCs
  Processes:
    pid   process
    2208  Microsoft_Upgrade.exe
    2208  Microsoft_Upgrade.exe
    2208  Microsoft_Upgrade.exe

Suspicious use of SendNotifyMessage  3 IoCs
  Processes:
    pid   process
    2208  Microsoft_Upgrade.exe
    2208  Microsoft_Upgrade.exe
    2208  Microsoft_Upgrade.exe

Suspicious use of WriteProcessMemory  17 IoCs
  Processes:
    description                       pid   process                target process
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 1100  2208  Microsoft_Upgrade.exe  RegSvcs.exe
    PID 2208 wrote to memory of 2272  2208  Microsoft_Upgrade.exe  cmd.exe
    PID 2208 wrote to memory of 2272  2208  Microsoft_Upgrade.exe  cmd.exe
    PID 2208 wrote to memory of 2272  2208  Microsoft_Upgrade.exe  cmd.exe
    PID 2208 wrote to memory of 2272  2208  Microsoft_Upgrade.exe  cmd.exe
    PID 2272 wrote to memory of 2580  2272  cmd.exe                timeout.exe
    PID 2272 wrote to memory of 2580  2272  cmd.exe                timeout.exe
    PID 2272 wrote to memory of 2580  2272  cmd.exe                timeout.exe
    PID 2272 wrote to memory of 2580  2272  cmd.exe                timeout.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe"
  PID: 2208
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    PID: 1100
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe"
    PID: 2272
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: TimeOut 1
      PID: 2580
      - Delays execution with timeout.exe