Analysis

max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 11:53

Behavioral task: behavioral1
Sample: Microsoft_Upgrade.exe
Resource: win7-20240221-en
General

Target: Microsoft_Upgrade.exe
Size: 637KB
MD5: c966dbcfcfd2b34349b69a64ca2d84b2
SHA1: a38239f0c1b582eb703a8a51c67894559cbddc17
SHA256: f7f198c7576f5b5445c13bc91959541534f1412cbadca9a33c929731f594514c
SHA512: e7e4ffa5c49f83b1b93f2ccf65d5a2d762c25368babaac73317121873a5ce95e342a842dbe60a00a2005b920acdc8f3ed5b570b478a0dfd23b3743757a04ff3c
SSDEEP: 12288:FYV6MorX7qzuC3QHO9FQVHPF51jgcaI8j9r66W6NYRC/wvL71fic:6BXu9HGaVHaI8j9m6W6NYA8pB
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: 54111.duckdns.org:54111
C2: 127.0.0.1:54111
Mutex: cfac1586-e1cf-4d97-b493-5e7e1dd40a32

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2019-02-12T06:39:37.387793036Z
bypass_user_account_control: true
bypass_user_account_control_data: (no value)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54111
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: cfac1586-e1cf-4d97-b493-5e7e1dd40a32
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 54111.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

The only reachable C2 is the dynamic-DNS name 54111.duckdns.org on TCP 54111; the 127.0.0.1 backup host is a dead fallback outside the operator's own machine. The flags run_on_startup, bypass_user_account_control and request_elevation describe persistence and privilege escalation; set_critical_process is the operational caveat for responders, since a process that has marked itself critical triggers a bugcheck (blue screen) if it is simply terminated, so isolate and image the host before killing the injected process.
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (process: Microsoft_Upgrade.exe)

UPX packed memory (yara rule "upx", 2 IoCs)
  behavioral2/memory/4368-0-0x0000000000DE0000-0x0000000000F4B000-memory.dmp
  behavioral2/memory/4368-9-0x0000000000DE0000-0x0000000000F4B000-memory.dmp

AutoIT Executable (yara rule "autoit_exe", 1 IoC)
AutoIT scripts compiled to PE executables.
  behavioral2/memory/4368-9-0x0000000000DE0000-0x0000000000F4B000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
  PID 4368 Microsoft_Upgrade.exe set thread context of PID 4748 RegSvcs.exe
Taken together with the five WriteProcessMemory events from 4368 into 4748 listed below, this is the process-hollowing pattern: the AutoIt dropper starts RegSvcs.exe, overwrites its memory with the payload and redirects the thread to the injected code. The unpacked NanoCore body therefore lives in the memory of PID 4748, not in the dropper on disk.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
  PID 3800 timeout.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 4748 RegSvcs.exe (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4748 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 4748 RegSvcs.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 4368 Microsoft_Upgrade.exe (3 events)

Suspicious use of SendNotifyMessage (3 IoCs)
  PID 4368 Microsoft_Upgrade.exe (3 events)

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4368 Microsoft_Upgrade.exe wrote to memory of PID 4748 RegSvcs.exe (5 events)
  PID 4368 Microsoft_Upgrade.exe wrote to memory of PID 3464 cmd.exe (3 events)
  PID 3464 cmd.exe wrote to memory of PID 3800 timeout.exe (3 events)
The three writes into each of cmd.exe and timeout.exe are what the sandbox records for any ordinary child-process creation and are not evidence of injection on their own; the five writes into RegSvcs.exe, paired with the SetThreadContext call above, are.
Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe (PID 4368)
  command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 4748, child of 4368)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    RegSvcs.exe (the .NET Services Installation Tool) is started with no arguments, whereas a legitimate invocation passes an assembly path. An argument-less RegSvcs.exe that stays resident, enumerates processes and acquires SeDebugPrivilege is the hollowed host running the injected payload.

  C:\Windows\SysWOW64\cmd.exe (PID 3464, child of 4368)
    command line: "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe"
    - Suspicious use of WriteProcessMemory
    The dropper deletes its own image from %TEMP% after a one-second delay, so the original file will be gone from a live host and must be recovered from the submission or from disk forensics. The image path is under SysWOW64 although the command line names System32: the 32-bit dropper is subject to file-system redirection, which also explains the 32-bit Framework (not Framework64) RegSvcs.exe chosen as the injection host.

    C:\Windows\SysWOW64\timeout.exe (PID 3800, child of 3464)
      command line: TimeOut 1
      - Delays execution with timeout.exe
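The process tree and the WriteProcessMemory/SetThreadContext signatures above describe three behaviours that are worth turning into detections: a process that writes into a child it spawned and then resets that child's thread context (hollowing), RegSvcs.exe started with no arguments by a parent in a user-writable directory, and a cmd.exe child that deletes its parent's image after a timeout. The Python below is an added example written for this page; it is not part of the sandbox report or of any sandbox tooling. It runs the three checks over a constructed, Sysmon-like event list that mirrors the report's PIDs, image paths and command lines. The event field names and the `type` values are assumptions of this example, and the last RegSvcs.exe row is a constructed benign control (a legitimate call with an assembly argument) to show the argument-less check does not fire on it.

```python
"""Behavioural detections for the hollowing and self-delete chain in the report.

Added example, not from the sandbox report. Events are Sysmon-style dicts; the
field names and `type` values are assumptions of this example.
"""
import re
from collections import defaultdict

# Constructed events mirroring the report's process tree and API signatures.
# The final row is a constructed benign control: RegSvcs.exe with an assembly path.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4368, "ppid": 2100,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe"'},
    {"type": "process_create", "pid": 4748, "ppid": 4368,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"'},
    *[{"type": "write_process_memory", "pid": 4368, "target_pid": 4748}] * 5,
    {"type": "set_thread_context", "pid": 4368, "target_pid": 4748},
    {"type": "process_create", "pid": 3464, "ppid": 4368,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F '
                r'"C:\Users\Admin\AppData\Local\Temp\Microsoft_Upgrade.exe"'},
    {"type": "process_create", "pid": 3800, "ppid": 3464,
     "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "TimeOut 1"},
    {"type": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" '
                r'"C:\Program Files\Vendor\Component.dll"'},
]

# Hosts that legitimately take an assembly path; an argument-less start is odd.
HOLLOW_HOSTS = {"regsvcs.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# "cmd /c timeout N & del <path>.exe" style delayed self-deletion.
SELF_DELETE_RE = re.compile(
    r"/c\s+timeout\b.*?&\s*(?:del|erase)\b.*?(?P<path>[A-Za-z]:\\[^\"]+\.exe)",
    re.IGNORECASE)


def _process_map(events):
    """pid -> process_create event, for parent/child lookups."""
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def _has_args(cmdline):
    """True if anything follows the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return bool(rest.strip())


def detect_hollowing(events):
    """Writes plus SetThreadContext into the same target: the hollowing pattern."""
    procs = _process_map(events)
    writes = defaultdict(int)
    ctx_targets = set()
    for e in events:
        key = (e.get("pid"), e.get("target_pid"))
        if e["type"] == "write_process_memory":
            writes[key] += 1
        elif e["type"] == "set_thread_context":
            ctx_targets.add(key)
    alerts = []
    for src, tgt in sorted(ctx_targets):
        if writes[(src, tgt)] == 0:
            continue  # SetThreadContext alone (e.g. a debugger) is not enough
        target = procs.get(tgt, {})
        alerts.append({"rule": "process_hollowing", "source_pid": src,
                       "target_pid": tgt, "target_image": target.get("image"),
                       "spawned_by_source": target.get("ppid") == src,
                       "writes": writes[(src, tgt)]})
    return alerts


def detect_argless_hollow_host(events):
    """RegSvcs.exe started with no arguments; records whether the parent is user-writable."""
    procs = _process_map(events)
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name not in HOLLOW_HOSTS or _has_args(e["cmdline"]):
            continue
        parent = procs.get(e["ppid"], {})
        alerts.append({"rule": "argless_hollow_host", "pid": e["pid"],
                       "image": e["image"], "parent_image": parent.get("image"),
                       "parent_in_user_writable_path":
                           bool(USER_WRITABLE.search(parent.get("image", "")))})
    return alerts


def detect_self_delete(events):
    """cmd.exe deleting an .exe after a timeout; flags when it is the parent's image."""
    procs = _process_map(events)
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = procs.get(e["ppid"], {})
        path = m.group("path")
        alerts.append({"rule": "delayed_self_delete", "pid": e["pid"],
                       "deleted_path": path,
                       "deletes_parent_image":
                           path.lower() == parent.get("image", "").lower()})
    return alerts


def run_detections(events):
    return (detect_hollowing(events) + detect_argless_hollow_host(events)
            + detect_self_delete(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events this yields exactly three alerts, one per rule, with the hollowing alert naming 4368 as the writer, 4748 (RegSvcs.exe) as the target spawned by the writer, and five writes; the benign RegSvcs.exe row is not flagged because it carries an argument. In a real pipeline the `write_process_memory` and `set_thread_context` events would come from an API-monitoring source (EDR or sandbox traces), since Sysmon process-creation events alone do not expose those calls.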