Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 09:20
- static task: static1
- behavioral task: behavioral1
  - sample: PO-B1120017228.exe
  - resource: win7-20240221-en
General
- Target: PO-B1120017228.exe
- Size: 256KB
- MD5: 8c810e18058e24ff54a30a44e040569a
- SHA1: b0329f16013e786898cd75c101565fa70850be03
- SHA256: 0e07d406f33fbf19219ea60e644cfd634fc8c934508bb608a6a1a3f13db1cc5a
- SHA512: f9beeaf52b85d01596382b2d5a64922332fea7f4894c24eeeae45ad07ba80cd70800a81e29f13922accc1d922b0ba56e8456a24bd03f0f1e51c623f2cc6726e1
- SSDEEP: 6144:PZJR0bf1uc1p4wp/vNClO74ahHmJGhygfke7WLSaRnG:hiD1pR/Vv74aJygfkeSLv
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: happiboi.hopto.org:1122
- Mutex: 985ac1b8-7476-4608-8827-7b04eef2179c
- activate_away_mode: true
- backup_connection_host: happiboi.hopto.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-06-08T16:18:15.234143736Z
- bypass_user_account_control: false
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 1122
- default_group: Jnr Boi
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 985ac1b8-7476-4608-8827-7b04eef2179c
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: happiboi.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe.lnk (process: PO-B1120017228.exe)

Executes dropped EXE (1 IoC)
- pid 2644 tmp.exe

Loads dropped DLL (4 IoCs)
- pid 1688 PO-B1120017228.exe (4 events)

Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: PO-B1120017228.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 1688 set thread context of 1708 (PO-B1120017228.exe -> PO-B1120017228.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
- pid 2864 timeout.exe

NTFS ADS (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe:Zone.Identifier (process: cmd.exe)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
- pid 1688 PO-B1120017228.exe (4 events)
- pid 1708 PO-B1120017228.exe (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid 1708 PO-B1120017228.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, pid 1688 PO-B1120017228.exe
- Token: 33, pid 1688 PO-B1120017228.exe
- Token: SeIncBasePriorityPrivilege, pid 1688 PO-B1120017228.exe
- Token: SeDebugPrivilege, pid 1708 PO-B1120017228.exe

Suspicious use of WriteProcessMemory (33 IoCs)
- PID 1688 wrote to memory of 2936 (PO-B1120017228.exe -> cmd.exe), 4 events
- PID 2936 wrote to memory of 2560 (cmd.exe -> reg.exe), 4 events
- PID 1688 wrote to memory of 2644 (PO-B1120017228.exe -> tmp.exe), 4 events
- PID 1688 wrote to memory of 1708 (PO-B1120017228.exe -> PO-B1120017228.exe), 9 events
- PID 1688 wrote to memory of 2504 (PO-B1120017228.exe -> cmd.exe), 4 events
- PID 1708 wrote to memory of 2480 (PO-B1120017228.exe -> schtasks.exe), 4 events
- PID 2504 wrote to memory of 2864 (cmd.exe -> timeout.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2936)
    Command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2560)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.lnk" /f
  - C:\Users\Admin\AppData\Roaming\tmp.exe (PID 2644)
    Command line: "C:\Users\Admin\AppData\Roaming\tmp.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe (PID 1708)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO-B1120017228.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2480)
      Command line: "schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5C34.tmp"
      - Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 2504)
    Command line: cmd /c C:\Users\Admin\AppData\Roaming\winlogon\winlogon.exe.bat
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 2864)
      Command line: timeout /t 300
      - Delays execution with timeout.exe
Downloads
- Filesize: 1KB
  MD5: e5cc560fef620b58811b19ec54168440
  SHA1: a6d5d68e2009bb12ffd49c5251d26fe973f7e10f
  SHA256: 82da477cdf0dc2ed8197afd69d702e34240578250c233b489dfe5e8472f56b75
  SHA512: 64e5b751072bb0eea1b36dd6385be0b824e90db08fac384ce02f63a51b9a23ad7efd2ac7c71d5c2f1f2f7018c881335dae321ed96c821adca5d9b58ed6ec7bb6
- Filesize: 256KB
  MD5: 8c810e18058e24ff54a30a44e040569a
  SHA1: b0329f16013e786898cd75c101565fa70850be03
  SHA256: 0e07d406f33fbf19219ea60e644cfd634fc8c934508bb608a6a1a3f13db1cc5a
  SHA512: f9beeaf52b85d01596382b2d5a64922332fea7f4894c24eeeae45ad07ba80cd70800a81e29f13922accc1d922b0ba56e8456a24bd03f0f1e51c623f2cc6726e1
- Filesize: 194B
  MD5: a6a348e297488daf6ff46dfa30aae8b2
  SHA1: df8d695405da71f61dc6640882ce942271ae5695
  SHA256: 877588837ba56aebb4e60e060f881401a081fdc852e6cdea71086d86b6f82daa
  SHA512: 82227ba2d19b6b8ee1fe0f4a034b1725a33fb524d53bc045c471da724798ccd2327173fb1b113056a31e09fd228059f6335050ceeb4c0f33f349b60caa49a3ba
- Filesize: 203KB
  MD5: aee43daf7741caca297366c1b3847064
  SHA1: 1489823a4d9b9a1af0c0b68d4f9736b2e4e8760c
  SHA256: 86f69803a5ef3352b380deeb1f13a31ea64a284ef468aa383c18a362f0136533
  SHA512: 2ae87b23504e2fa2b5cf971c3aa90dd5169b7d867608e1ed03519545904bcf512a2798cd1efb2cd781a96e7e146ce346cd2470fb77fcf9a8633928fee31f7f15