Analysis
max time kernel: 101s
max time network: 98s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 14-05-2024 06:47

Static task: static1
Behavioral task: behavioral1
  Sample: nje91q.zip
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: nje91q.zip
  Resource: win10v2004-20240426-en
General
Target: nje91q.zip
Size: 632KB
MD5: f85c33dc9b710080b0691cb9170a0924
SHA1: a5ffe397ce816453a59992da2d545aefb53cdd23
SHA256: 14f41e52e85831bb42d9122b038fe76e86bc084e10636d086a4bd9f7f26abc97
SHA512: ed126ca04306853ba28e298fe890829932406cc376c2460e5def5695b59bf79b9981222333d8a168af4c753603f6813a7533776324aa33f402369fc9ae928a76
SSDEEP: 12288:rUwiC/+f9QM+Uug1e+12zqguO2zhnp7clY/3lqH98PM:4wv8QM+Uug132zRuO20lA4d8PM
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: december2nd.ddns.net:65024
C2: december2n.duckdns.org:65024
Mutex: 2c009a56-c28c-48f4-8875-acf9e1222e9f

Both C2 hosts are dynamic-DNS names on the same non-standard port (65024), so block and hunt on the host:port pairs rather than on IPs, which will rotate. The GUID is both the mutex and the identifier carried in the config header; it is a usable host-based indicator. set_critical_process is true: if the implant manages to mark itself critical, terminating it bugchecks the host, so remove the persistence recorded below (Run key, the three scheduled tasks, isshost.exe) before killing the process. Note also that run_on_startup is false in the config while the run still recorded Run-key and scheduled-task persistence, so do not scope cleanup from the config flags alone.

Attributes:
  activate_away_mode: false
  backup_connection_host: december2n.duckdns.org
  backup_dns_server:
  buffer_size: 65535
  build_time: 2024-02-17T09:12:36.211032636Z
  bypass_user_account_control: false
  bypass_user_account_control_data:
  clear_access_control: false
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 65024
  default_group: NO GREE
  enable_debug_mode: true
  gc_threshold: 10485760 (10 MiB)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 10485760 (10 MiB)
  mutex: 2c009a56-c28c-48f4-8875-acf9e1222e9f
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: december2nd.ddns.net
  primary_dns_server:
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  PID 1860 powershell.exe
  PID 2388 powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  RegSvcs.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host = "C:\\Program Files (x86)\\ISS Host\\isshost.exe"

Drops file in System32 directory (2 IoCs)
Processes:
  powershell.exe (one event per instance): File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
The literal, unexpanded %ProgramData% under SysWOW64 is powershell.exe opening its own Start Menu shortcut; it shows up in most sandboxed PowerShell runs and is not a malware drop.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3008 (63HiIJrDNvEfDcl.exe) set thread context of PID 1364 (RegSvcs.exe)
Taken with the twelve WriteProcessMemory events from 3008 into 1364 below and the 232KB image dumped from 1364 at 0x400000-0x43A000, this is consistent with process hollowing: the dropper creates RegSvcs.exe, writes the NanoCore payload into it and redirects its thread to the new image. RegSvcs.exe is then the process that sets the Run key, drops isshost.exe and registers the tasks.

Drops file in Program Files directory (2 IoCs)
Processes:
  RegSvcs.exe: File created C:\Program Files (x86)\ISS Host\isshost.exe
  RegSvcs.exe: File opened for modification C:\Program Files (x86)\ISS Host\isshost.exe

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 2484 schtasks.exe
  PID 1992 schtasks.exe
  PID 2820 schtasks.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  PID 3008 63HiIJrDNvEfDcl.exe (7 events)
  PID 2388 powershell.exe (1 event)
  PID 1860 powershell.exe (1 event)
  PID 1364 RegSvcs.exe (3 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 1364 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 3008 63HiIJrDNvEfDcl.exe
  Token: SeDebugPrivilege, PID 2388 powershell.exe
  Token: SeDebugPrivilege, PID 1860 powershell.exe
  Token: SeDebugPrivilege, PID 1364 RegSvcs.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
  PID 3008 (63HiIJrDNvEfDcl.exe) wrote to memory of PID 1860 (powershell.exe): 4 events
  PID 3008 (63HiIJrDNvEfDcl.exe) wrote to memory of PID 2388 (powershell.exe): 4 events
  PID 3008 (63HiIJrDNvEfDcl.exe) wrote to memory of PID 2484 (schtasks.exe): 4 events
  PID 3008 (63HiIJrDNvEfDcl.exe) wrote to memory of PID 1364 (RegSvcs.exe): 12 events
  PID 1364 (RegSvcs.exe) wrote to memory of PID 1992 (schtasks.exe): 4 events
  PID 1364 (RegSvcs.exe) wrote to memory of PID 2820 (schtasks.exe): 4 events
Four writes per spawned child is the baseline this sandbox records for every process creation in the run; the twelve into RegSvcs.exe are the outlier and correspond to the payload image being written in.
Processes
The dropper is a 32-bit process running under WOW64 on the x64 image: its children are the SysWOW64 powershell.exe and schtasks.exe even though the command lines name System32, and the Run key lands under Wow6432Node. Hunts on this chain need both the System32 and the SysWOW64 image paths. The Defender exclusion for C:\Users\Admin\AppData\Roaming\vrwJUPrQkQA.exe and the task Updates\vrwJUPrQkQA point at a copy in %APPDATA% that this run does not record being written. verclsid.exe is Explorer's shell-extension verifier, launched when the zip was opened, and is benign.

- C:\Windows\Explorer.exe
  command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\nje91q.zip
- C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
- C:\Windows\explorer.exe
  command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\verclsid.exe
  command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
- C:\Users\Admin\AppData\Local\Temp\Temp1_nje91q.zip\63HiIJrDNvEfDcl.exe (PID 3008)
  command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_nje91q.zip\63HiIJrDNvEfDcl.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Temp1_nje91q.zip\63HiIJrDNvEfDcl.exe"
    signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vrwJUPrQkQA.exe"
    signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2484)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vrwJUPrQkQA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp"
    signatures: Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1364)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "ISS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E83.tmp"
      signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "ISS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7EF1.tmp"
      signatures: Creates scheduled task(s)
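The signatures and the process tree above describe one chain: a dropper in %TEMP% adds Defender exclusions through PowerShell, registers a task from an XML in %TEMP%, launches RegSvcs.exe with no arguments and hollows it, and the hollowed process sets a Run key. The following is an added example, not code from the sandbox vendor or from the sample, of detection logic that correlates those four behaviours per process tree. The events are constructed to mirror this report (PIDs, image paths and command lines are taken from it; the explorer PID 1004 and the event dictionaries are assumptions standing in for real Sysmon or EDR telemetry).

```python
"""Detection logic for the chain in this report: PowerShell adding a Defender
exclusion, schtasks persistence from an XML in %TEMP%, RegSvcs.exe launched
bare by the dropper (the hollowing target) and a Run-key entry. Events are
constructed to mirror the report; the explorer PID 1004 is an assumption."""
import re
from collections import defaultdict

USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Temp1_nje91q.zip\63HiIJrDNvEfDcl.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

EVENTS = [  # constructed; ordered as the sandbox reported them
    {"type": "proc", "pid": 1004, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "proc", "pid": 3008, "ppid": 1004, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"type": "proc", "pid": 1860, "ppid": 3008, "image": PS,
     "cmd": f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPER}"'},
    {"type": "proc", "pid": 2388, "ppid": 3008, "image": PS,
     "cmd": f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Users\\Admin\\AppData\\Roaming\\vrwJUPrQkQA.exe"'},
    {"type": "proc", "pid": 2484, "ppid": 3008, "image": ST,
     "cmd": f'"{ST}" /Create /TN "Updates\\vrwJUPrQkQA" /XML "{TEMP}\\tmp7C9F.tmp"'},
    {"type": "proc", "pid": 1364, "ppid": 3008, "image": REGSVCS, "cmd": f'"{REGSVCS}"'},
    {"type": "reg", "pid": 1364, "value": r"C:\Program Files (x86)\ISS Host\isshost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Host"},
    {"type": "proc", "pid": 1992, "ppid": 1364, "image": ST,
     "cmd": f'"{ST}" /create /f /tn "ISS Host" /xml "{TEMP}\\tmp7E83.tmp"'},
    {"type": "proc", "pid": 2820, "ppid": 1364, "image": ST,
     "cmd": f'"{ST}" /create /f /tn "ISS Host Task" /xml "{TEMP}\\tmp7EF1.tmp"'},
]

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def from_user_writable(path):
    return any(s in path.lower() for s in USER_WRITABLE)

def index_processes(events):
    return {e["pid"]: e for e in events if e["type"] == "proc"}

def root_of(pid, procs):
    """Top-most ancestor that runs from a user-writable directory (the dropper);
    falls back to the top of the known chain."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    writable = [p for p in chain if from_user_writable(procs[p]["image"])]
    return writable[-1] if writable else (chain[-1] if chain else pid)

def rule_defender_exclusion(ev, procs):
    # T1562.001: Add-MpPreference -Exclusion{Path,Process,Extension} via PowerShell
    if ev["type"] == "proc" and basename(ev["image"]) == "powershell.exe" and re.search(
            r"add-mppreference\s+-exclusion(path|process|extension)", ev["cmd"], re.I):
        return "defender_exclusion"

def rule_schtasks_xml_from_temp(ev, procs):
    # T1053.005: task registered from a definition file that lives in %TEMP%
    if ev["type"] == "proc" and basename(ev["image"]) == "schtasks.exe":
        cmd = ev["cmd"].lower()
        if "/create" in cmd and "/xml" in cmd and r"\appdata\local\temp" in cmd:
            return "schtasks_xml_from_temp"

def rule_hollowed_regsvcs(ev, procs):
    # T1055.012: RegSvcs.exe normally receives an assembly path; a bare launch
    # from a user-writable parent is the SetThreadContext pattern in the report
    if ev["type"] == "proc" and basename(ev["image"]) == "regsvcs.exe":
        parent = procs.get(ev["ppid"])
        bare = re.fullmatch(r'\s*"?[^"]*regsvcs\.exe"?\s*', ev["cmd"], re.I)
        if bare and parent and from_user_writable(parent["image"]):
            return "hollowed_regsvcs"

def rule_run_key(ev, procs):
    # T1547.001: Run key written by a process inside the dropper's tree
    if ev["type"] == "reg" and re.search(r"\\currentversion\\run\\", ev["key"], re.I):
        return "run_key_persistence"

RULES = (rule_defender_exclusion, rule_schtasks_xml_from_temp, rule_hollowed_regsvcs, rule_run_key)

def correlate(events):
    """Map each root process to the sorted techniques seen anywhere in its tree."""
    procs = index_processes(events)
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            tag = rule(ev, procs)
            if tag:
                hits[root_of(ev["pid"], procs)].add(tag)
    return {root: sorted(tags) for root, tags in hits.items()}

def alerts(events, threshold=3):
    """Roots showing at least `threshold` distinct techniques: one exclusion or
    one task is noisy on its own, the combination is not."""
    return {r: t for r, t in correlate(events).items() if len(t) >= threshold}
```

Attributing every hit to the top-most user-writable ancestor is what makes the RegSvcs.exe Run key and the two tasks it spawns land on the dropper rather than on a Microsoft-signed binary; a per-process view would score RegSvcs.exe as the offender and miss the exclusion that was set before it ever ran.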
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7C9F.tmp (task definition passed to schtasks /Create /TN "Updates\vrwJUPrQkQA")
  Filesize: 1KB
  MD5: 7c9a9c83ac0ae2abd4053fb4f16c0a76
  SHA1: 67ffcb1749a038ee73e689d87b19b23d0ef3104d
  SHA256: abd07821d0f2f75bdf03a69be00e36cf9e2957892e08796c499ab0c7bccf65d2
  SHA512: 4a5bd41f8eacd4529a5c766cdd6450fcd2a9626910769086e659845775970e7eeb2ce227f8f02f3431b5c8b226f2b0f8e58a5a1a0d8293e6c52f320b13e875f6

C:\Users\Admin\AppData\Local\Temp\tmp7E83.tmp (task definition passed to schtasks /create /tn "ISS Host")
  Filesize: 1KB
  MD5: 8cad1b41587ced0f1e74396794f31d58
  SHA1: 11054bf74fcf5e8e412768035e4dae43aa7b710f
  SHA256: 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
  SHA512: 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp7EF1.tmp (task definition passed to schtasks /create /tn "ISS Host Task")
  Filesize: 1KB
  MD5: 3d1580c0395f6de62659467f5b7f1acf
  SHA1: 8e73a3885896cecca7ff799a272fc9ddfe06ea96
  SHA256: 6f40196c42a171f24a3e16edeca664cdc5a2f7c150d468255b0e14ab10a2b714
  SHA512: 7637c0d9b03227dffcb00a68d97ddce60bfc40ca0f8a7a4bbd700ea56be6d570908511dea5cab9f609a7da2e558e5298c482fd1e330af085f9c52867d5a847ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3T0WR6IBHYQ412XI7P5T.temp (Explorer jump-list artefact from opening the zip, not a malware drop)
  Filesize: 7KB
  MD5: ddf579040018c49f1d915cf2d062b8cb
  SHA1: c69daa8b8bf88ecd361b3e05f9b073d0dcf7bd73
  SHA256: 665476cf6da09d9423f309df2091aa30db3d55f27fa5c04edc662dbb337ca945
  SHA512: 2f6c6ad057dcff7fa82bbfcdccab233a74dd8901d09d40b1d7d4666b23995991fef89487efd11421435d9d93ca57e8f83b82380cea2015a987684473c4e71f0a

Memory dumps (memory/PID-index-start-end-memory.dmp: size)
PID 3008 (63HiIJrDNvEfDcl.exe):
  memory/3008-0-0x0000000000EF0000-0x0000000000F9C000-memory.dmp: 688KB
  memory/3008-1-0x0000000000BA0000-0x0000000000BBE000-memory.dmp: 120KB
  memory/3008-2-0x00000000005E0000-0x00000000005F0000-memory.dmp: 64KB
  memory/3008-3-0x0000000000630000-0x0000000000646000-memory.dmp: 88KB
  memory/3008-4-0x0000000005D60000-0x0000000005DDC000-memory.dmp: 496KB
PID 1364 (RegSvcs.exe):
  memory/1364-17-0x0000000000400000-0x000000000043A000-memory.dmp: 232KB
  memory/1364-19-0x0000000000400000-0x000000000043A000-memory.dmp: 232KB
  memory/1364-21-0x0000000000400000-0x000000000043A000-memory.dmp: 232KB
  memory/1364-23-0x0000000000400000-0x000000000043A000-memory.dmp: 232KB
  memory/1364-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
  memory/1364-26-0x0000000000400000-0x000000000043A000-memory.dmp: 232KB
  memory/1364-27-0x0000000000400000-0x000000000043A000-memory.dmp: 232KB
  memory/1364-28-0x0000000000400000-0x000000000043A000-memory.dmp: 232KB
  memory/1364-36-0x0000000000440000-0x000000000044A000-memory.dmp: 40KB
  memory/1364-37-0x0000000000450000-0x000000000045C000-memory.dmp: 48KB
  memory/1364-38-0x0000000000970000-0x000000000098E000-memory.dmp: 120KB
  memory/1364-39-0x00000000009D0000-0x00000000009DA000-memory.dmp: 40KB

The 688KB dump at 0xEF0000 in 3008 is most likely the dropper's own mapped image (632KB on disk). The region dumped seven times from 1364 at 0x400000-0x43A000 is the image the dropper wrote into RegSvcs.exe and is the one to carve for the NanoCore payload and its config; the later snapshots of the same range show it after unpacking.
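When pulling one of the dumps above for carving, the first check is whether the blob really starts with a PE image and whether that image's ImageBase and SizeOfImage match the dumped range; a 232KB image based at 0x400000 inside RegSvcs.exe is the hollowed-in payload. The following is an added example of that triage, not code from the sandbox or the sample; the dump-name format is the one used on this page, and build_test_pe() produces a constructed minimal PE32 header for demonstration, not the sample's bytes.

```python
"""Triage of a sandbox memory dump: parse the dump name for PID and address
range, parse the DOS/NT headers at offset 0, and compare ImageBase and
SizeOfImage with the dumped range. The PE bytes from build_test_pe() are a
constructed minimal header, not the sample."""
import re
import struct

DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

def parse_dump_name(name):
    """'memory/1364-21-0x...400000-0x...43A000-memory.dmp' -> (1364, 21, 0x400000, 0x43A000)."""
    m = DUMP_NAME.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    pid, idx, start, end = m.groups()
    return int(pid), int(idx), int(start, 16), int(end, 16)

def pe_info(blob):
    """Parse DOS and NT headers at offset 0; None if the blob is not a PE image."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if opt + 60 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                       # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        return None
    return {
        "machine": machine, "sections": nsections, "pe32plus": magic == 0x20B,
        "dll": bool(chars & 0x2000),
        "entry_rva": struct.unpack_from("<I", blob, opt + 16)[0],
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", blob, opt + 56)[0],  # same offset in both formats
    }

def triage(dump_name, blob):
    """Relate the header found in a dump to the dump's address range. base_matches
    and size_matches both true at RegSvcs.exe's 0x400000 means a complete
    injected image that can be carved as-is."""
    pid, idx, start, end = parse_dump_name(dump_name)
    info = pe_info(blob)
    result = {"pid": pid, "index": idx, "range_size": end - start, "pe": info is not None}
    if info:
        result["base_matches"] = info["image_base"] == start
        result["size_matches"] = info["size_of_image"] == end - start
        result["entry_va"] = info["image_base"] + info["entry_rva"]
    return result

def build_test_pe(image_base=0x400000, size_of_image=0x3A000):
    """Constructed minimal PE32 header with no sections, sized like the 232KB
    region dumped from PID 1364; test input only, not the sample's bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

A dump whose range is larger than SizeOfImage usually means the sandbox merged adjacent allocations; one whose ImageBase differs from the range start has been relocated or is a payload built for a different base, and needs its relocations applied before static tools will resolve addresses correctly.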