Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 08:54
Static task: static1
Behavioral task: behavioral1
Sample: Scan00223.exe
Resource: win7-20240221-en
General

Target: Scan00223.exe
Size: 1.2MB
MD5: 5cdc2ba3ecb6b8b18d2ee2abacaa1eec
SHA1: af6e083f4bc6ea922ea86d2e5809945c2444d561
SHA256: e1cbe1e9e86779580e6a3b92e68d38d3fbeb40dc3b6f10e5bcdd1078ec87023e
SHA512: d7d67fcf0fbd2c5738c0c2a6e9771c8c8e53cb4ec265e4c0cbcfdd0474e758b11675589c4ff09124d1f104b8266aff062fab23d05055d2916eb1ed8865699f6b
SSDEEP: 24576:OAHnh+eWsN3skA4RV1Hom2KXMmHasw4aCntfV0I5:5h+ZkldoPK8Yas3L
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: 185.244.31.187:3000
Mutex: 85b72eaa-435b-4ed4-afb0-2dc6909a8443

activate_away_mode: true
backup_connection_host: 185.244.31.187
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-11-25T09:02:14.508155636Z
bypass_user_account_control: false
bypass_user_account_control_data: (omitted)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 3000
default_group: FEB
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 85b72eaa-435b-4ed4-afb0-2dc6909a8443
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 185.244.31.187
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (Scan00223.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (BrowserSettingSync.exe)

Executes dropped EXE (2 IoCs)
Processes:
- PID 4788: BrowserSettingSync.exe
- PID 5008: BrowserSettingSync.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" (RegAsm.exe)
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)
AutoIT Executable (1 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
- resource: C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe, yara_rule: autoit_exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 2712 (Scan00223.exe) set thread context of PID 2244 (RegAsm.exe)
- PID 4788 (BrowserSettingSync.exe) set thread context of PID 4216 (RegAsm.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- File created: C:\Program Files (x86)\DPI Subsystem\dpiss.exe (RegAsm.exe)
- File opened for modification: C:\Program Files (x86)\DPI Subsystem\dpiss.exe (RegAsm.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 4696: schtasks.exe
- PID 3604: schtasks.exe
- PID 4444: schtasks.exe
- PID 4836: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 2244: RegAsm.exe (3 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 2244: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 2244 (RegAsm.exe)

Suspicious use of WriteProcessMemory (22 IoCs)
Processes (source PID wrote to memory of target PID; repeated entries collapsed with their counts):
- PID 2712 (Scan00223.exe) wrote to memory of PID 2244 (RegAsm.exe), 5 times
- PID 2244 (RegAsm.exe) wrote to memory of PID 4696 (schtasks.exe), 3 times
- PID 2244 (RegAsm.exe) wrote to memory of PID 3604 (schtasks.exe), 3 times
- PID 2712 (Scan00223.exe) wrote to memory of PID 4444 (schtasks.exe), 3 times
- PID 4788 (BrowserSettingSync.exe) wrote to memory of PID 4216 (RegAsm.exe), 5 times
- PID 4788 (BrowserSettingSync.exe) wrote to memory of PID 4836 (schtasks.exe), 3 times
Processes

- C:\Users\Admin\AppData\Local\Temp\Scan00223.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scan00223.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    Signatures: Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpECC1.tmp"
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpED20.tmp"
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn BluetoothDesktopHandlers /tr "C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe" /sc minute /mo 1 /F
    Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
  Command line: C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\SysWOW64\schtasks.exe" /create /tn BluetoothDesktopHandlers /tr "C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe" /sc minute /mo 1 /F
    Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
  Command line: C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpECC1.tmp
Filesize: 1KB
MD5: c6f0625bf4c1cdfb699980c9243d3b22
SHA1: 43de1fe580576935516327f17b5da0c656c72851
SHA256: 8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576
SHA512: 9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

C:\Users\Admin\AppData\Local\Temp\tmpED20.tmp
Filesize: 1KB
MD5: 5fea24e883e06e4df6d240dc72abf2c5
SHA1: d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256: e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512: 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

C:\Users\Admin\AppData\Roaming\cleanmgr\BrowserSettingSync.exe
Filesize: 1.2MB
MD5: a90fbc8481d48550684ab4b68871808a
SHA1: 66e6cb6988cf465ab10076528e6d3f0a4a8bcf37
SHA256: c9e17403c588fa8eb5a11bcd34eb510244a482e27ee44db3168c8c0155efd970
SHA512: 09770ae83453970da3dfc24f2929b8d922fbe988fecea53acd16ce4aba9303ed39a381614656e62e572b3fa0c5c9e0132f14d2675ad4816230cb3ccd7f1e8c4a

Memory dumps:
- memory/2244-1-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/2244-6-0x0000000073882000-0x0000000073883000-memory.dmp (Filesize: 4KB)
- memory/2244-7-0x0000000073880000-0x0000000073E31000-memory.dmp (Filesize: 5.7MB)
- memory/2244-8-0x0000000073880000-0x0000000073E31000-memory.dmp (Filesize: 5.7MB)
- memory/2244-18-0x0000000073882000-0x0000000073883000-memory.dmp (Filesize: 4KB)
- memory/2244-19-0x0000000073880000-0x0000000073E31000-memory.dmp (Filesize: 5.7MB)
- memory/2712-0-0x00000000010D0000-0x00000000010D1000-memory.dmp (Filesize: 4KB)