Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 06:40
Static task: static1
Behavioral task: behavioral1
Sample: PO#43-2018-VFT-FPS.scr
Resource: win7-20240508-en
General
Target: PO#43-2018-VFT-FPS.scr
Size: 594KB
MD5: 3e469125a53065043e66127c9e071c69
SHA1: acaeb4b3c50034f660d01a830736dab98ba85846
SHA256: 28de94cf55c15c8a694fafdfdf1e4a8a50a028dc3b590b578a25f6ebb51043c5
SHA512: 065560482700c7a65491d24e95dce67583ad19e3b34e44a1aca20668a7395e4c12bbf9fc8aef7aa4c088a6dc7820b23bf60d63f9dcb92097db88a78721bc8cc7
SSDEEP: 12288:i73YMO3LL8BfeMeTX+3iTEbW5gqtcL/Eh0/UIWu/gq:moRL4z3iyWKqtcoiX
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2 (host:port): 185.163.100.9:87
Mutex: f1126821-b7e6-4ac2-a8d5-f1ace13fc56f

activate_away_mode: true
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-06-14T07:44:20.112036436Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 87
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: f1126821-b7e6-4ac2-a8d5-f1ace13fc56f
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 185.163.100.9
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  2728  filename.exe
  2732  filename.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  2344  cmd.exe
  2728  filename.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files (x86)\\ARP Host\\arphost.exe" | filename.exe

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | filename.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                            pid   process       target process
  PID 2728 set thread context of 2732    2728  filename.exe  filename.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\ARP Host\arphost.exe | filename.exe
  File opened for modification | C:\Program Files (x86)\ARP Host\arphost.exe | filename.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  2540  schtasks.exe
  2320  schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  2732  filename.exe
  2732  filename.exe
  2732  filename.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  2732  filename.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1772  PO#43-2018-VFT-FPS.scr
  Token: SeDebugPrivilege  2728  filename.exe
  Token: SeDebugPrivilege  2732  filename.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes:
  description                        pid   process                 target process  occurrences
  PID 1772 wrote to memory of 2344   1772  PO#43-2018-VFT-FPS.scr  cmd.exe         4
  PID 2344 wrote to memory of 2728   2344  cmd.exe                 filename.exe    4
  PID 2728 wrote to memory of 2652   2728  filename.exe            cmd.exe         4
  PID 2652 wrote to memory of 2712   2652  cmd.exe                 reg.exe         4
  PID 2728 wrote to memory of 2732   2728  filename.exe            filename.exe    9
  PID 2732 wrote to memory of 2540   2732  filename.exe            schtasks.exe    4
  PID 2732 wrote to memory of 2320   2732  filename.exe            schtasks.exe    4
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\PO#43-2018-VFT-FPS.scr
  command line: "C:\Users\Admin\AppData\Local\Temp\PO#43-2018-VFT-FPS.scr" /S
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    command line: "cmd"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\Desktop\filename.exe
      command line: "C:\Users\Admin\Desktop\filename.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\SysWOW64\cmd.exe
        command line: "cmd"
        - Suspicious use of WriteProcessMemory

        (depth 5) C:\Windows\SysWOW64\reg.exe
          command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
          - Adds Run key to start application

      (depth 4) C:\Users\Admin\Desktop\filename.exe
        command line: "C:\Users\Admin\Desktop\filename.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        (depth 5) C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks.exe" /create /f /tn "ARP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp25E8.tmp"
          - Creates scheduled task(s)

        (depth 5) C:\Windows\SysWOW64\schtasks.exe
          command line: "schtasks.exe" /create /f /tn "ARP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2656.tmp"
          - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp25E8.tmp
  Filesize: 1KB
  MD5: 3e69cfdc97414457ef33010fb54c2ede
  SHA1: 3cd07f08434a402260b205263eb1de499853b1a1
  SHA256: b55422096b144e40a6061d9e894cdb17d2690792ed8939329c4755099a0d73d8
  SHA512: 01f50c544e2bb42c36aed9bedf6202a204187cc247cf4c76b5071127f4098e635eb25c4fd922aea64cd34abd728fcea3491af658286db1eda2f3e89e547a282c

C:\Users\Admin\AppData\Local\Temp\tmp2656.tmp
  Filesize: 1KB
  MD5: 447ab194ab36cb1d20078d80e502b1b2
  SHA1: a947b3b2c91d7c50bb8d39bd4fc91a0d0cc5b1c0
  SHA256: 8d5304b20b7d7dea223ce2738e5668054250d57bf6bed86b305b69924bd472f5
  SHA512: 49ddc557f7f6635627eea9bf0fa12a14b7b13edb235ed560ee0044a7f87fe27b686ff878d347d0273d92eb0b318b8c2bca85c0fbf42d586ed7d7da39eac6a327

C:\Users\Admin\Desktop\filename.exe
  Filesize: 594KB
  MD5: 3e469125a53065043e66127c9e071c69
  SHA1: acaeb4b3c50034f660d01a830736dab98ba85846
  SHA256: 28de94cf55c15c8a694fafdfdf1e4a8a50a028dc3b590b578a25f6ebb51043c5
  SHA512: 065560482700c7a65491d24e95dce67583ad19e3b34e44a1aca20668a7395e4c12bbf9fc8aef7aa4c088a6dc7820b23bf60d63f9dcb92097db88a78721bc8cc7

memory/1772-1-0x00000000749E0000-0x0000000074F8B000-memory.dmp  Filesize: 5.7MB
memory/1772-2-0x00000000749E0000-0x0000000074F8B000-memory.dmp  Filesize: 5.7MB
memory/1772-8-0x00000000749E0000-0x0000000074F8B000-memory.dmp  Filesize: 5.7MB
memory/1772-0-0x00000000749E1000-0x00000000749E2000-memory.dmp  Filesize: 4KB
memory/2728-29-0x00000000749E0000-0x0000000074F8B000-memory.dmp  Filesize: 5.7MB
memory/2728-9-0x00000000749E0000-0x0000000074F8B000-memory.dmp  Filesize: 5.7MB
memory/2728-10-0x00000000749E0000-0x0000000074F8B000-memory.dmp  Filesize: 5.7MB
memory/2728-7-0x00000000749E0000-0x0000000074F8B000-memory.dmp  Filesize: 5.7MB
memory/2732-13-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
memory/2732-23-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
memory/2732-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  Filesize: 4KB
memory/2732-19-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
memory/2732-17-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
memory/2732-26-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
memory/2732-28-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
memory/2732-15-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB