Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 06:40
Static task: static1
Behavioral task: behavioral1
Sample: PO#43-2018-VFT-FPS.scr
Resource: win7-20240508-en
General
- Target: PO#43-2018-VFT-FPS.scr
- Size: 594KB
- MD5: 3e469125a53065043e66127c9e071c69
- SHA1: acaeb4b3c50034f660d01a830736dab98ba85846
- SHA256: 28de94cf55c15c8a694fafdfdf1e4a8a50a028dc3b590b578a25f6ebb51043c5
- SHA512: 065560482700c7a65491d24e95dce67583ad19e3b34e44a1aca20668a7395e4c12bbf9fc8aef7aa4c088a6dc7820b23bf60d63f9dcb92097db88a78721bc8cc7
- SSDEEP: 12288:i73YMO3LL8BfeMeTX+3iTEbW5gqtcL/Eh0/UIWu/gq:moRL4z3iyWKqtcoiX
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 185.163.100.9:87
Mutex: f1126821-b7e6-4ac2-a8d5-f1ace13fc56f

- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-06-14T07:44:20.112036436Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 87
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f1126821-b7e6-4ac2-a8d5-f1ace13fc56f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 185.163.100.9
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- PID 4084 filename.exe
- PID 4148 filename.exe
- PID 1952 filename.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd" (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe" (filename.exe)
Checks whether UAC is enabled
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (filename.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 4084 filename.exe set thread context of PID 1952 filename.exe

Drops file in Program Files directory (2 IoCs)
Processes:
- File created C:\Program Files (x86)\UDP Subsystem\udpss.exe (filename.exe)
- File opened for modification C:\Program Files (x86)\UDP Subsystem\udpss.exe (filename.exe)

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 2360 schtasks.exe
- PID 3212 schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 1952 filename.exe
- PID 1952 filename.exe
- PID 1952 filename.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
- PID 1952 filename.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3016 PO#43-2018-VFT-FPS.scr
- Token: SeDebugPrivilege, PID 4084 filename.exe
- Token: SeDebugPrivilege, PID 1952 filename.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes (source PID and process wrote to memory of target PID and process; the event count gives the number of identical entries in the report):
- PID 3016 PO#43-2018-VFT-FPS.scr wrote to memory of PID 3920 cmd.exe (3 events)
- PID 3920 cmd.exe wrote to memory of PID 4084 filename.exe (3 events)
- PID 4084 filename.exe wrote to memory of PID 3884 cmd.exe (3 events)
- PID 3884 cmd.exe wrote to memory of PID 5032 reg.exe (3 events)
- PID 4084 filename.exe wrote to memory of PID 4148 filename.exe (3 events)
- PID 4084 filename.exe wrote to memory of PID 1952 filename.exe (8 events)
- PID 1952 filename.exe wrote to memory of PID 2360 schtasks.exe (3 events)
- PID 1952 filename.exe wrote to memory of PID 3212 schtasks.exe (3 events)
Processes (indentation and bracketed number give the depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\PO#43-2018-VFT-FPS.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO#43-2018-VFT-FPS.scr" /S
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd"
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\Desktop\filename.exe
        Command line: "C:\Users\Admin\Desktop\filename.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "cmd"
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
            - Adds Run key to start application

      [4] C:\Users\Admin\Desktop\filename.exe
          Command line: "C:\Users\Admin\Desktop\filename.exe"
          - Executes dropped EXE

      [4] C:\Users\Admin\Desktop\filename.exe
          Command line: "C:\Users\Admin\Desktop\filename.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp"
            - Creates scheduled task(s)

        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4C7B.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\filename.exe.log
  Filesize: 223B
  MD5: cde6529abeea500fb852f29ba0da6115
  SHA1: 45f2f48492417ae6a0eade8aaa808d3d1d760743
  SHA256: d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5
  SHA512: c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234
- C:\Users\Admin\AppData\Local\Temp\tmp4BDE.tmp
  Filesize: 1KB
  MD5: 3e69cfdc97414457ef33010fb54c2ede
  SHA1: 3cd07f08434a402260b205263eb1de499853b1a1
  SHA256: b55422096b144e40a6061d9e894cdb17d2690792ed8939329c4755099a0d73d8
  SHA512: 01f50c544e2bb42c36aed9bedf6202a204187cc247cf4c76b5071127f4098e635eb25c4fd922aea64cd34abd728fcea3491af658286db1eda2f3e89e547a282c
- C:\Users\Admin\AppData\Local\Temp\tmp4C7B.tmp
  Filesize: 1KB
  MD5: c4aecdef99eba873119e79616df3f4b0
  SHA1: b1b3af52655fb633eed909dfed05b64fbbfac37c
  SHA256: 24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b
  SHA512: e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4
- C:\Users\Admin\Desktop\filename.exe
  Filesize: 594KB
  MD5: 3e469125a53065043e66127c9e071c69
  SHA1: acaeb4b3c50034f660d01a830736dab98ba85846
  SHA256: 28de94cf55c15c8a694fafdfdf1e4a8a50a028dc3b590b578a25f6ebb51043c5
  SHA512: 065560482700c7a65491d24e95dce67583ad19e3b34e44a1aca20668a7395e4c12bbf9fc8aef7aa4c088a6dc7820b23bf60d63f9dcb92097db88a78721bc8cc7
- memory/1952-29-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/1952-21-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/1952-14-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1952-19-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/1952-20-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/3016-0-0x0000000074F72000-0x0000000074F73000-memory.dmp (Filesize: 4KB)
- memory/3016-9-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/3016-2-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/3016-1-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/4084-8-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/4084-18-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/4084-11-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)
- memory/4084-10-0x0000000074F70000-0x0000000075521000-memory.dmp (Filesize: 5.7MB)