Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 01:53
Static task: static1
Behavioral task: behavioral1
  Sample: holf.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: holf.exe
  Resource: win10v2004-20240226-en
General
- Target: holf.exe
- Size: 884KB
- MD5: 912d6c88f475bb275629201d52ae0ae6
- SHA1: 3e64f86e98787997c98b98039bb491fa613e79cc
- SHA256: 6b8e10fb6b6aa647c8c0ba181184d950e9f47ca6753213fc96b1b3ec18409f93
- SHA512: c8362c522e556166cc018800f721c8c4c3067d51209063f91424fbaf249b36441fc69e2556ee9b94cb7c0a6eee82d51b6105c3fa1a8148a98446e1a7e368d254
- SSDEEP: 24576:rmoO8itEqfZng7cw8lSQzuQM9saXICbmyX97i:qvZScwKSQzrM9ZzfN7i
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: cboss33.hopto.org:4722
- Mutex: f934e45a-6528-4b96-bd96-79fd13c4fe12
- Attributes:
  - activate_away_mode: true
  - backup_connection_host:
  - backup_dns_server:
  - buffer_size: 65535
  - build_time: 2018-07-05T13:16:32.309254436Z
  - bypass_user_account_control: true
  - bypass_user_account_control_data:
  - clear_access_control: true
  - clear_zone_identifier: true
  - connect_delay: 4000
  - connection_port: 4722
  - default_group: Dollar
  - enable_debug_mode: true
  - gc_threshold: 1.048576e+07
  - keep_alive_timeout: 30000
  - keyboard_logging: false
  - lan_timeout: 2500
  - max_packet_size: 1.048576e+07
  - mutex: f934e45a-6528-4b96-bd96-79fd13c4fe12
  - mutex_timeout: 5000
  - prevent_system_sleep: false
  - primary_connection_host: cboss33.hopto.org
  - primary_dns_server:
  - request_elevation: true
  - restart_delay: 5000
  - run_delay: 0
  - run_on_startup: false
  - set_critical_process: true
  - timeout_interval: 5000
  - use_custom_dns_server: false
  - version: 1.2.2.0
  - wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2664  excel.sfx.exe
    2332  excel.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    2628  cmd.exe
    2664  excel.sfx.exe (4 identical entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ARP Host = "C:\\Program Files\\ARP Host\\arphost.exe"  excel.exe
- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  excel.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Program Files\ARP Host\arphost.exe  excel.exe
    File opened for modification  C:\Program Files\ARP Host\arphost.exe  excel.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    2332  excel.exe (6 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    2332  excel.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2332  excel.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1776 wrote to memory of 2628  1776  holf.exe  cmd.exe (4 identical entries)
    PID 2628 wrote to memory of 2664  2628  cmd.exe  excel.sfx.exe (4 identical entries)
    PID 2664 wrote to memory of 2332  2664  excel.sfx.exe  excel.exe (4 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\holf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\holf.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdd.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\excel.sfx.exe
      Command line: excel.sfx.exe -p126 -dC:\Users\Admin\AppData\Local\Temp
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\fdd.bat
  Filesize: 28B
  MD5: f0b6f875f327f542118e2416f8259a13
  SHA1: 3edb59643d2be4f440aa9216c1a4ec52a972b8de
  SHA256: 48b03ca255d2246d388cce7df6cf578303485d5acfe53e9ca7038ff518a3be01
  SHA512: f3a0191c5d34fa0771e6ad053a046a3b3d0cec5f61a82281bffe309258d74599534afbd814bb397b619e6033e59b2dc372112cbbcb92cb6ecfd74ce4481bb2ad
- \Users\Admin\AppData\Local\Temp\RarSFX0\excel.sfx.exe
  Filesize: 757KB
  MD5: a0b5f08cd959d1e068179e1d6889710f
  SHA1: e26ac168101697f1660990cfacbad48da4225e04
  SHA256: e9b5abcd2b8ea76a1e8632156689bd234ddfb0b5be2674b72a17be5b62dcebe2
  SHA512: 7dad1ac11f01c2ed7982f79e891a5b7f07daf6ec126a7a04e0b67681ec08c136f260bdf88e71e319a7285efb4c5fec902c00d5801e7b606e7334c2d4ac5b7aa9
- \Users\Admin\AppData\Local\Temp\RarSFX1\excel.exe
  Filesize: 552KB
  MD5: 3a8ea73b34b33345474770c83cc825ae
  SHA1: d50ce020098b23149d354ee1c4e6ed742ace11fd
  SHA256: 2b0196abbdb448cdde45f9bc9bce3c879f39ff3783ce375a7a6a1ce4130025f1
  SHA512: 9cbdb8c16fb4595c44434351ae4df8bbbb137dce51e041df8fdbfee031a199d040e6385ea8b93421908b46799a52fbda660ff08f457f536bd511957c5a22b145
Memory dumps (PID 2332):
- memory/2332-39-0x0000000000A90000-0x0000000000A9A000-memory.dmp (Filesize: 40KB)
- memory/2332-40-0x00000000003F0000-0x0000000000402000-memory.dmp (Filesize: 72KB)
- memory/2332-41-0x0000000000B80000-0x0000000000B9A000-memory.dmp (Filesize: 104KB)
- memory/2332-43-0x00000000004F0000-0x0000000000502000-memory.dmp (Filesize: 72KB)
- memory/2332-42-0x0000000000470000-0x000000000047E000-memory.dmp (Filesize: 56KB)
- memory/2332-46-0x0000000002290000-0x00000000022A4000-memory.dmp (Filesize: 80KB)
- memory/2332-45-0x0000000002280000-0x000000000228E000-memory.dmp (Filesize: 56KB)
- memory/2332-44-0x0000000000B60000-0x0000000000B6C000-memory.dmp (Filesize: 48KB)
- memory/2332-47-0x00000000022A0000-0x00000000022B0000-memory.dmp (Filesize: 64KB)
- memory/2332-48-0x00000000022B0000-0x00000000022C4000-memory.dmp (Filesize: 80KB)
- memory/2332-49-0x00000000022C0000-0x00000000022CE000-memory.dmp (Filesize: 56KB)
- memory/2332-50-0x000000001AFE0000-0x000000001AFFE000-memory.dmp (Filesize: 120KB)
- memory/2332-51-0x000000001B100000-0x000000001B10A000-memory.dmp (Filesize: 40KB)
- memory/2332-52-0x000000001B110000-0x000000001B13E000-memory.dmp (Filesize: 184KB)
- memory/2332-53-0x0000000000B70000-0x0000000000B84000-memory.dmp (Filesize: 80KB)