Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 18:41

Static task: static1
Behavioral task: behavioral1
- Sample: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
- Resource: win7-20240611-en
General
- Target: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
- Size: 820KB
- MD5: 0e4c4d9f7b2ee56acdd9b3da668e2da3
- SHA1: 11189f4174bdeb36fb31ff8a7b2489641dd144be
- SHA256: e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed
- SHA512: a0b5de3eef3de57468a770f596c98d066eae36d538a9bc0d3e8550d6a4b21c0974deab2cc093bc612a89d935cde902c571ca92f2a61ec6d40bea0d52047df9b9
- SSDEEP: 12288:xxtg61jjk0LAta9AjjNw5DI+J/0oI3QCdiOc8f/TTRptDGiwFMdWefQS4XhEc:xg61jjk0LAta9AODIz88f///dbfQSeK
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: vjhelena.duckdns.org:54880
- C2: alibabaforwader10.ddns.net:54880
- Mutex: a387c389-48e1-4208-8dfc-04ffe53ec013

Configuration fields:
- activate_away_mode: true
- backup_connection_host: alibabaforwader10.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2024-02-09T13:56:51.135504536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54880
- default_group: MAY
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: a387c389-48e1-4208-8dfc-04ffe53ec013
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: vjhelena.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid   process
    2960  powershell.exe
    2624  powershell.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process                                   target process
    PID 2372 set thread context of 2464  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe      RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid   process
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2624  powershell.exe
    2960  powershell.exe
    2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    2464  RegSvcs.exe
    2464  RegSvcs.exe
    2464  RegSvcs.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid   process
    2464  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
    Token: SeDebugPrivilege  2624  powershell.exe
    Token: SeDebugPrivilege  2960  powershell.exe
    Token: SeDebugPrivilege  2464  RegSvcs.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (identical consecutive entries grouped, count in the last column):
    description                       pid   process                                   target process   entries
    PID 2372 wrote to memory of 2960  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe      powershell.exe   4
    PID 2372 wrote to memory of 2624  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe      powershell.exe   4
    PID 2372 wrote to memory of 2644  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe      schtasks.exe     4
    PID 2372 wrote to memory of 2580  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe      RegSvcs.exe      7
    PID 2372 wrote to memory of 2588  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe      RegSvcs.exe      7
    PID 2372 wrote to memory of 2464  2372  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe      RegSvcs.exe      12
Processes
- C:\Users\Admin\AppData\Local\Temp\0e4c4d9f7b2ee56acdd9b3da668e2da3.exe (depth 1, PID 2372)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e4c4d9f7b2ee56acdd9b3da668e2da3.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2960)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0e4c4d9f7b2ee56acdd9b3da668e2da3.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2624)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PKoUYTS.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2644)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKoUYTS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EA4.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2580)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2588)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2464)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Files:
- C:\Users\Admin\AppData\Local\Temp\tmp5EA4.tmp
  Filesize: 1KB
  MD5: fcd374e62a33ec39905684b1391d47e4
  SHA1: d4c95f6a1cc1a741a5115638eda26401e266c7d1
  SHA256: 467513ad2f94a392bace2c9c0ade6ea09a2f36e107d40d242c1a689b5eb9b941
  SHA512: f7f3431217de05b53eafdfb36ef4bdf939f11c6c1929e27c4491c358b9b2b2097ba86be132c2fb5060eb850873657d1d6267259f5187fec8f87e610690905dde
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: a5e557210cd87172211d50707732148f
  SHA1: a75ea7f18d5d93113746e18b0744738bd89650f6
  SHA256: 7080da3ae45ceb24be485399df1405bdc9be27a0ad037887df0c9314ef48c01b
  SHA512: a4a2de69e61298ac0b3de63d7e22daffe3d47695376ca7a53004b39935512daca6430d01b33386e22bda685fe62013b7f8010219d7bcaac1aa7f6232e2ff0acd

Memory dumps:
  dump                                                              filesize
  memory/2372-0-0x000000007469E000-0x000000007469F000-memory.dmp    4KB
  memory/2372-1-0x00000000012C0000-0x0000000001394000-memory.dmp    848KB
  memory/2372-2-0x0000000074690000-0x0000000074D7E000-memory.dmp    6.9MB
  memory/2372-3-0x00000000006C0000-0x00000000006DA000-memory.dmp    104KB
  memory/2372-4-0x0000000000460000-0x0000000000470000-memory.dmp    64KB
  memory/2372-5-0x0000000005C40000-0x0000000005CBA000-memory.dmp    488KB
  memory/2372-30-0x0000000074690000-0x0000000074D7E000-memory.dmp   6.9MB
  memory/2464-27-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/2464-24-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/2464-29-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/2464-28-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/2464-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp   4KB
  memory/2464-22-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/2464-20-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/2464-19-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
  memory/2464-32-0x0000000000610000-0x000000000061A000-memory.dmp   40KB
  memory/2464-33-0x0000000000660000-0x000000000067E000-memory.dmp   120KB
  memory/2464-34-0x0000000000680000-0x000000000068A000-memory.dmp   40KB