Analysis
- max time kernel: 144s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 18:41

Static task: static1
Behavioral task: behavioral1
Sample: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
Resource: win7-20240611-en
General
- Target: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
- Size: 820KB
- MD5: 0e4c4d9f7b2ee56acdd9b3da668e2da3
- SHA1: 11189f4174bdeb36fb31ff8a7b2489641dd144be
- SHA256: e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed
- SHA512: a0b5de3eef3de57468a770f596c98d066eae36d538a9bc0d3e8550d6a4b21c0974deab2cc093bc612a89d935cde902c571ca92f2a61ec6d40bea0d52047df9b9
- SSDEEP: 12288:xxtg61jjk0LAta9AjjNw5DI+J/0oI3QCdiOc8f/TTRptDGiwFMdWefQS4XhEc:xg61jjk0LAta9AODIz88f///dbfQSeK
Malware Config
Extracted:
- nanocore
- 1.2.2.0
- vjhelena.duckdns.org:54880
- alibabaforwader10.ddns.net:54880
- a387c389-48e1-4208-8dfc-04ffe53ec013
- activate_away_mode: true
- backup_connection_host: alibabaforwader10.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2024-02-09T13:56:51.135504536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54880
- default_group: MAY
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: a387c389-48e1-4208-8dfc-04ffe53ec013
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: vjhelena.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe
  pid   process
  4728  powershell.exe
  4168  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  description                           pid   process                               target process
  PID 2408 set thread context of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe, powershell.exe, powershell.exe, RegSvcs.exe
  pid   process
  2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  4728  powershell.exe
  4168  powershell.exe
  2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  4168  powershell.exe
  1648  RegSvcs.exe
  1648  RegSvcs.exe
  1648  RegSvcs.exe
  4728  powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: RegSvcs.exe
  pid   process
  1648  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe, powershell.exe, powershell.exe, RegSvcs.exe
  description               pid   process
  Token: SeDebugPrivilege   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  Token: SeDebugPrivilege   4728  powershell.exe
  Token: SeDebugPrivilege   4168  powershell.exe
  Token: SeDebugPrivilege   1648  RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 0e4c4d9f7b2ee56acdd9b3da668e2da3.exe
  description                        pid   process                               target process
  PID 2408 wrote to memory of 4728   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  powershell.exe
  PID 2408 wrote to memory of 4728   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  powershell.exe
  PID 2408 wrote to memory of 4728   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  powershell.exe
  PID 2408 wrote to memory of 4168   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  powershell.exe
  PID 2408 wrote to memory of 4168   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  powershell.exe
  PID 2408 wrote to memory of 4168   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  powershell.exe
  PID 2408 wrote to memory of 3676   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  schtasks.exe
  PID 2408 wrote to memory of 3676   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  schtasks.exe
  PID 2408 wrote to memory of 3676   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  schtasks.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
  PID 2408 wrote to memory of 1648   2408  0e4c4d9f7b2ee56acdd9b3da668e2da3.exe  RegSvcs.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\0e4c4d9f7b2ee56acdd9b3da668e2da3.exe (PID 2408, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e4c4d9f7b2ee56acdd9b3da668e2da3.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4728, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0e4c4d9f7b2ee56acdd9b3da668e2da3.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4168, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PKoUYTS.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 3676, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKoUYTS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9470.tmp"
    - Creates scheduled task(s)

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1648, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: ccef651c9cf2ca5fdccc9c6d8b7ca994
  SHA1: 00cf505b1902d8f5421a4786445d99867d1e206c
  SHA256: 7fa2e3e4728bfd5fa3fbac9e5b8e9a96b2f54e388a4f04344ed8ad37f188c9a7
  SHA512: 3b9ecf3a41c759d670734e771153197fc71292488f32fd970fe978a948277dc65e2825af44b257649141414db318544e16a41b82de1328978f95b0f3f8efd940

- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2u2rfri4.cuj.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- C:\Users\Admin\AppData\Local\Temp\tmp9470.tmp
  Filesize: 1KB
  MD5: 900ee64c6573f7e902edbc9578aab965
  SHA1: a5939be7bf75a581b3724530f0bfc47e6f810026
  SHA256: 0fe92752b984b795ada00f45e9cb299f491d22f3c30d5861f82ae0c4b14d0a4d
  SHA512: 01cf8fbb4171a96f1082f4defa00b5266473e989e637094c45225f3d9164a4f1da36e760a83b9657a47b0592b83084f11c716ebda03b19e2fc1b506800142059

- memory/1648-50-0x00000000056A0000-0x00000000056AA000-memory.dmp
  Filesize: 40KB
- memory/1648-45-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-52-0x00000000056B0000-0x00000000056CE000-memory.dmp
  Filesize: 120KB
- memory/1648-53-0x00000000063A0000-0x00000000063AA000-memory.dmp
  Filesize: 40KB
- memory/2408-17-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/2408-6-0x0000000008700000-0x000000000871A000-memory.dmp
  Filesize: 104KB
- memory/2408-9-0x000000000ADF0000-0x000000000AE8C000-memory.dmp
  Filesize: 624KB
- memory/2408-4-0x0000000003630000-0x000000000363A000-memory.dmp
  Filesize: 40KB
- memory/2408-7-0x0000000006D00000-0x0000000006D10000-memory.dmp
  Filesize: 64KB
- memory/2408-5-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/2408-3-0x0000000005AA0000-0x0000000005B32000-memory.dmp
  Filesize: 584KB
- memory/2408-47-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/2408-0-0x000000007524E000-0x000000007524F000-memory.dmp
  Filesize: 4KB
- memory/2408-12-0x000000007524E000-0x000000007524F000-memory.dmp
  Filesize: 4KB
- memory/2408-2-0x0000000006050000-0x00000000065F4000-memory.dmp
  Filesize: 5.6MB
- memory/2408-8-0x0000000006FD0000-0x000000000704A000-memory.dmp
  Filesize: 488KB
- memory/2408-1-0x0000000000FF0000-0x00000000010C4000-memory.dmp
  Filesize: 848KB
- memory/4168-23-0x0000000005870000-0x0000000005892000-memory.dmp
  Filesize: 136KB
- memory/4168-83-0x0000000007570000-0x0000000007584000-memory.dmp
  Filesize: 80KB
- memory/4168-20-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/4168-44-0x0000000005AF0000-0x0000000005E44000-memory.dmp
  Filesize: 3.3MB
- memory/4168-85-0x0000000007650000-0x0000000007658000-memory.dmp
  Filesize: 32KB
- memory/4168-48-0x0000000005FE0000-0x0000000005FFE000-memory.dmp
  Filesize: 120KB
- memory/4168-51-0x00000000065D0000-0x000000000661C000-memory.dmp
  Filesize: 304KB
- memory/4168-21-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/4168-92-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/4168-78-0x0000000007330000-0x000000000734A000-memory.dmp
  Filesize: 104KB
- memory/4168-55-0x0000000075AF0000-0x0000000075B3C000-memory.dmp
  Filesize: 304KB
- memory/4168-82-0x0000000007560000-0x000000000756E000-memory.dmp
  Filesize: 56KB
- memory/4168-80-0x00000000075B0000-0x0000000007646000-memory.dmp
  Filesize: 600KB
- memory/4168-74-0x0000000006550000-0x000000000656E000-memory.dmp
  Filesize: 120KB
- memory/4168-76-0x0000000007010000-0x00000000070B3000-memory.dmp
  Filesize: 652KB
- memory/4168-79-0x00000000073A0000-0x00000000073AA000-memory.dmp
  Filesize: 40KB
- memory/4728-16-0x0000000005250000-0x0000000005878000-memory.dmp
  Filesize: 6.2MB
- memory/4728-77-0x0000000007AD0000-0x000000000814A000-memory.dmp
  Filesize: 6.5MB
- memory/4728-54-0x00000000072E0000-0x0000000007312000-memory.dmp
  Filesize: 200KB
- memory/4728-81-0x0000000007690000-0x00000000076A1000-memory.dmp
  Filesize: 68KB
- memory/4728-56-0x0000000075AF0000-0x0000000075B3C000-memory.dmp
  Filesize: 304KB
- memory/4728-29-0x0000000005A80000-0x0000000005AE6000-memory.dmp
  Filesize: 408KB
- memory/4728-84-0x00000000077D0000-0x00000000077EA000-memory.dmp
  Filesize: 104KB
- memory/4728-30-0x0000000005B60000-0x0000000005BC6000-memory.dmp
  Filesize: 408KB
- memory/4728-19-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/4728-18-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB
- memory/4728-15-0x0000000004B90000-0x0000000004BC6000-memory.dmp
  Filesize: 216KB
- memory/4728-91-0x0000000075240000-0x00000000759F0000-memory.dmp
  Filesize: 7.7MB