Analysis
-
max time kernel
148s
-
max time network
149s
-
platform
windows7_x64
-
resource
win7-20240611-en
-
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
-
submitted
16-06-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe
Resource
win7-20240611-en
General
-
Target
e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe
-
Size
820KB
-
MD5
0e4c4d9f7b2ee56acdd9b3da668e2da3
-
SHA1
11189f4174bdeb36fb31ff8a7b2489641dd144be
-
SHA256
e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed
-
SHA512
a0b5de3eef3de57468a770f596c98d066eae36d538a9bc0d3e8550d6a4b21c0974deab2cc093bc612a89d935cde902c571ca92f2a61ec6d40bea0d52047df9b9
-
SSDEEP
12288:xxtg61jjk0LAta9AjjNw5DI+J/0oI3QCdiOc8f/TTRptDGiwFMdWefQS4XhEc:xg61jjk0LAta9AODIz88f///dbfQSeK
Malware Config
Extracted
nanocore
1.2.2.0
vjhelena.duckdns.org:54880
alibabaforwader10.ddns.net:54880
a387c389-48e1-4208-8dfc-04ffe53ec013
-
activate_away_mode
true
-
backup_connection_host
alibabaforwader10.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-02-09T13:56:51.135504536Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54880
-
default_group
MAY
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
a387c389-48e1-4208-8dfc-04ffe53ec013
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
vjhelena.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
2600  powershell.exe
2700  powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 2652 set thread context of 2952
pid: 2652
process: e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe
target process: RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid   process                                                                 count
2652  e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe  9
2600  powershell.exe                                                          1
2700  powershell.exe                                                          1
2952  RegSvcs.exe                                                             3
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2952  RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2652  e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe
Token: SeDebugPrivilege  2600  powershell.exe
Token: SeDebugPrivilege  2700  powershell.exe
Token: SeDebugPrivilege  2952  RegSvcs.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
Source process for every entry: pid 2652, e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe
description                       target process  count
PID 2652 wrote to memory of 2600  powershell.exe  4
PID 2652 wrote to memory of 2700  powershell.exe  4
PID 2652 wrote to memory of 2504  schtasks.exe    4
PID 2652 wrote to memory of 2532  RegSvcs.exe     7
PID 2652 wrote to memory of 2952  RegSvcs.exe     12
Processes
-
C:\Users\Admin\AppData\Local\Temp\e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2652
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e346a199826939f2970cdd5337010e08cd761c0dfa35965afb404a04489ec0ed.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2600
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PKoUYTS.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2700
  -
  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PKoUYTS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp781D.tmp"
    - Creates scheduled task(s)
    PID: 2504
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2532
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID: 2952
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp781D.tmp
Filesize: 1KB
MD5: fcd374e62a33ec39905684b1391d47e4
SHA1: d4c95f6a1cc1a741a5115638eda26401e266c7d1
SHA256: 467513ad2f94a392bace2c9c0ade6ea09a2f36e107d40d242c1a689b5eb9b941
SHA512: f7f3431217de05b53eafdfb36ef4bdf939f11c6c1929e27c4491c358b9b2b2097ba86be132c2fb5060eb850873657d1d6267259f5187fec8f87e610690905dde
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\49BS3CWXX23X24C7FJHT.temp
Filesize: 7KB
MD5: 9e82a1f4ca9d5c14c99ddeada7723885
SHA1: a9cef3f9de614e2685ec505f580498e3e4ee3de9
SHA256: 3496eb65e275b8a2bd33699eb97a3854f8b5764eedd85109f99cfb7ad3ffadec
SHA512: a151266d3a56317dbe5767eb2cb5cd5036523255b0120b41b6e1e006b1cd520d47683aef4302cee1f34a883da3cf1a84ea7f35a3aa858b1647d4efdf941544bd
-
memory/2652-0-0x0000000074A9E000-0x0000000074A9F000-memory.dmp
Filesize: 4KB
-
memory/2652-1-0x00000000013A0000-0x0000000001474000-memory.dmp
Filesize: 848KB
-
memory/2652-2-0x0000000074A90000-0x000000007517E000-memory.dmp
Filesize: 6.9MB
-
memory/2652-3-0x0000000000A10000-0x0000000000A2A000-memory.dmp
Filesize: 104KB
-
memory/2652-4-0x0000000000480000-0x0000000000490000-memory.dmp
Filesize: 64KB
-
memory/2652-5-0x0000000005DB0000-0x0000000005E2A000-memory.dmp
Filesize: 488KB
-
memory/2652-31-0x0000000074A90000-0x000000007517E000-memory.dmp
Filesize: 6.9MB
-
memory/2952-30-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2952-24-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2952-28-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2952-27-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2952-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize: 4KB
-
memory/2952-22-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2952-18-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2952-20-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2952-33-0x0000000000450000-0x000000000045A000-memory.dmp
Filesize: 40KB
-
memory/2952-34-0x0000000000580000-0x000000000059E000-memory.dmp
Filesize: 120KB
-
memory/2952-35-0x0000000000460000-0x000000000046A000-memory.dmp
Filesize: 40KB