Analysis
-
max time kernel
121s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
29-06-2024 09:31
Static task
static1
Behavioral task
behavioral1
Sample
virussign.com_ec03c8da575fa5ee4745506b340968e.exe
Resource
win7-20240221-en
General
-
Target
virussign.com_ec03c8da575fa5ee4745506b340968e.exe
-
Size
296KB
-
MD5
ec03c8da575fa5ee4745506b340968e6
-
SHA1
357374aa9b28d6571ebcf3b535b3cd8fe85eebba
-
SHA256
26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
-
SHA512
2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a
-
SSDEEP
6144:ou+rdxKERB7nPpuU8Dh1tUS/fqLaiU6xVB3Y8TTp6VmSyp7jk:gdxK8B7nAU87tabNNTd6VnypU
Malware Config
Extracted
Family
nanocore
Version
1.2.2.0
C2
munan.duckdns.org:3637
munabc.duckdns.org:3637
Mutex
4d5a1bc9-ba60-4ed4-85d1-96a1836c92b0
-
activate_away_mode
true
-
backup_connection_host
munabc.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-09-24T00:04:44.813706136Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3637
-
default_group
MUNA
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
4d5a1bc9-ba60-4ed4-85d1-96a1836c92b0
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
munan.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1700  DDfiles.exe
2880  DDfiles.exe
-
Checks whether UAC is enabled
Processes:
description        ioc                                                                                     process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegAsm.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process                                             target process
PID 2208 set thread context of 2192  2208  virussign.com_ec03c8da575fa5ee4745506b340968e.exe  RegAsm.exe
PID 1700 set thread context of 324   1700  DDfiles.exe                                         RegAsm.exe
PID 2880 set thread context of 620   2880  DDfiles.exe                                         RegAsm.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
2588  schtasks.exe
1500  schtasks.exe
1364  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
2192  RegAsm.exe
2192  RegAsm.exe
2192  RegAsm.exe
2192  RegAsm.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2192  RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2192  RegAsm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process                                             target process  count
PID 2208 wrote to memory of 2192  2208  virussign.com_ec03c8da575fa5ee4745506b340968e.exe  RegAsm.exe      12
PID 2208 wrote to memory of 1728  2208  virussign.com_ec03c8da575fa5ee4745506b340968e.exe  cmd.exe         4
PID 2208 wrote to memory of 2600  2208  virussign.com_ec03c8da575fa5ee4745506b340968e.exe  cmd.exe         4
PID 2208 wrote to memory of 2608  2208  virussign.com_ec03c8da575fa5ee4745506b340968e.exe  cmd.exe         4
PID 2600 wrote to memory of 2588  2600  cmd.exe                                             schtasks.exe    4
PID 892 wrote to memory of 1700   892   taskeng.exe                                         DDfiles.exe     4
PID 1700 wrote to memory of 324   1700  DDfiles.exe                                         RegAsm.exe      12
PID 1700 wrote to memory of 2560  1700  DDfiles.exe                                         cmd.exe         4
PID 1700 wrote to memory of 2704  1700  DDfiles.exe                                         cmd.exe         4
PID 1700 wrote to memory of 2700  1700  DDfiles.exe                                         cmd.exe         4
PID 2704 wrote to memory of 1500  2704  cmd.exe                                             schtasks.exe    4
PID 892 wrote to memory of 2880   892   taskeng.exe                                         DDfiles.exe     4
(count = number of times the identical event was reported; 64 events in total)
Processes
([n] = depth in the process tree; "cmdline" is the command line as executed)

[1] C:\Users\Admin\AppData\Local\Temp\virussign.com_ec03c8da575fa5ee4745506b340968e.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\virussign.com_ec03c8da575fa5ee4745506b340968e.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
        - Scheduled Task/Job: Scheduled Task

  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\virussign.com_ec03c8da575fa5ee4745506b340968e.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {C6464580-D798-41D2-B536-4D1F7C54852A} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
      cmdline: C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
          - Scheduled Task/Job: Scheduled Task

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

  [2] C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
      cmdline: C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
          - Scheduled Task/Job: Scheduled Task

    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
Filesize
296KB
MD5
ec03c8da575fa5ee4745506b340968e6
SHA1
357374aa9b28d6571ebcf3b535b3cd8fe85eebba
SHA256
26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA512
2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a
-
Memory dumps
file                                                              Filesize
memory/324-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp    4KB
memory/1700-38-0x0000000000C00000-0x0000000000C50000-memory.dmp   320KB
memory/2192-20-0x00000000005D0000-0x00000000005EE000-memory.dmp   120KB
memory/2192-24-0x0000000000680000-0x000000000068C000-memory.dmp   48KB
memory/2192-9-0x0000000000400000-0x000000000043A000-memory.dmp    232KB
memory/2192-13-0x0000000000400000-0x000000000043A000-memory.dmp   232KB
memory/2192-11-0x0000000000400000-0x000000000043A000-memory.dmp   232KB
memory/2192-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp    4KB
memory/2192-6-0x0000000000400000-0x000000000043A000-memory.dmp    232KB
memory/2192-5-0x0000000000400000-0x000000000043A000-memory.dmp    232KB
memory/2192-3-0x0000000000400000-0x000000000043A000-memory.dmp    232KB
memory/2192-18-0x00000000005A0000-0x00000000005AA000-memory.dmp   40KB
memory/2192-19-0x00000000005C0000-0x00000000005CC000-memory.dmp   48KB
memory/2192-34-0x0000000002360000-0x0000000002374000-memory.dmp   80KB
memory/2192-21-0x0000000000610000-0x000000000061A000-memory.dmp   40KB
memory/2192-4-0x0000000000400000-0x000000000043A000-memory.dmp    232KB
memory/2192-25-0x00000000007E0000-0x00000000007FA000-memory.dmp   104KB
memory/2192-26-0x0000000000750000-0x000000000075E000-memory.dmp   56KB
memory/2192-33-0x0000000004B60000-0x0000000004B8E000-memory.dmp   184KB
memory/2192-32-0x0000000000DE0000-0x0000000000DEE000-memory.dmp   56KB
memory/2192-31-0x0000000000DD0000-0x0000000000DE4000-memory.dmp   80KB
memory/2192-30-0x0000000000DC0000-0x0000000000DD4000-memory.dmp   80KB
memory/2192-29-0x0000000000870000-0x000000000087E000-memory.dmp   56KB
memory/2192-28-0x0000000000860000-0x000000000086C000-memory.dmp   48KB
memory/2192-27-0x0000000000810000-0x0000000000822000-memory.dmp   72KB
memory/2208-0-0x000000007466E000-0x000000007466F000-memory.dmp    4KB
memory/2208-14-0x0000000074660000-0x0000000074D4E000-memory.dmp   6.9MB
memory/2208-2-0x0000000074660000-0x0000000074D4E000-memory.dmp    6.9MB
memory/2208-1-0x0000000000330000-0x0000000000380000-memory.dmp    320KB
memory/2880-52-0x00000000001A0000-0x00000000001F0000-memory.dmp   320KB