Analysis
- max time kernel: 117s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 08-07-2024 09:31
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Bank Details.exe
  - Resource: win7-20240705-en
General
- Target: Bank Details.exe
- Size: 3.5MB
- MD5: 72541dff5041b2d243e0502ecb452ef1
- SHA1: 8afb4d29dee980bedefb058453ed11e1c151f938
- SHA256: 152831911e38d9e20c6c82b22cd65258fab41c3c1017d2127854b91c8331a685
- SHA512: f4877723eb06c98b0ede4868331cc0a64a09e7c02cebad044f3b6e5d1e741d45393ee7d1937fa031e26c463dc1370037ecb0bbe3eb42fd7dda8868c844bfd7d0
- SSDEEP: 49152:KOb699GhOeeYrHhxNg0Dobuh9CYW/jgFdfUH8SIP1wJ5+BPtk6S:q9vYrdnw8SIKJYBP
Malware Config
Extracted: nanocore 1.2.2.0
- arkseven7002.ddns.net:7727
- 10a66da6-234d-4e15-acda-574830a08fca

Configuration:
- activate_away_mode: true
- backup_connection_host: arkseven7002.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2024-04-18T01:03:25.467183836Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: false
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 7727
- default_group: BLESSED BOTS
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 10a66da6-234d-4e15-acda-574830a08fca
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: arkseven7002.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: CasPol.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Process: Bank Details.exe
  PID 2368 (Bank Details.exe) set thread context of PID 1952 (CasPol.exe)
- Drops file in Program Files directory (2 IoCs)
  Process: CasPol.exe
  File created: C:\Program Files (x86)\TCP Subsystem\tcpss.exe
  File opened for modification: C:\Program Files (x86)\TCP Subsystem\tcpss.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Process: CasPol.exe (PID 1952), 6 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: CasPol.exe (PID 1952)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: CasPol.exe (PID 1952)
  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (9 IoCs)
  Process: Bank Details.exe
  PID 2368 (Bank Details.exe) wrote to memory of PID 1952 (CasPol.exe), 9 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Bank Details.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (depth 2, child of Bank Details.exe)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads