Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 05-08-2024 02:06

Static task: static1
Behavioral task: behavioral1
Sample: 350d5e7320be3cf579bf1afacdbb46c0N.exe
Resource: win7-20240705-en
General
- Target: 350d5e7320be3cf579bf1afacdbb46c0N.exe
- Size: 506KB
- MD5: 350d5e7320be3cf579bf1afacdbb46c0
- SHA1: f7220fb639e1c780f6ea23b1d657964f22bcf49a
- SHA256: f65d1cded5374ab70cfb0f316f045bc01a0f7dba4cb1cb1edf19a923282b525d
- SHA512: 82d08ec44f4d8153ccdd42996604cf2ceab26c853d1a0b1a87257710b6ce115f9bde9dbd3ad93e54bed2f6337872fd877db994050926b0ff315f2bb7fa9ffdde
- SSDEEP: 12288:0zQFwN0QMq3ZyMliWHt3hewrmrvTKdnMgmuCy:+QFmN3ZhlPt3hewyTK
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: savagesquad.ooguy.com:5314
- Mutex: ffbf0a1f-4996-4697-ad52-3b9f73eda21c

- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: (empty)
- buffer_size: 65535
- build_time: 2019-07-07T02:55:03.718306736Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 5314
- default_group: FUD
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: ffbf0a1f-4996-4697-ad52-3b9f73eda21c
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: savagesquad.ooguy.com
- primary_dns_server: (empty)
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 350d5e7320be3cf579bf1afacdbb46c0N.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1904 set thread context of 2652 | 1904 | 350d5e7320be3cf579bf1afacdbb46c0N.exe | 350d5e7320be3cf579bf1afacdbb46c0N.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 350d5e7320be3cf579bf1afacdbb46c0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 350d5e7320be3cf579bf1afacdbb46c0N.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
2652 | 350d5e7320be3cf579bf1afacdbb46c0N.exe
2652 | 350d5e7320be3cf579bf1afacdbb46c0N.exe
2652 | 350d5e7320be3cf579bf1afacdbb46c0N.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2652 | 350d5e7320be3cf579bf1afacdbb46c0N.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2652 | 350d5e7320be3cf579bf1afacdbb46c0N.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process | count
PID 1904 wrote to memory of 2892 | 1904 | 350d5e7320be3cf579bf1afacdbb46c0N.exe | schtasks.exe | 4
PID 1904 wrote to memory of 2652 | 1904 | 350d5e7320be3cf579bf1afacdbb46c0N.exe | 350d5e7320be3cf579bf1afacdbb46c0N.exe | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe (depth 1, PID 1904)
  Command line: "C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2892)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VsRwbjnFmPB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe (depth 2, PID 2652)
    Command line: "C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: 09a669719a8aef5a1830387b41feaaba
- SHA1: dcae3f4a7d37dd475c248fed96c32a3b18684b01
- SHA256: 122d53a5f99860ab687e68bf5c9e4be1d3e0f06307a1157f214f4749e6f2f360
- SHA512: a0eba5e54e8a16bb1ad012475650752dbd3cda12a16d6067d66fac214c39d7bbd510c57788512a303877dbe9573bbb5a13cac23cfae660010de3c872671adaf9