Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-08-2024 22:16
Static task
static1
Behavioral task
behavioral1
Sample
5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe
Resource
win7-20240704-en
General
-
Target
5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe
-
Size
281KB
-
MD5
e2e03488307f8b2d60de71cde2cdc8ac
-
SHA1
5a4b5583bb23bdd6c0920d76d0be61f883f10c7f
-
SHA256
5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3
-
SHA512
4a3d65d5d946e616b8b65af0e8d797af1b6c3c95af56d38cafb3c13d3d06062d43c13da9d7f8ace5f8ef728515b79646782124b1975a39de124e70023df959ff
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfv:boSeGUA5YZazpXUmZhZ6SK
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe -
Executes dropped EXE 2 IoCs
Processes:
a1punf5t2of.exea1punf5t2of.exepid process 1788 a1punf5t2of.exe 440 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe -
Processes:
a1punf5t2of.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a1punf5t2of.exedescription pid process target process PID 1788 set thread context of 440 1788 a1punf5t2of.exe a1punf5t2of.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a1punf5t2of.exe5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exea1punf5t2of.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
a1punf5t2of.exepid process 440 a1punf5t2of.exe 440 a1punf5t2of.exe 440 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a1punf5t2of.exepid process 440 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a1punf5t2of.exedescription pid process Token: SeDebugPrivilege 440 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exea1punf5t2of.exedescription pid process target process PID 528 wrote to memory of 1788 528 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe a1punf5t2of.exe PID 528 wrote to memory of 1788 528 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe a1punf5t2of.exe PID 528 wrote to memory of 1788 528 5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe PID 1788 wrote to memory of 440 1788 a1punf5t2of.exe a1punf5t2of.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe"C:\Users\Admin\AppData\Local\Temp\5db52dc47ddbbde1f4de3f35348ce12b8d3a13f381e64e23afb01afd2a14bab3.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:440
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD54fd9cffb67227daef8643293605ec917
SHA1b83553da97fb4b6f1af6f949f7bda40e2dc747a8
SHA256d406ef883dc6f43a701d37612b42b9728c089f1268bd960324e1173186090178
SHA51212e108d86b3ffe2abeb4c6e0d4230b531667e92277265b7c811cc4a72d6979fd7cfd22da1c19af9fa522f5a64cf2c837ee21eebc9fac215da1d08d128adef106