Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
06-08-2024 15:38
Static task
static1
Behavioral task
behavioral1
Sample
c7d3425a23b5b8d3d00eded5b83c0710N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c7d3425a23b5b8d3d00eded5b83c0710N.exe
Resource
win10v2004-20240802-en
General
-
Target
c7d3425a23b5b8d3d00eded5b83c0710N.exe
-
Size
281KB
-
MD5
c7d3425a23b5b8d3d00eded5b83c0710
-
SHA1
f58026846eeb92e4999fbca16578d41c144fceed
-
SHA256
c9e7703faad3960594c4a4135f5ca3a6dca4dd0113af162e56b50c30fc55fa45
-
SHA512
f3a7408856bcf97d22bfb2a6f07bfe45252b306bca374aa43cffccf7408864a6095d48af90930fb983fe9820b2f7797c8752fc4405d10927d3620aa279087a50
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fK8:boSeGUA5YZazpXUmZhZ6S8
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
a1punf5t2of.exea1punf5t2of.exepid process 2664 a1punf5t2of.exe 3004 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
Processes:
c7d3425a23b5b8d3d00eded5b83c0710N.exea1punf5t2of.exepid process 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe 2664 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
c7d3425a23b5b8d3d00eded5b83c0710N.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" c7d3425a23b5b8d3d00eded5b83c0710N.exe -
Processes:
a1punf5t2of.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a1punf5t2of.exedescription pid process target process PID 2664 set thread context of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a1punf5t2of.exea1punf5t2of.exec7d3425a23b5b8d3d00eded5b83c0710N.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c7d3425a23b5b8d3d00eded5b83c0710N.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
a1punf5t2of.exepid process 3004 a1punf5t2of.exe 3004 a1punf5t2of.exe 3004 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a1punf5t2of.exepid process 3004 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a1punf5t2of.exedescription pid process Token: SeDebugPrivilege 3004 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
c7d3425a23b5b8d3d00eded5b83c0710N.exea1punf5t2of.exedescription pid process target process PID 2080 wrote to memory of 2664 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe a1punf5t2of.exe PID 2080 wrote to memory of 2664 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe a1punf5t2of.exe PID 2080 wrote to memory of 2664 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe a1punf5t2of.exe PID 2080 wrote to memory of 2664 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe a1punf5t2of.exe PID 2080 wrote to memory of 2664 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe a1punf5t2of.exe PID 2080 wrote to memory of 2664 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe a1punf5t2of.exe PID 2080 wrote to memory of 2664 2080 c7d3425a23b5b8d3d00eded5b83c0710N.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe PID 2664 wrote to memory of 3004 2664 a1punf5t2of.exe a1punf5t2of.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3004
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD5a1aeefe191425c6e3451128223426746
SHA1469900583db4053d7f1a880e417800b5254fc549
SHA25679034208c8ab9c9c2f46a36dbc8a1495281f439adf395c60d6a8d1117117553b
SHA5124805a6e792ede974340208ea2f40a12bf007ed0243bf30e52575eb91c28559a375bb853f7446aa50b3f0e17ec2844ba4d5af617cf172736c18c7e4773e903576