Analysis
-
max time kernel
117s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13-08-2024 00:44
Static task
static1
Behavioral task
behavioral1
Sample
0d47828b888817ccc0b40056b40211e0N.exe
Resource
win7-20240704-en
General
-
Target
0d47828b888817ccc0b40056b40211e0N.exe
-
Size
281KB
-
MD5
0d47828b888817ccc0b40056b40211e0
-
SHA1
d8972a78e2593118b123aa162d5ceec313f3f47e
-
SHA256
bd5cd250cd8e3bb4b497cc273411ca4efa1b366e27d956be38be62881f2758b2
-
SHA512
60638944eacdaccb577335636d4774e6cd143a68b484e825627901a8828cb8a15a1bd8d08c8bdbbec0d0718f640f10f4817da3c4ad28c44be105639a2013cc7a
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfn:boSeGUA5YZazpXUmZhZ6SC
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
a1punf5t2of.exea1punf5t2of.exepid process 2908 a1punf5t2of.exe 2664 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
Processes:
0d47828b888817ccc0b40056b40211e0N.exea1punf5t2of.exepid process 2224 0d47828b888817ccc0b40056b40211e0N.exe 2908 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0d47828b888817ccc0b40056b40211e0N.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" 0d47828b888817ccc0b40056b40211e0N.exe -
Processes:
a1punf5t2of.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a1punf5t2of.exedescription pid process target process PID 2908 set thread context of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a1punf5t2of.exe0d47828b888817ccc0b40056b40211e0N.exea1punf5t2of.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0d47828b888817ccc0b40056b40211e0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
a1punf5t2of.exepid process 2664 a1punf5t2of.exe 2664 a1punf5t2of.exe 2664 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a1punf5t2of.exepid process 2664 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a1punf5t2of.exedescription pid process Token: SeDebugPrivilege 2664 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
0d47828b888817ccc0b40056b40211e0N.exea1punf5t2of.exedescription pid process target process PID 2224 wrote to memory of 2908 2224 0d47828b888817ccc0b40056b40211e0N.exe a1punf5t2of.exe PID 2224 wrote to memory of 2908 2224 0d47828b888817ccc0b40056b40211e0N.exe a1punf5t2of.exe PID 2224 wrote to memory of 2908 2224 0d47828b888817ccc0b40056b40211e0N.exe a1punf5t2of.exe PID 2224 wrote to memory of 2908 2224 0d47828b888817ccc0b40056b40211e0N.exe a1punf5t2of.exe PID 2224 wrote to memory of 2908 2224 0d47828b888817ccc0b40056b40211e0N.exe a1punf5t2of.exe PID 2224 wrote to memory of 2908 2224 0d47828b888817ccc0b40056b40211e0N.exe a1punf5t2of.exe PID 2224 wrote to memory of 2908 2224 0d47828b888817ccc0b40056b40211e0N.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe PID 2908 wrote to memory of 2664 2908 a1punf5t2of.exe a1punf5t2of.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d47828b888817ccc0b40056b40211e0N.exe"C:\Users\Admin\AppData\Local\Temp\0d47828b888817ccc0b40056b40211e0N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2664
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD5e8519238e16e8a5e76edbaddd511cb36
SHA1fdf86ab0123245192bbf96ea732b0c2526445925
SHA256bde33c354b895773feda99175fa0d92f4c05c208012e7c2e2b3edf358fe30788
SHA5126b6d39662329035aa311f21443fae6dd282f08667db5b1d7f2395ab6da31b3cc860bb12d42aa8381bf242c5caf829ed70b81f7e70c4ee265546b6c90619ff69f