Analysis
-
max time kernel
118s -
max time network
27s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 01:40
Static task
static1
Behavioral task
behavioral1
Sample
dfc22ad60a3e5c942e56e20a9b634aa0N.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
dfc22ad60a3e5c942e56e20a9b634aa0N.exe
Resource
win10v2004-20240802-en
General
-
Target
dfc22ad60a3e5c942e56e20a9b634aa0N.exe
-
Size
281KB
-
MD5
dfc22ad60a3e5c942e56e20a9b634aa0
-
SHA1
24cba7c577b7083f4c403d041fe9ae3eae8e7ad5
-
SHA256
ad519fbe45377b1ba91db0b8bf615a733950433ad6b913f6dda64e1b9f6fa9f8
-
SHA512
86da6334ba54bd75250044bd498781f8ab8e0ff30321fc5905ca38f85ba5e2d6b57298d4d45ce553693ae0b9a864294dfc99acf0706eb4c398a54c1e415e5f77
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfv:boSeGUA5YZazpXUmZhZ6Si
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
a1punf5t2of.exea1punf5t2of.exepid process 2768 a1punf5t2of.exe 2448 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
Processes:
dfc22ad60a3e5c942e56e20a9b634aa0N.exea1punf5t2of.exepid process 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe 2768 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
dfc22ad60a3e5c942e56e20a9b634aa0N.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" dfc22ad60a3e5c942e56e20a9b634aa0N.exe -
Processes:
a1punf5t2of.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a1punf5t2of.exedescription pid process target process PID 2768 set thread context of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
a1punf5t2of.exea1punf5t2of.exedfc22ad60a3e5c942e56e20a9b634aa0N.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dfc22ad60a3e5c942e56e20a9b634aa0N.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
a1punf5t2of.exepid process 2448 a1punf5t2of.exe 2448 a1punf5t2of.exe 2448 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a1punf5t2of.exepid process 2448 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a1punf5t2of.exedescription pid process Token: SeDebugPrivilege 2448 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
dfc22ad60a3e5c942e56e20a9b634aa0N.exea1punf5t2of.exedescription pid process target process PID 2252 wrote to memory of 2768 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe a1punf5t2of.exe PID 2252 wrote to memory of 2768 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe a1punf5t2of.exe PID 2252 wrote to memory of 2768 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe a1punf5t2of.exe PID 2252 wrote to memory of 2768 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe a1punf5t2of.exe PID 2252 wrote to memory of 2768 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe a1punf5t2of.exe PID 2252 wrote to memory of 2768 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe a1punf5t2of.exe PID 2252 wrote to memory of 2768 2252 dfc22ad60a3e5c942e56e20a9b634aa0N.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe PID 2768 wrote to memory of 2448 2768 a1punf5t2of.exe a1punf5t2of.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfc22ad60a3e5c942e56e20a9b634aa0N.exe"C:\Users\Admin\AppData\Local\Temp\dfc22ad60a3e5c942e56e20a9b634aa0N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2448
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD51fa19948812447d0ebfc6ee1ba472e84
SHA175370d75f473db15d32169e7828f9e7478a182f6
SHA2569a08e0a0a4c17562129e5731c7c2e25360f9613b775f5fbc444a2564ce509462
SHA5124c976b7b2db8a44422300e03d21185ac2e0b01f929cdb68ee33926898caf97630e30e3d2fb89becf0f4b2cd320f899d4a9db1c964b6c4df9f734f6134ab8de36