Resubmissions
15-08-2024 11:42
240815-nt6pgsvcmj 715-08-2024 11:37
240815-nrkz1avbpj 1015-08-2024 11:36
240815-nqyjpsvbmq 1015-08-2024 11:33
240815-npbcsavbjm 10Analysis
-
max time kernel
149s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
15-08-2024 11:37
Static task
static1
Behavioral task
behavioral1
Sample
ae1265e9fe0ac39bbe970a3fa66c64b0N.exe
Resource
win7-20240704-en
General
-
Target
ae1265e9fe0ac39bbe970a3fa66c64b0N.exe
-
Size
282KB
-
MD5
ae1265e9fe0ac39bbe970a3fa66c64b0
-
SHA1
9239a5d795a2d97e72e7bd9b48b125d0e2459960
-
SHA256
87a574cbf6233e2fd7a3872da22451ae49f6248cca5c900dab49207e0f0135b0
-
SHA512
ff66d820fd16cc06ee99b995b1de7aa22d545da35518a1b02c5d5dee6a2d6c8670d3c3ba6934c0f0ebeaadb577c9de91dd9db8f8b27d1636f4f7514a6b4430a5
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkfQ:boSeGUA5YZazpXUmZhZ6Sp
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
a1punf5t2of.exea1punf5t2of.exepid process 2760 a1punf5t2of.exe 784 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
Processes:
ae1265e9fe0ac39bbe970a3fa66c64b0N.exea1punf5t2of.exepid process 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe 2760 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ae1265e9fe0ac39bbe970a3fa66c64b0N.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" ae1265e9fe0ac39bbe970a3fa66c64b0N.exe -
Processes:
a1punf5t2of.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a1punf5t2of.exedescription pid process target process PID 2760 set thread context of 784 2760 a1punf5t2of.exe a1punf5t2of.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ae1265e9fe0ac39bbe970a3fa66c64b0N.exea1punf5t2of.exea1punf5t2of.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ae1265e9fe0ac39bbe970a3fa66c64b0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
a1punf5t2of.exepid process 784 a1punf5t2of.exe 784 a1punf5t2of.exe 784 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a1punf5t2of.exepid process 784 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a1punf5t2of.exedescription pid process Token: SeDebugPrivilege 784 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
ae1265e9fe0ac39bbe970a3fa66c64b0N.exea1punf5t2of.exedescription pid process target process PID 2680 wrote to memory of 2760 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe a1punf5t2of.exe PID 2680 wrote to memory of 2760 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe a1punf5t2of.exe PID 2680 wrote to memory of 2760 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe a1punf5t2of.exe PID 2680 wrote to memory of 2760 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe a1punf5t2of.exe PID 2680 wrote to memory of 2760 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe a1punf5t2of.exe PID 2680 wrote to memory of 2760 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe a1punf5t2of.exe PID 2680 wrote to memory of 2760 2680 ae1265e9fe0ac39bbe970a3fa66c64b0N.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe PID 2760 wrote to memory of 784 2760 a1punf5t2of.exe a1punf5t2of.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae1265e9fe0ac39bbe970a3fa66c64b0N.exe"C:\Users\Admin\AppData\Local\Temp\ae1265e9fe0ac39bbe970a3fa66c64b0N.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:784
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
282KB
MD585423174f78e73d2a8ead25cb88c9d41
SHA1c9d33fb79558507f432d2c0b289749fc6f730543
SHA25681fa0363a9099b04f3292ac387a35aec4ef7bf30ecbb055678fa450fbbefdb84
SHA5121f06af461294696f7a11bf30b0a928838f797a00e6a98dec6da8120927647786e83c405d33b9aa8b65640127568ca0172b9682c9791d14d5c05d2597bbde1f58