Analysis
-
max time kernel
121s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/09/2024, 01:19 UTC
Static task
static1
Behavioral task
behavioral1
Sample
4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
Resource
win7-20240903-en
General
-
Target
4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
-
Size
629KB
-
MD5
280baa14b25c23e63122a4028928dff0
-
SHA1
8070c5e450768312a50c64be6edc386b009bea77
-
SHA256
4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226
-
SHA512
26b96a7b246c3abaa02a989ea1e90a9ede181133f8a1e1b9605b3812f1505527d4164e14c169c73773e5872881bfa512793cffb381110c4a3b4f160e307f0f6f
-
SSDEEP
12288:6dbG8Q1q8vDd/e6REdJqTu5XWN62tlN3d8SPzG2gvXqQ4tqXZUwxTJ:n8C7pecAMC5XKvNt8S7Nsy4FlJ
Malware Config
Extracted
nanocore
1.2.2.0
pnauco5.ddns.net:1664
cde38e58-d99c-4068-b775-59569bc2e8ce
-
activate_away_mode
true
-
backup_connection_host
pnauco5.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-07-03T06:48:27.569053036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1664
-
default_group
NEW
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
cde38e58-d99c-4068-b775-59569bc2e8ce
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
pnauco5.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1972 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files (x86)\\IMAP Monitor\\imapmon.exe" 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2516 set thread context of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\IMAP Monitor\imapmon.exe 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe File opened for modification C:\Program Files (x86)\IMAP Monitor\imapmon.exe 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2808 schtasks.exe 2656 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 1972 powershell.exe 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe Token: SeDebugPrivilege 1972 powershell.exe -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2516 wrote to memory of 1972 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 30 PID 2516 wrote to memory of 1972 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 30 PID 2516 wrote to memory of 1972 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 30 PID 2516 wrote to memory of 1972 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 30 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2516 wrote to memory of 2332 2516 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 32 PID 2332 wrote to memory of 2808 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 33 PID 2332 wrote to memory of 2808 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 33 PID 2332 wrote to memory of 2808 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 33 PID 2332 wrote to memory of 2808 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 33 PID 2332 wrote to memory of 2656 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 35 PID 2332 wrote to memory of 2656 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 35 PID 2332 wrote to memory of 2656 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 35 PID 2332 wrote to memory of 2656 2332 4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "IMAP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4328.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2808
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "IMAP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp43D5.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2656
-
-
Network
-
Remote address:8.8.8.8:53Requestpnauco5.ddns.netIN AResponsepnauco5.ddns.netIN A103.207.37.72
-
103.207.37.72:1664pnauco5.ddns.net4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe15.6kB 391.3kB 285 395
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51ba3298e956e427c9e9e4bd39f6a4769
SHA129d0b963437e7c25ca335515dc23b8851b62bada
SHA256ef5aaf504b9f3d6bfb28c79e91dec9f212a47971f28a269870c50590a32f00ab
SHA512aa915d74ba0ede9d1c71dc2ae48ac4ea8b29f749b3e484554feb6c37e9481963f55905a15d05e75cb45a9e7889051121edaaa77bcee106160cb82e4619294d08
-
Filesize
1KB
MD5d2d6911d94b06e405e7687a2437eafec
SHA19f28f9e7d8d5179d44ddaa6ca266984ed7521dea
SHA2562dc87169ad53fbdd7abb08f49777cb8fb05adbff4e6f6616b4c89942af8cad0f
SHA512b5983de701ff98e944283a25f1770c1e792d52148dc1671f1d19203f8b9d10b056abcf79a17ca536a5f88ccf52f6445d8f3e75fce628666640ad8bad697dcfd1