Analysis
-
max time kernel
147s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 19:08
Static task
static1
Behavioral task
behavioral1
Sample
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
Resource
win10v2004-20240802-en
General
-
Target
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe
-
Size
282KB
-
MD5
3fdfed2627088eb9c5a42ea698fdea68
-
SHA1
bc59331c2b825fe5c16417eed4d4e804c664cea7
-
SHA256
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf
-
SHA512
fd14b5f5dc0653306b7a614ac6e18c8def5dc325761301a6c43f96080b59d14f5607e9d7506f109439a07f37691cd9954ee78916edea8e68370d458a9a1853cf
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkf4:boSeGUA5YZazpXUmZhZ6SZ
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
a1punf5t2of.exea1punf5t2of.exepid Process 2688 a1punf5t2of.exe 2012 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
Processes:
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exea1punf5t2of.exepid Process 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 2688 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe -
Processes:
a1punf5t2of.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
a1punf5t2of.exedescription pid Process procid_target PID 2688 set thread context of 2012 2688 a1punf5t2of.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exea1punf5t2of.exea1punf5t2of.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
a1punf5t2of.exepid Process 2012 a1punf5t2of.exe 2012 a1punf5t2of.exe 2012 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
a1punf5t2of.exepid Process 2012 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a1punf5t2of.exedescription pid Process Token: SeDebugPrivilege 2012 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exea1punf5t2of.exedescription pid Process procid_target PID 3008 wrote to memory of 2688 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 31 PID 3008 wrote to memory of 2688 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 31 PID 3008 wrote to memory of 2688 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 31 PID 3008 wrote to memory of 2688 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 31 PID 3008 wrote to memory of 2688 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 31 PID 3008 wrote to memory of 2688 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 31 PID 3008 wrote to memory of 2688 3008 097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe 31 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2012 2688 a1punf5t2of.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe"C:\Users\Admin\AppData\Local\Temp\097c3cce81877cecdb775d6f754335d3ab6ad8db5f9d524bb2db03fba3222baf.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
282KB
MD5d7deb0e7c0800d4cfeffa93fe088c16e
SHA1f1868bd1a42268d4cd26ab68f474bdf8ec55f99d
SHA2561deeab13ade34e2cebefe3653188e447f90c80dd4df990aaf40636d468f10a37
SHA512163e6c01df97bcf5fc7c8f39e6eb4eac4d2644637331ffd0578bf9e258ea0c91ac3b5ecb040768def9a8af8d8facdf39cb1c51ce57feb6498e9cf7f6af4a01bd