Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 00:00
Behavioral task: behavioral1
Sample: 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe
Resource: win7-20240708-en
General
Target: 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe
Size: 3.0MB
MD5: fbf6b4d34c2060ca40052715a7a52b3b
SHA1: 1044b0d5117dbc36afd31c3ce07597099b2c9a47
SHA256: 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e
SHA512: 0498e4fb1c77463142d2b62dc47be8b12ed92c3cd0faf9ee5933ece4394ea4bcd8574e6b51ebc61ea6faa170ae633d8108cc38279fb4c3fb63965548798c6035
SSDEEP: 98304:eUAOZ3UXWrNJj+RZJpOZ6UXWrNJj+RxJN:VAAkmrN83JpAJmrN8DJN
Malware Config
Extracted: nanocore
version: 1.2.2.0
C2: shamim.zapto.org:11457
C2: tost.dynamic-dns.net:11457
mutex: 8017d58d-7b7f-4b91-b6de-613adf085a1e
activate_away_mode: false
backup_connection_host: tost.dynamic-dns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-12-01T22:40:08.386446536Z
bypass_user_account_control: true
bypass_user_account_control_data: (no value in report)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 11457
default_group: ALPHA
enable_debug_mode: true
gc_threshold: 1.048576e+07 (= 10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (= 10485760)
mutex: 8017d58d-7b7f-4b91-b6de-613adf085a1e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: shamim.zapto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Extracted: webmonitor
C2: foxtrott70.wm01.to:443
config_key: CgP1g6JMgy5yU7HEsH9MRrDBEE6yyIwF
private_key: mww7VgFA5
url_path: /recv4.php
Signatures
Nanocore family
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool, operated from any web browser, for controlling and monitoring phones or PCs.
WebMonitor payload 16 IoCs
resource | yara_rule
behavioral2/memory/4496-38-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-41-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-40-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-39-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-48-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-51-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-53-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-57-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-59-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-61-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-63-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-65-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-67-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-69-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-71-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
behavioral2/memory/4496-73-0x0000000000400000-0x00000000004C1000-memory.dmp | family_webmonitor
Webmonitor family
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktopimgdownldr.url | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.WARP.JITService.url | wm.exe
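Both persistence artifacts above are Internet Shortcut (.url) files dropped into the per-user Startup folder, a mechanism that Windows honours for local file targets just as it does for web URLs. The following is an added example, not part of the sandbox report: a small triage script that parses the INI body of a .url file, resolves a file:// or drive-letter target to a local path, and flags shortcuts that launch executables from user-writable staging directories. The shortcut bodies are constructed (the report names the files but does not show their contents); the target path C:\Users\Admin\AppData\Local\Temp\wm.exe is the dropped binary's path from the process tree, and the SUSPICIOUS_DIRS list is an assumption to tune per environment.

```python
"""Triage .url shortcuts in a Windows Startup folder.

Added example for this page, not code from the sandbox or the malware.
The shortcut bodies in SAMPLES are constructed for illustration.
"""
import configparser
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# Directories treated as user-writable staging areas (assumption: adjust to taste).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)
EXEC_EXTS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".dll")

# Constructed .url bodies. The first two reuse the file names from the report and
# point at the dropped wm.exe (assumption); the third is a harmless control case.
SAMPLES = {
    "desktopimgdownldr.url": "[InternetShortcut]\nURL=file:///C:/Users/Admin/AppData/Local/Temp/wm.exe\nIconIndex=0\n",
    "Windows.WARP.JITService.url": "[InternetShortcut]\nURL=C:\\Users\\Admin\\AppData\\Local\\Temp\\wm.exe\n",
    "Docs.url": "[InternetShortcut]\nURL=https://intranet.example/docs\n",
}


def parse_url_shortcut(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] keys of a .url body (it is plain INI)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: URL, IconFile, WorkingDirectory ...
    cp.read_string(text)
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}


def shortcut_target_path(url: str) -> Optional[str]:
    """Map a file:// URL or a bare drive-letter path to a Windows path; None for web URLs."""
    if re.match(r"^[A-Za-z]:\\", url):
        return url
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return None
    # file:///C:/x and file://C:/x both end up as C:/x, then backslashed.
    raw = unquote(parsed.netloc + parsed.path).lstrip("/")
    return raw.replace("/", "\\")


def assess_startup_shortcut(name: str, text: str) -> Dict:
    """Classify one Startup-folder .url file as benign-looking / review / suspicious."""
    url = parse_url_shortcut(text).get("URL", "")
    target = shortcut_target_path(url)
    reasons: List[str] = []
    if target is None:
        verdict = "benign-looking"  # opens a web URL, not a local program
    else:
        low = target.lower()
        if low.endswith(EXEC_EXTS):
            reasons.append("launches a local executable or script")
        if any(d in low for d in SUSPICIOUS_DIRS):
            reasons.append("target lives in a user-writable staging directory")
        verdict = "suspicious" if reasons else "review"
    return {"file": name, "url": url, "target": target, "verdict": verdict, "reasons": reasons}


def scan_startup_folder(samples: Dict[str, str]) -> List[Dict]:
    return [assess_startup_shortcut(name, body) for name, body in samples.items()]


if __name__ == "__main__":
    for r in scan_startup_folder(SAMPLES):
        print(f"{r['verdict']:14} {r['file']} -> {r['target'] or r['url']}")
        for reason in r["reasons"]:
            print("               -", reason)
```

On a live host, feed the function the bodies read from `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.url` (and the all-users Startup folder); the verdict deliberately stays at "review" for a local target outside the staging list so that a legitimately installed program is not hidden from the analyst.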
Executes dropped EXE 2 IoCs
pid | Process
3724 | wm.exe
4496 | wm.exe
Unexpected DNS network traffic destination 14 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc (count)
Destination IP | 114.114.114.114 (4)
Destination IP | 185.141.152.26 (6)
Destination IP | 1.2.4.8 (4)
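The signature above only states that port-53 traffic went to hosts other than the configured resolvers; it does not claim the payload was DNS. The following is an added example, not the sandbox's own rule: a flow-log correlator that applies the same idea with an explicit allow-list. The allow-list uses the two resolvers named in the extracted Nanocore config (8.8.8.8 and 8.8.4.4) and treats private-range resolvers as expected LAN infrastructure; both choices are assumptions to adjust per environment. The flow records are constructed from the destination IPs in the report, with made-up source ports, byte counts and a 203.0.113.10 (documentation-range) control entry.

```python
"""Flag port-53 traffic to resolvers a host is not configured to use.

Added example for this page, not the sandbox's own signature.
FLOWS is a constructed flow log; only the port-53 destination IPs come from the report.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Resolvers the host should be using: the Nanocore config on this page names
# 8.8.8.8 (primary_dns_server) and 8.8.4.4 (backup_dns_server). The sandbox's
# own resolver is not stated, so add your environment's resolvers here (assumption).
CONFIGURED_DNS = {"8.8.8.8", "8.8.4.4"}

# Resolvers on RFC 1918 ranges are treated as expected LAN infrastructure (assumption).
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow log: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    ("udp", "10.127.0.12", 51515, "8.8.8.8", 53, 72),
    ("udp", "10.127.0.12", 51516, "114.114.114.114", 53, 64),
    ("udp", "10.127.0.12", 51517, "1.2.4.8", 53, 64),
    ("udp", "10.127.0.12", 51518, "185.141.152.26", 53, 61),
    ("udp", "10.127.0.12", 51519, "185.141.152.26", 53, 61),
    ("tcp", "10.127.0.12", 51520, "203.0.113.10", 443, 1200),  # not the DNS port
    ("udp", "10.127.0.12", 51521, "10.127.0.1", 53, 70),        # LAN resolver
]


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def unexpected_dns_destinations(flows: Iterable[Tuple], configured=CONFIGURED_DNS) -> Counter:
    """Count (src, dst) pairs on port 53 whose dst is neither configured nor private."""
    hits: Counter = Counter()
    for _proto, src, _sport, dst, dport, _nbytes in flows:
        if dport != 53 or dst in configured or is_private(dst):
            continue
        hits[(src, dst)] += 1
    return hits


def alerts(flows: Iterable[Tuple]) -> Dict[str, List[Tuple[str, int]]]:
    """Group unexpected resolvers per source host, most-contacted first."""
    per_host: Dict[str, List[Tuple[str, int]]] = {}
    for (src, dst), n in unexpected_dns_destinations(flows).most_common():
        per_host.setdefault(src, []).append((dst, n))
    return per_host


if __name__ == "__main__":
    for host, dsts in alerts(FLOWS).items():
        print(f"{host}: DNS-port traffic to {len(dsts)} unexpected resolver(s)")
        for dst, n in dsts:
            print(f"    {dst}  x{n}")
```

A host that suddenly talks to several public resolvers it was never configured with is a useful hunting lead on its own; to tell a stray resolver apart from C2 tunnelled over UDP/53 you still need to parse the payload as DNS, which a flow log cannot do.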
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/4500-6-0x0000000000700000-0x0000000000BCE000-memory.dmp | autoit_exe
behavioral2/memory/3724-8-0x0000000000400000-0x00000000005DD000-memory.dmp | autoit_exe
behavioral2/memory/3724-9-0x0000000000400000-0x00000000005DD000-memory.dmp | autoit_exe
behavioral2/memory/3724-45-0x0000000000400000-0x00000000005DD000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4500 set thread context of 3944 | 4500 | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe | 100
PID 3724 set thread context of 4496 | 3724 | wm.exe | 102
UPX packed file 26 IoCs
resource | yara_rule
behavioral2/memory/4500-0-0x0000000000700000-0x0000000000BCE000-memory.dmp | upx
behavioral2/files/0x0009000000023c93-3.dat | upx
behavioral2/memory/3724-4-0x0000000000400000-0x00000000005DD000-memory.dmp | upx
behavioral2/memory/4500-6-0x0000000000700000-0x0000000000BCE000-memory.dmp | upx
behavioral2/memory/3724-8-0x0000000000400000-0x00000000005DD000-memory.dmp | upx
behavioral2/memory/3724-9-0x0000000000400000-0x00000000005DD000-memory.dmp | upx
behavioral2/memory/4496-37-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-38-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-41-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-40-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-39-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-31-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-36-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/3724-45-0x0000000000400000-0x00000000005DD000-memory.dmp | upx
behavioral2/memory/4496-48-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-51-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-53-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-57-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-59-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-61-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-63-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-65-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-67-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-69-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-71-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
behavioral2/memory/4496-73-0x0000000000400000-0x00000000004C1000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wm.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4500 | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe (the same process, listed 64 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3944 | RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3944 | RegAsm.exe
Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
4500 | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe (3 times)
3724 | wm.exe (3 times)
Suspicious use of SendNotifyMessage 6 IoCs
pid | Process
4500 | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe (3 times)
3724 | wm.exe (3 times)
Suspicious use of WriteProcessMemory 13 IoCs
description | pid | Process | procid_target
PID 4500 wrote to memory of 3724 (3 times) | 4500 | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe | 84
PID 4500 wrote to memory of 3944 (5 times) | 4500 | 72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe | 100
PID 3724 wrote to memory of 4496 (5 times) | 3724 | wm.exe | 102
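Read together, the WriteProcessMemory and SetThreadContext signatures describe the process-hollowing chain twice: the dropper (4500) writes into a freshly started RegAsm.exe (3944) five times and then sets its thread context, and wm.exe (3724) does the same to a second copy of itself (4496). The three writes into 3724 are not followed by a SetThreadContext and are the kind of thing an ordinary CreateProcess produces. The following is an added example, not the sandbox's own signature: a correlator over an endpoint event stream that only raises a finding when remote writes into a child are followed by SetThreadContext from the same parent, and rates the finding higher when the child is a Microsoft binary under C:\Windows or a fresh copy of the parent image. The event records are constructed from the PIDs, image paths and IoC counts in this report; the CreateProcess records and the ordering are assumptions, as is the event schema.

```python
"""Correlate WriteProcessMemory + SetThreadContext into process-hollowing candidates.

Added example for this page, not the sandbox's own rule. EVENTS is a constructed
stream built from the PIDs and images the report lists; the ordering, the
CreateProcess records and the field names are assumptions.
"""
from collections import defaultdict
from typing import Dict, List

TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
SAMPLE = TEMP + "\\72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe"
WM = TEMP + "\\wm.exe"
REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe"


def _ev(kind: str, pid: int, image: str, target: int, target_image: str) -> Dict:
    return {"ev": kind, "pid": pid, "image": image, "target": target, "target_image": target_image}


# Constructed event stream (assumption: order follows the report's IoC lists).
EVENTS = (
    [_ev("CreateProcess", 4500, SAMPLE, 3724, WM)]
    + [_ev("WriteProcessMemory", 4500, SAMPLE, 3724, WM)] * 3
    + [_ev("CreateProcess", 4500, SAMPLE, 3944, REGASM)]
    + [_ev("WriteProcessMemory", 4500, SAMPLE, 3944, REGASM)] * 5
    + [_ev("SetThreadContext", 4500, SAMPLE, 3944, REGASM)]
    + [_ev("CreateProcess", 3724, WM, 4496, WM)]
    + [_ev("WriteProcessMemory", 3724, WM, 4496, WM)] * 5
    + [_ev("SetThreadContext", 3724, WM, 4496, WM)]
)


def hollowing_candidates(events: List[Dict]) -> List[Dict]:
    """One finding per (parent, child) pair that the parent wrote to and then
    SetThreadContext'ed. Writes without a later SetThreadContext (4500 -> 3724
    here) never fire, which keeps ordinary process creation out of the results."""
    writes: Dict[tuple, int] = defaultdict(int)
    findings: List[Dict] = []
    for e in events:
        key = (e["pid"], e["target"])
        if e["ev"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["ev"] == "SetThreadContext" and writes[key]:
            reasons = ["remote memory writes followed by SetThreadContext"]
            child = e["target_image"].lower()
            if child.startswith("c:\\windows\\"):
                reasons.append("child is a Microsoft binary under C:\\Windows (classic hollowing host)")
            if child == e["image"].lower():
                reasons.append("child is a fresh copy of the parent image (self-hollowing)")
            findings.append({
                "pid": e["pid"], "target": e["target"],
                "image": e["image"], "target_image": e["target_image"],
                "writes": writes[key],
                "severity": "high" if len(reasons) > 1 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(EVENTS):
        print(f"{f['severity']:6} {f['pid']} -> {f['target']} ({f['writes']} writes): {f['target_image']}")
        for r in f["reasons"]:
            print("       -", r)
```

On real telemetry the same logic applies to Sysmon Event ID 8/10 style records or an EDR's API-call stream; the one field worth adding is the child's creation flags, since a child created with CREATE_SUSPENDED before the writes turns a medium finding into a near-certain one.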
Processes
- C:\Users\Admin\AppData\Local\Temp\72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe (PID 4500, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\72e02c8fa5fd194031d15ad9ef3b35bde1d585aa325a07266870cdc12e99b67e.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\wm.exe (PID 3724, depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\wm.exe
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\wm.exe (PID 4496, depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\wm.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (PID 3944, depth 2)
    command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 866KB
MD5: aceb6f1163e7677ebac3083b5880c3bb
SHA1: 9b9e04865c51d628bf9da081a882967f18e2f421
SHA256: c33a38b09773d59ba1cf9be16f16d7706fc735d73bd2af132cf600de83cf29b5
SHA512: b48c50c00516a9ba8258356c77aee98a14766e876d048be9b9f05f39a56796ede5f7942f94dffe08ea6dc64e718900f560cba03fd7f5c29ce9e7581b0149a004