Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2024, 21:35

General

  • Target

    b2c04bb4-1039-4836-bca6-bd4211df1190.exe

  • Size

    524KB

  • MD5

    81ffddf2c1d7905204a67f6577e2dc68

  • SHA1

    a89c37a3e12a46ac714887d509a1849791b4b244

  • SHA256

    5713df54ae15a1a47a87436d1c7ddc06338f9c31276880d6d2ae29d2655313e7

  • SHA512

    b871a001fa251a9af36788ceda94ece6772a5f318120db5cada7643e66da7978d0a0f373ab271c15b45a0947f1161ee60284c0621e25e07ea81864a3c8945e4a

  • SSDEEP

    6144:dLeno+U3zituONCfDq/ib4IKEQwpUgQ/Fn7r+DHZ8q6PTZKWCaYVZ6qXW4bPwDJr:sRC+ab4aQlhFnPA81X/Y1cNm+1v6pP

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

original-financial.gl.at.ply.gg:28916

Mutex

d516db18-d565-4fff-a872-0ad0fd1f18ca

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    original-financial.gl.at.ply.gg

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-09-13T19:32:56.304391136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    28916

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    d516db18-d565-4fff-a872-0ad0fd1f18ca

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2c04bb4-1039-4836-bca6-bd4211df1190.exe
    "C:\Users\Admin\AppData\Local\Temp\b2c04bb4-1039-4836-bca6-bd4211df1190.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe
      "C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Users\Admin\AppData\Local\Temp\injection.exe
      "C:\Users\Admin\AppData\Local\Temp\injection.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2392
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlanext.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlanext.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
    • C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:876
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2628
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F17B1DB5-9529-40D8-9BE1-F727B7E1BE9F} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Roaming\wlanext.exe
      C:\Users\Admin\AppData\Roaming\wlanext.exe
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      PID:2128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\111111111111111111111111111111111111.exe

    Filesize

    209KB

    MD5

    9258d024ee6fbfe283978e89e25cbc50

    SHA1

    123f1309dbc98824ec2ebb12f9883a07b873820e

    SHA256

    392a00e29a7305ead657c6c10d80b446f8b6bfe25a171e63e43439695f40410a

    SHA512

    993b2a16cfdc8dbd99753349f923a6baf1e801f79d7fb6aa39e15f617b4f798f355a9edddc9e7579ece562e1c254299e974ac46e70efe576a0985554fec15913

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe

    Filesize

    124KB

    MD5

    fb47cb26a0c7480148a8d0c8f8e01be1

    SHA1

    bff6e89f3f724f79b136a4af7e6be03ff8d945e8

    SHA256

    255472e23f31eebe810f217212bf9caa39a30cac423dbe9893b554308da7db4b

    SHA512

    59bf831d10f9b2787e8152c2eea2abc8d131a9b45986da21d0cd6b38b43907becad39c332ed2c251bb3c28c14bfa022a7635487230a1f8643fb7ac20f1518ee7

  • C:\Users\Admin\AppData\Local\Temp\injection.exe

    Filesize

    399KB

    MD5

    153deb0e0ffc0b476d5bba8a69778dde

    SHA1

    4ef44b30281e61ffdb74c4b3c0ec5e5bab8fa08f

    SHA256

    4ba3120b20dadb2ba430ca2bb5cb492bf0adbb4a6685c4c757086e6f46d5d607

    SHA512

    00f58ffa67c2ee992f1904a3a923e80ee350956b4690eadd9dbfa8b4e6897ab4d598493f1bca3781cca0849184a3a40f21424efcc3e90d436d76540da5a89bf4

  • C:\Users\Admin\AppData\Roaming\BF99BEF1-312F-4726-8597-70228EF05E99\catalog.dat

    Filesize

    248B

    MD5

    061e700fe27d852034a5a44bf5985ccf

    SHA1

    15b072de6d6fdd92ae36f074345fa41985833e8d

    SHA256

    4bbb88af530693eb4a710b0591d4baf585837242c5690f5a821bf2fc9cc587cd

    SHA512

    cf6c5458ab50c859740490985d1e7e887d1116f3fa947ff2ec49af9997a42f3402c63ef42b93498544195d9859fbb19ccc295966564b30f5adb4a36d4e8886c6

  • C:\Users\Admin\AppData\Roaming\BF99BEF1-312F-4726-8597-70228EF05E99\run.dat

    Filesize

    8B

    MD5

    512d3a063e609f65ae9554749835b65e

    SHA1

    348d7f4bac538351dba1b5287c0161480d2b754c

    SHA256

    9454e04f1fed6d5ad100d5707f3b6f1e25040a0d1320569226691663edc426e4

    SHA512

    85120d1d575372bf001e37472c249dbfea6416d2fdc98dda7f9ba5ed6c8848b249d872e66aba26def5f3a5da1027ef515bfab2bc1d1059172adbeae49af3a84b

  • C:\Users\Admin\AppData\Roaming\BF99BEF1-312F-4726-8597-70228EF05E99\storage.dat

    Filesize

    423KB

    MD5

    7f0642b40d7f2ee4cf9d08601762f280

    SHA1

    db0a55e900fb8ab637f84815e8100de9ba391810

    SHA256

    e6a52cf6101cd8a5b0b276ba0507ab1fa3203267b842c4534f28f37ada40c02a

    SHA512

    108eb480e9ad78b3dd9783ed536b1406eb390f10cafe0e95f26da86d08b4e006fffce8ea389f87f4e6d92b0bfda20ea8fd0bd6094d7e6ea773807d0adbe1c2e1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IWJWJU2QW0U0R9OKLZ29.temp

    Filesize

    7KB

    MD5

    2cd9305c912a4bad7d43a01badfafc28

    SHA1

    841e627ae94f2dd907bd35d7990e5ebad115762a

    SHA256

    8f3f310c71919fee2f4a8a3e8921a872c505391d3c54f382d8ce331afe98d22a

    SHA512

    0978c20aa88e6d011c6959971bd748a8ab248bb609bcfc6ce21bcb7f47490f87896dd0e6c434605a279c403d97b12a2f7eaf17ce0911f90d42ccc02df634a638

  • memory/1012-34-0x000000001B5A0000-0x000000001B882000-memory.dmp

    Filesize

    2.9MB

  • memory/1012-35-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB

  • memory/1952-47-0x0000000000B40000-0x0000000000B80000-memory.dmp

    Filesize

    256KB

  • memory/1952-26-0x0000000000B40000-0x0000000000B80000-memory.dmp

    Filesize

    256KB

  • memory/2124-0-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

    Filesize

    4KB

  • memory/2124-25-0x000007FEF5990000-0x000007FEF637C000-memory.dmp

    Filesize

    9.9MB

  • memory/2124-1-0x0000000001100000-0x0000000001188000-memory.dmp

    Filesize

    544KB

  • memory/2128-52-0x0000000000070000-0x00000000000DA000-memory.dmp

    Filesize

    424KB

  • memory/2128-53-0x00000000004D0000-0x000000000050A000-memory.dmp

    Filesize

    232KB

  • memory/2392-48-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

    Filesize

    4KB

  • memory/2392-27-0x000007FEF5993000-0x000007FEF5994000-memory.dmp

    Filesize

    4KB

  • memory/2392-18-0x0000000001100000-0x000000000116A000-memory.dmp

    Filesize

    424KB

  • memory/3024-42-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

    Filesize

    32KB

  • memory/3024-41-0x000000001B630000-0x000000001B912000-memory.dmp

    Filesize

    2.9MB