Analysis
-
max time kernel
116s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-01-2025 21:29
Static task
static1
Behavioral task
behavioral1
Sample
5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe
Resource
win7-20241010-en
General
-
Target
5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe
-
Size
255KB
-
MD5
0dc657fa7ab7c78021acf37116d49b90
-
SHA1
5edb67feea3aa27cd73175fa20d695ea3b15d2d3
-
SHA256
5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bb
-
SHA512
0a04711e5d17d274deca03cf0515b608ab157cc9d5f8816becdacb6b50d36ed1790f13a9300d55d7b7bd26ad92d6c17afbff3a1cefefed96690d420a265a8f8c
-
SSDEEP
6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQSZ:EeGUA5YZazpXUmZhdZ
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Nanocore family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation 5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe -
Executes dropped EXE 2 IoCs
pid Process 2952 a1punf5t2of.exe 2596 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" 5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2952 set thread context of 2596 2952 a1punf5t2of.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2596 a1punf5t2of.exe 2596 a1punf5t2of.exe 2596 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2596 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2596 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2360 wrote to memory of 2952 2360 5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe 84 PID 2360 wrote to memory of 2952 2360 5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe 84 PID 2360 wrote to memory of 2952 2360 5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe 84 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97 PID 2952 wrote to memory of 2596 2952 a1punf5t2of.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe"C:\Users\Admin\AppData\Local\Temp\5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
Network
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request181.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsysupdate24.ddns.netIN AResponsesysupdate24.ddns.netIN A0.0.0.0
-
Remote address:8.8.8.8:53Request200.163.202.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request160.50.123.104.in-addr.arpaIN PTRResponse160.50.123.104.in-addr.arpaIN PTRa104-123-50-160deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request162.50.123.104.in-addr.arpaIN PTRResponse162.50.123.104.in-addr.arpaIN PTRa104-123-50-162deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request155.50.123.104.in-addr.arpaIN PTRResponse155.50.123.104.in-addr.arpaIN PTRa104-123-50-155deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
181.129.81.91.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
66 B 82 B 1 1
DNS Request
sysupdate24.ddns.net
DNS Response
0.0.0.0
-
74 B 160 B 1 1
DNS Request
200.163.202.172.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
160.50.123.104.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
162.50.123.104.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
155.50.123.104.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
255KB
MD59aeafd75edb6e9a37b42ef1c37c0ecd0
SHA1cccc5a7f8c6cd5e4d4e881828d98c9a0232db48d
SHA25689c9099d335f4a5ca10908fcd781d4bacb9b413f31184bf23cd4fdfc3a358771
SHA51279ee288719864eafe573f445562f5fca6ed0bed655d1df0cef50098f2937d7d4889fa4ffadb8d362a90b5e90d94db76a8ca536aaf4f9adabc9dc74a6939b7389