Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/01/2025, 23:07
Static task
static1
Behavioral task
behavioral1
Sample
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe
Resource
win10v2004-20241007-en
General
-
Target
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe
-
Size
280KB
-
MD5
9eba144eb34351954d5cb58220c7c72c
-
SHA1
94d629fae72f9e251a30281cb0838af086107a44
-
SHA256
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d
-
SHA512
f14c59e4bb494093da204344e5c55ad8ea7cd3e1260fb0083b258b3e1ffa3a94d55e02ba7bf9e449dcb5378044c49d7694f63a595c4dcd5fe1dc51db0ae696d3
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fb:boSeGUA5YZazpXUmZhZ6T
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Nanocore family
-
Executes dropped EXE 2 IoCs
pid Process 2688 a1punf5t2of.exe 2556 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
pid Process 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 2688 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe -
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2688 set thread context of 2556 2688 a1punf5t2of.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2556 a1punf5t2of.exe 2556 a1punf5t2of.exe 2556 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2556 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2556 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1224 wrote to memory of 2688 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 31 PID 1224 wrote to memory of 2688 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 31 PID 1224 wrote to memory of 2688 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 31 PID 1224 wrote to memory of 2688 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 31 PID 1224 wrote to memory of 2688 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 31 PID 1224 wrote to memory of 2688 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 31 PID 1224 wrote to memory of 2688 1224 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 31 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32 PID 2688 wrote to memory of 2556 2688 a1punf5t2of.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe"C:\Users\Admin\AppData\Local\Temp\5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280KB
MD56c72e2553b08dd26454d183e492b4817
SHA172adee03664fd54cf1a883e2a69bc84c79046a11
SHA256d66af870c6805000b57b3c97de6124e850bc7beea960d53f211374618aeb231d
SHA512ceefb5f85055a0a564535273e4b9f16894c6dd16d5b410942d28fda5991d56c341ef632bf12bb53789bd1647aaf485896b7da453a32f8bf900a1b697b14fe372