Analysis
-
max time kernel
146s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/01/2025, 22:58
Static task
static1
Behavioral task
behavioral1
Sample
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe
Resource
win10v2004-20241007-en
General
-
Target
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe
-
Size
280KB
-
MD5
9eba144eb34351954d5cb58220c7c72c
-
SHA1
94d629fae72f9e251a30281cb0838af086107a44
-
SHA256
5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d
-
SHA512
f14c59e4bb494093da204344e5c55ad8ea7cd3e1260fb0083b258b3e1ffa3a94d55e02ba7bf9e449dcb5378044c49d7694f63a595c4dcd5fe1dc51db0ae696d3
-
SSDEEP
6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fb:boSeGUA5YZazpXUmZhZ6T
Malware Config
Extracted
nanocore
1.2.2.0
sysupdate24.ddns.net:45400
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2020-04-24T17:41:53.492468936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
45400
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ae82ab7f-db07-49ee-9d2b-76075d76f37f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
sysupdate24.ddns.net
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Nanocore family
-
Executes dropped EXE 2 IoCs
pid Process 2924 a1punf5t2of.exe 2928 a1punf5t2of.exe -
Loads dropped DLL 2 IoCs
pid Process 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 2924 a1punf5t2of.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe -
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a1punf5t2of.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2924 set thread context of 2928 2924 a1punf5t2of.exe 31 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1punf5t2of.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2928 a1punf5t2of.exe 2928 a1punf5t2of.exe 2928 a1punf5t2of.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2928 a1punf5t2of.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2928 a1punf5t2of.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2924 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 30 PID 2316 wrote to memory of 2924 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 30 PID 2316 wrote to memory of 2924 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 30 PID 2316 wrote to memory of 2924 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 30 PID 2316 wrote to memory of 2924 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 30 PID 2316 wrote to memory of 2924 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 30 PID 2316 wrote to memory of 2924 2316 5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe 30 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31 PID 2924 wrote to memory of 2928 2924 a1punf5t2of.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe"C:\Users\Admin\AppData\Local\Temp\5367a32045767b8af7e9bdcb26ce5589be82f4df2bae6c54c8f632fbbd48e51d.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280KB
MD52cc48cd0b10f3c898475d43271848dd5
SHA1cb9fb12fb7583131a1e8dc2963e5d13c026486ef
SHA256cd4b2abbb5c47fec64cebfd9c8b55253fe5d3ad307fb3ecfc1e1108a37a9c0c1
SHA512fb675b02bb8561999200e9a7b53a47453bddbb97719022f477c396052311374d9be4164e5f2d6c741a2861b483ea52adbe7f19693f2bda9be3ec2c5016387423