Analysis
- max time kernel: 148s
- max time network: 142s
- platform: windows7_x64
- resource: win7v200430
- submitted: 24-06-2020 15:05

Static task: static1
Behavioral task: behavioral1
Sample: 9174832 Invoice.exe
Resource: win7v200430
General
- Target: 9174832 Invoice.exe
- Size: 1.3MB
- MD5: bf4ce7216c42ffe8a611fd43fdf34067
- SHA1: 9a4e72401d131a71c240572b21b78eeb7f358ccd
- SHA256: 15d88e59e80b15ed7b24ffd1a496ff718b76a6a7d06cc2be0d1f91e460871c12
- SHA512: 0abd978399d1d6175e4010662340390888d91ea8eeb0b792cc9b4e616e85ccd0b20b90d4282dc3372cacca8d09bebc369fe826ecc238802e9a72de0c6186695b
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: omojune.duckdns.org:8090
- Mutex: dcf5c8b2-cf5c-4745-a999-a029dd2150f1

- activate_away_mode: true
- backup_connection_host: omojune.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-25T16:41:24.051441936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8090
- default_group: omo june
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: dcf5c8b2-cf5c-4745-a999-a029dd2150f1
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: omojune.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid, process):
- 1292  9174832 Invoice.exe  (3 identical entries)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid, process):
- 240  MSBuild.exe  (2 identical entries)
- 1292  9174832 Invoice.exe  (12 identical entries)

Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MSBuild.exe

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid, process):
- 1292  9174832 Invoice.exe  (3 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
- PID 1292 wrote to memory of 240  1292  9174832 Invoice.exe  MSBuild.exe  (6 identical entries)

Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 1292 set thread context of 240  1292  9174832 Invoice.exe  MSBuild.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege  240  MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 240  MSBuild.exe

Drops startup file (1 IoC)
Processes (description, ioc, process):
- File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\timeout.url  9174832 Invoice.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9174832 Invoice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9174832 Invoice.exe"
   - Suspicious use of FindShellTrayWindow
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   - Drops startup file
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (child of process 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: GetForegroundWindowSpam