Analysis
Max time kernel: 148s
Max time network: 151s
Platform: windows10_x64
Resource: win10v200430
Submitted: 24-06-2020 15:05

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 9174832 Invoice.exe
Resource: win7v200430
General
Target: 9174832 Invoice.exe
Size: 1.3MB
MD5: bf4ce7216c42ffe8a611fd43fdf34067
SHA1: 9a4e72401d131a71c240572b21b78eeb7f358ccd
SHA256: 15d88e59e80b15ed7b24ffd1a496ff718b76a6a7d06cc2be0d1f91e460871c12
SHA512: 0abd978399d1d6175e4010662340390888d91ea8eeb0b792cc9b4e616e85ccd0b20b90d4282dc3372cacca8d09bebc369fe826ecc238802e9a72de0c6186695b
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
Connection host:port: omojune.duckdns.org:8090
Mutex: dcf5c8b2-cf5c-4745-a999-a029dd2150f1

Configuration keys
activate_away_mode: true
backup_connection_host: omojune.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-25T16:41:24.051441936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8090
default_group: omo june
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: dcf5c8b2-cf5c-4745-a999-a029dd2150f1
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: omojune.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
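The extracted configuration above is only useful once it is turned into something a hunt can consume. The following added example (not part of the sandbox report or of the Triage tooling) collapses the config into network indicators and runs them over constructed DNS and connection log lines in a simplified, made-up format. Note two things the config itself tells us: the backup host is identical to the primary, so there is exactly one C2 hostname, and `use_custom_dns_server` is false, so the Google resolvers 8.8.8.8 / 8.8.4.4 are not indicators. The log format, field names and sample addresses are assumptions for the demonstration.

```python
"""Derive network IOCs from the NanoCore config extracted above and hunt for
them in constructed DNS/connection log lines (added example, not part of the
sandbox report)."""
import re
from dataclasses import dataclass

# Values copied from the extracted config above (other keys omitted).
NANOCORE_CONFIG = {
    "primary_connection_host": "omojune.duckdns.org",
    "backup_connection_host": "omojune.duckdns.org",
    "connection_port": 8090,
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
}


@dataclass(frozen=True)
class NetworkIocs:
    hosts: frozenset        # C2 hostnames, lower-case, no trailing dot
    port: int               # TCP port the bot connects to
    dns_servers: frozenset  # only populated if the bot really uses them


def iocs_from_config(cfg):
    """Collapse the config into the indicators worth hunting for."""
    hosts = {cfg["primary_connection_host"], cfg["backup_connection_host"]}
    # 8.8.8.8 / 8.8.4.4 are Google's public resolvers. They only become
    # indicators if use_custom_dns_server is true; otherwise they would
    # match half the estate and drown real hits.
    dns = set()
    if cfg["use_custom_dns_server"]:
        dns = {cfg["primary_dns_server"], cfg["backup_dns_server"]}
    return NetworkIocs(frozenset(h.lower().rstrip(".") for h in hosts),
                       int(cfg["connection_port"]), frozenset(dns))


# Constructed log lines in an assumed, simplified format (not from the run):
#   <ts> dns  <src> query=<name> type=<t> answer=<ip>
#   <ts> conn <src> -> <dst>:<port> proto=<tcp|udp>
LOG_LINES = [
    "2020-06-24T15:06:01Z dns  10.0.0.23 query=omojune.duckdns.org type=A answer=198.51.100.7",
    "2020-06-24T15:06:02Z conn 10.0.0.23 -> 198.51.100.7:8090 proto=tcp",
    "2020-06-24T15:06:05Z dns  10.0.0.23 query=www.example.com type=A answer=93.184.216.34",
    "2020-06-24T15:06:06Z conn 10.0.0.23 -> 93.184.216.34:443 proto=tcp",
    "2020-06-24T15:07:10Z conn 10.0.0.42 -> 203.0.113.9:8090 proto=tcp",
]

DNS_RE = re.compile(r"^(\S+) dns\s+(\S+) query=(\S+) type=\S+ answer=(\S+)$")
CONN_RE = re.compile(r"^(\S+) conn\s+(\S+) -> (\S+):(\d+) proto=(\S+)$")


def hunt(lines, iocs):
    """Return (timestamp, source_host, severity, reason) tuples.

    The hostname is the durable indicator: duckdns.org is a dynamic-DNS
    service, so the resolved address can change between runs. A connection
    is rated high only when it goes to an address the C2 name resolved to
    earlier in the same log set; a bare connection to TCP 8090 is rated low
    because the port is not unique to NanoCore.
    """
    findings = []
    c2_ips = set()
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            ts, src, qname, answer = m.groups()
            if qname.lower().rstrip(".") in iocs.hosts:
                c2_ips.add(answer)
                findings.append((ts, src, "high", f"DNS lookup of NanoCore C2 {qname}"))
            continue
        m = CONN_RE.match(line)
        if m:
            ts, src, dst, dport, proto = m.groups()
            if int(dport) != iocs.port or proto != "tcp":
                continue
            if dst in c2_ips:
                findings.append((ts, src, "high", f"TCP {dport} to {dst}, resolved from the C2 name"))
            else:
                findings.append((ts, src, "low", f"TCP {dport} to {dst} (C2 port, host unknown)"))
    return findings


if __name__ == "__main__":
    for finding in hunt(LOG_LINES, iocs_from_config(NANOCORE_CONFIG)):
        print(*finding)
```

Against the constructed lines this yields two high-confidence findings for 10.0.0.23 (the lookup of the C2 name and the follow-up connection to its answer on 8090) and one low-confidence finding for 10.0.0.42, which only shares the port. Adapting it to real telemetry means swapping the two regexes for your DNS and connection log parsers; the scoring logic stays the same.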
Signatures
Suspicious use of SendNotifyMessage (3 IoCs)
  pid 652  9174832 Invoice.exe  (x3)

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 652 wrote to memory of 2588 | pid 652  9174832 Invoice.exe -> target MSBuild.exe  (x5)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege | pid 2588  MSBuild.exe

Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid 2588  MSBuild.exe          (x3)
  pid 652   9174832 Invoice.exe  (x24)

Drops startup file (1 IoC)
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\timeout.url | 9174832 Invoice.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 652  9174832 Invoice.exe  (x3)

Suspicious use of SetThreadContext (1 IoC)
  PID 652 set thread context of 2588 | pid 652  9174832 Invoice.exe -> target MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2588  MSBuild.exe

Checks whether UAC is enabled (1 IoC)
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MSBuild.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\9174832 Invoice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9174832 Invoice.exe"
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: EnumeratesProcesses
   - Drops startup file
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetThreadContext

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Checks whether UAC is enabled