Analysis
- max time kernel: 145s
- max time network: 138s
- platform: windows10_x64
- resource: win10v200430
- submitted: 24-06-2020 15:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO 4993837.exe
- Resource: win7v200430
General
- Target: PO 4993837.exe
- Size: 1.3MB
- MD5: 54c5c7e6e79dee508851549861c453a9
- SHA1: a92f515a0510feaf981f0d2b544aa602a346177b
- SHA256: 582ec0985f0066dab40c455d1f8e6c414d9d5d0c156f673c6327efb901d97542
- SHA512: 52400a6a6a6c2e272c792e80238fc82d2e0d987f54d521b15ffa456a8dae471b97efd8806cc876ef54992149b2563366ea0eaf97902088a0b17e309a0da76a68
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.140.53.12:1985
- Mutex: 76b99e5b-25c3-4464-b518-9c818a6b16d3

Configuration keys:
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-16T15:41:37.080532036Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1985
- default_group: kdott
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 76b99e5b-25c3-4464-b518-9c818a6b16d3
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: 185.140.53.12
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: PO 4993837.exe
  description         pid   process         target pid  target process
  wrote to memory of  2540  PO 4993837.exe  2812        MSBuild.exe      (5 identical entries)

Suspicious use of SetThreadContext (1 IoCs)
Processes: PO 4993837.exe
  description            pid   process         target pid  target process
  set thread context of  2540  PO 4993837.exe  2812        MSBuild.exe

Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes: MSBuild.exe, PO 4993837.exe
  pid   process
  2812  MSBuild.exe      (3 entries)
  2540  PO 4993837.exe   (26 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: MSBuild.exe
  pid   process
  2812  MSBuild.exe

Checks whether UAC is enabled (1 IoCs)
Processes: MSBuild.exe
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MSBuild.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: PO 4993837.exe
  pid   process
  2540  PO 4993837.exe   (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes: PO 4993837.exe
  pid   process
  2540  PO 4993837.exe   (3 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: MSBuild.exe
  description              pid   process
  Token: SeDebugPrivilege  2812  MSBuild.exe

Drops startup file (1 IoCs)
Processes: PO 4993837.exe
  description                   ioc                                                                                          process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DataStoreCacheDumpTool.url  PO 4993837.exe

Drops file in Program Files directory (2 IoCs)
Processes: MSBuild.exe
  description                   ioc                                              process
  File created                  C:\Program Files (x86)\SCSI Manager\scsimgr.exe  MSBuild.exe
  File opened for modification  C:\Program Files (x86)\SCSI Manager\scsimgr.exe  MSBuild.exe

Adds Run entry to start application (2 TTPs, 1 IoCs)
Processes: MSBuild.exe
  description      ioc                                                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager = "C:\\Program Files (x86)\\SCSI Manager\\scsimgr.exe"  MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO 4993837.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO 4993837.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Drops startup file
  - Child process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Adds Run entry to start application