Analysis
max time kernel: 65s
max time network: 145s
platform: windows10_x64
resource: win10
submitted: 07-07-2020 10:24
Static task: static1
Behavioral task: behavioral1
Sample: DEMAND.DOC.exe
Resource: win7v200430
General
Target: DEMAND.DOC.exe
Size: 471KB
MD5: 631ca0db7718d5e9b99256ec227f7afb
SHA1: 8a2da86dfc5146b9f2dd149f21403f0c74877334
SHA256: ec4a44be83f7d379837e91f10d5ea17fdd9d6ac00dfc125324ee71dc17e17e6f
SHA512: 7686cb8ca95f484858e7b091f3582a2195dab0585d825ea1c32dd9e0c4525f8a9dc9d778cfeaf8cac7304dfc6bca0c8c1e1cee20047735607c207cc7e86fe326
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: frank3000.ddns.net:4983
Mutex: 53dd63cb-dcb6-4eb8-bea2-1c572110bc62
activate_away_mode: true
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-04-10T23:12:52.316007036Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 4983
default_group: Frank
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 53dd63cb-dcb6-4eb8-bea2-1c572110bc62
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: frank3000.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3796  schtasks.exe
  3472  schtasks.exe
Checks whether UAC is enabled
Processes:
  description          ioc                                                                                     process
  Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   MSBuild.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
  pid   process
  3588  DEMAND.DOC.exe
  3588  DEMAND.DOC.exe
  3588  DEMAND.DOC.exe
  3908  MSBuild.exe
  3908  MSBuild.exe
  3908  MSBuild.exe
  3908  MSBuild.exe
  3908  MSBuild.exe
  3908  MSBuild.exe
  744   vbc.exe
  744   vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   3588  DEMAND.DOC.exe
  Token: SeDebugPrivilege   3908  MSBuild.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                            pid   process         target process
  PID 3588 set thread context of 3908    3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3908 set thread context of 2568    3908  MSBuild.exe     vbc.exe
  PID 3908 set thread context of 744     3908  MSBuild.exe     vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  3908  MSBuild.exe
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of WriteProcessMemory 35 IoCs
Processes:
  description                          pid   process         target process
  PID 3588 wrote to memory of 3796     3588  DEMAND.DOC.exe  schtasks.exe
  PID 3588 wrote to memory of 3796     3588  DEMAND.DOC.exe  schtasks.exe
  PID 3588 wrote to memory of 3796     3588  DEMAND.DOC.exe  schtasks.exe
  PID 3588 wrote to memory of 3888     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3888     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3888     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3588 wrote to memory of 3908     3588  DEMAND.DOC.exe  MSBuild.exe
  PID 3908 wrote to memory of 3472     3908  MSBuild.exe     schtasks.exe
  PID 3908 wrote to memory of 3472     3908  MSBuild.exe     schtasks.exe
  PID 3908 wrote to memory of 3472     3908  MSBuild.exe     schtasks.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 2568     3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
  PID 3908 wrote to memory of 744      3908  MSBuild.exe     vbc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\DEMAND.DOC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DEMAND.DOC.exe"
  PID: 3588
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UnQWZljPSLttGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp748F.tmp"
    PID: 3796
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    PID: 3888
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    PID: 3908
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp"
      PID: 3472
      - Creates scheduled task(s)
    \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
      Command line: "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\v0bbn1to.nuc"
      PID: 2568
    \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
      Command line: "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\ydgccxog.dlt"
      PID: 744
      - Suspicious behavior: EnumeratesProcesses