Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 06:22

Static task: static1
Behavioral task: behavioral1
- Sample: 1802IMLC2028.exe
- Resource: win7
General
- Target: 1802IMLC2028.exe
- Size: 706KB
- MD5: 7156fe1fbd0ff21e67df080ba863336f
- SHA1: aa8fd714b46421835a02d906f4770b4f8f8c718a
- SHA256: db256170f60efdebefa6673fd5e985a7688c3ea5656aa827a61b9f3c600d0b00
- SHA512: da29de24846e4f804efed3e50e656d7634e9d9896690b205f25641ef21c46793da85b872f3141d9342644d437a5a7b496d220294b47de1f05d0e43cbab1ffe47
Malware Config
Extracted: nanocore 1.2.2.0
C2: INDOMIE.LINKPC.NET:1818, 185.140.53.9:1818
Mutex: c2760388-119a-4b64-9007-01bc88004481

- activate_away_mode: true
- backup_connection_host: 185.140.53.9
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-19T16:48:01.198372836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1818
- default_group: INDOMIE
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: c2760388-119a-4b64-9007-01bc88004481
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: INDOMIE.LINKPC.NET
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Drops startup file (1 IoC)
Processes:
- notepad.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf.vbs

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- PID 1516 1802IMLC2028.exe
- PID 1764 1802IMLC2028.exe
- PID 1764 1802IMLC2028.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- PID 1516 1802IMLC2028.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- PID 1764 1802IMLC2028.exe: Token: SeDebugPrivilege

UPX packed file (3 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
Resources (yara rule: upx):
- behavioral1/memory/1764-2-0x0000000000400000-0x000000000047F000-memory.dmp
- behavioral1/memory/1764-4-0x0000000000400000-0x000000000047F000-memory.dmp
- behavioral1/memory/1764-5-0x0000000000400000-0x000000000047F000-memory.dmp

Checks whether UAC is enabled (1 IoC)
Processes:
- 1802IMLC2028.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Drops file in Program Files directory (2 IoCs)
Processes:
- 1802IMLC2028.exe: File opened for modification C:\Program Files (x86)\WAN Subsystem\wanss.exe
- 1802IMLC2028.exe: File created C:\Program Files (x86)\WAN Subsystem\wanss.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
- PID 1516 (1802IMLC2028.exe) wrote to memory of PID 1804 (notepad.exe), recorded 6 times
- PID 1516 (1802IMLC2028.exe) wrote to memory of PID 1764 (1802IMLC2028.exe), recorded 4 times

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1516 (1802IMLC2028.exe) set thread context of PID 1764 (1802IMLC2028.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 1764 1802IMLC2028.exe

Adds Run entry to start application (2 TTPs, 1 IoC)
Processes:
- 1802IMLC2028.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe"
Processes
- C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe (PID 1516)
  command line: "C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\notepad.exe (PID 1804)
    command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe (PID 1764)
    command line: "C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Adds Run entry to start application
Downloads
- memory/1764-2-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1764-3-0x000000000047D4C0-mapping.dmp
- memory/1764-4-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1764-5-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/1764-6-0x0000000000500000-0x0000000000538000-memory.dmp (224KB)
- memory/1764-7-0x0000000000552000-0x0000000000553000-memory.dmp (4KB)
- memory/1764-8-0x0000000000480000-0x00000000004B3000-memory.dmp (204KB)
- memory/1804-0-0x0000000000000000-mapping.dmp
- memory/1804-1-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)