Analysis
- max time kernel: 134s
- max time network: 144s
- platform: windows10_x64
- resource: win10v200430
- submitted: 08-07-2020 06:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1802IMLC2028.exe
- Resource: win7
General
- Target: 1802IMLC2028.exe
- Size: 706KB
- MD5: 7156fe1fbd0ff21e67df080ba863336f
- SHA1: aa8fd714b46421835a02d906f4770b4f8f8c718a
- SHA256: db256170f60efdebefa6673fd5e985a7688c3ea5656aa827a61b9f3c600d0b00
- SHA512: da29de24846e4f804efed3e50e656d7634e9d9896690b205f25641ef21c46793da85b872f3141d9342644d437a5a7b496d220294b47de1f05d0e43cbab1ffe47
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: INDOMIE.LINKPC.NET:1818, 185.140.53.9:1818
- Mutex: c2760388-119a-4b64-9007-01bc88004481

Configuration keys:
- activate_away_mode: true
- backup_connection_host: 185.140.53.9
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-19T16:48:01.198372836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1818
- default_group: INDOMIE
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: c2760388-119a-4b64-9007-01bc88004481
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: INDOMIE.LINKPC.NET
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1802IMLC2028.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2684 | 1802IMLC2028.exe
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes:
  resource | yara_rule
  behavioral2/memory/2684-1-0x0000000000400000-0x000000000047F000-memory.dmp | upx
  behavioral2/memory/2684-3-0x0000000000400000-0x000000000047F000-memory.dmp | upx
  behavioral2/memory/2684-4-0x0000000000400000-0x000000000047F000-memory.dmp | upx
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\SCSI Manager\scsimgr.exe | 1802IMLC2028.exe
  File opened for modification | C:\Program Files (x86)\SCSI Manager\scsimgr.exe | 1802IMLC2028.exe
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager = "C:\\Program Files (x86)\\SCSI Manager\\scsimgr.exe" | 1802IMLC2028.exe
- Drops startup file (1 IoC)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf.vbs | notepad.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid | process
  2416 | 1802IMLC2028.exe
  2416 | 1802IMLC2028.exe
  2684 | 1802IMLC2028.exe
  2684 | 1802IMLC2028.exe
  2684 | 1802IMLC2028.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 2416 wrote to memory of 2644 | 2416 | 1802IMLC2028.exe | notepad.exe
  PID 2416 wrote to memory of 2644 | 2416 | 1802IMLC2028.exe | notepad.exe
  PID 2416 wrote to memory of 2644 | 2416 | 1802IMLC2028.exe | notepad.exe
  PID 2416 wrote to memory of 2644 | 2416 | 1802IMLC2028.exe | notepad.exe
  PID 2416 wrote to memory of 2644 | 2416 | 1802IMLC2028.exe | notepad.exe
  PID 2416 wrote to memory of 2684 | 2416 | 1802IMLC2028.exe | 1802IMLC2028.exe
  PID 2416 wrote to memory of 2684 | 2416 | 1802IMLC2028.exe | 1802IMLC2028.exe
  PID 2416 wrote to memory of 2684 | 2416 | 1802IMLC2028.exe | 1802IMLC2028.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  2416 | 1802IMLC2028.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2416 set thread context of 2684 | 2416 | 1802IMLC2028.exe | 1802IMLC2028.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  2684 | 1802IMLC2028.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\notepad.exe (depth 2)
    Command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1802IMLC2028.exe"
    - Checks whether UAC is enabled
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Adds Run entry to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2644-0-0x0000000000000000-mapping.dmp
- memory/2684-1-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/2684-2-0x000000000047D4C0-mapping.dmp
- memory/2684-3-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/2684-4-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/2684-5-0x0000000000960000-0x0000000000998000-memory.dmp (Filesize: 224KB)
- memory/2684-6-0x00000000023E2000-0x00000000023E3000-memory.dmp (Filesize: 4KB)