Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 18:01
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Note.jpg.bat.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Payment Note.jpg.bat.exe
- Resource: win10v200430
General
- Target: Payment Note.jpg.bat.exe
- Size: 3.5MB
- MD5: 0a58823cf240ad64edd991a378a3190d
- SHA1: 37f333ef38ec5b0befea8082ee5f915ede76f9a6
- SHA256: 1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13
- SHA512: 5b0713b9b07f0fb6cd7f26fc154b85cd9ba66a7cc5223d8181e07dc2018addd45dbea243fff155c0d20d20f6013301e0938ffa638974402522d023bcfb650134
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 3.tcp.ngrok.io:20027
- 20027:20027
- Mutex: 65111e8c-ec9f-4460-8960-7d4302c6de1c
- activate_away_mode: true
- backup_connection_host: 20027
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-20T18:37:01.695556536Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (no value shown)
- clear_access_control: false
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 20027
- default_group: NLH
- enable_debug_mode: true
- gc_threshold: 10485760
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: 65111e8c-ec9f-4460-8960-7d4302c6de1c
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 3.tcp.ngrok.io
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (1 IoC)
  PID 1996 Bin.exe
- Drops file in Program Files directory (2 IoCs)
  Bin.exe: File created C:\Program Files (x86)\WAN Subsystem\wanss.exe
  Bin.exe: File opened for modification C:\Program Files (x86)\WAN Subsystem\wanss.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 1544 (Payment Note.jpg.bat.exe) wrote to memory of PID 1692 (Payment Note.jpg.bat.exe), 9 times
  PID 1692 (Payment Note.jpg.bat.exe) wrote to memory of PID 1580 (Payment Note.jpg.bat.exe), 9 times
  PID 1580 (Payment Note.jpg.bat.exe) wrote to memory of PID 1996 (Bin.exe), 4 times
- Suspicious use of SetThreadContext (2 IoCs)
  PID 1544 (Payment Note.jpg.bat.exe) set thread context of PID 1692 (Payment Note.jpg.bat.exe)
  PID 1692 (Payment Note.jpg.bat.exe) set thread context of PID 1580 (Payment Note.jpg.bat.exe)
- Loads dropped DLL (2 IoCs)
  PID 1580 Payment Note.jpg.bat.exe, 2 times
- Checks whether UAC is enabled
  Bin.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Bin.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe"
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 1544 Payment Note.jpg.bat.exe
  Token: SeDebugPrivilege, PID 1692 Payment Note.jpg.bat.exe
  Token: SeDebugPrivilege, PID 1996 Bin.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 1544 Payment Note.jpg.bat.exe (3 times), PID 1692 Payment Note.jpg.bat.exe (3 times), PID 1996 Bin.exe (2 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1996 Bin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe (depth 1, PID 1544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe (depth 2, PID 1692, spawned by 1544)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe (depth 3, PID 1580, spawned by 1692)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe"
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - C:\Users\Admin\AppData\Roaming\Bin.exe (depth 4, PID 1996, spawned by 1580)
        Command line: "C:\Users\Admin\AppData\Roaming\Bin.exe"
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Checks whether UAC is enabled
        - Adds Run entry to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
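The extracted config and the signature list above give enough to write a host-side hunt for this sample's behaviour. The following Python is an added example (not part of the sandbox report, and not NanoCore's or the sandbox's own code): it lifts the indicators from the config (ngrok C2 host and port, Run key name, dropped path) and the process tree (self-relaunch chain hollowed via SetThreadContext, dropper writing into Program Files from the user profile), and runs a few detection rules over a constructed list of Sysmon-style events that mirrors the report. The event records, the explorer.exe parent with PID 1000 and the notepad.exe control record are assumptions, as is the "two rules per PID" threshold in `suspicious_pids`.

```python
"""Hunt for this report's NanoCore indicators in Sysmon-style telemetry.

Added example, not part of the sandbox report. Indicator constants come from
the extracted config and signatures; the EVENTS list is constructed to mirror
the report's process tree and is not real telemetry. Field names follow
Sysmon's schema (EventID 1/3/11/13), but nothing here reads a real event log.
"""
import re

# Indicators lifted from the report above.
C2_HOST = "3.tcp.ngrok.io"   # primary_connection_host
C2_PORT = 20027              # connection_port
RUN_KEY = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem"
DROP_PATH = r"C:\Program Files (x86)\WAN Subsystem\wanss.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe"
STAGE2 = r"C:\Users\Admin\AppData\Roaming\Bin.exe"

# Constructed events mirroring the report: the sample relaunches itself twice
# (1544 -> 1692 -> 1580, each stage hollowed via SetThreadContext), the third
# stage drops and runs Bin.exe (1996), which persists and beacons. The parent
# PID 1000 / explorer.exe and the notepad.exe control record are invented.
EVENTS = [
    {"EventID": 1, "ProcessId": 1544, "Image": SAMPLE,
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 1692, "Image": SAMPLE,
     "ParentProcessId": 1544, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 1580, "Image": SAMPLE,
     "ParentProcessId": 1692, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 1996, "Image": STAGE2,
     "ParentProcessId": 1580, "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 1996, "Image": STAGE2, "TargetFilename": DROP_PATH},
    {"EventID": 13, "ProcessId": 1996, "Image": STAGE2,
     "TargetObject": RUN_KEY, "Details": DROP_PATH},
    {"EventID": 3, "ProcessId": 1996, "Image": STAGE2,
     "DestinationHostname": C2_HOST, "DestinationPort": C2_PORT},
    {"EventID": 1, "ProcessId": 2222, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},
]

# A decoy document/image extension followed by one or more further extensions
# and a final .exe, e.g. "Payment Note.jpg.bat.exe" or "invoice.pdf.exe".
DECOY_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|xlsx?|txt|bat)(\.[^\\.]+)*\.exe$", re.I)


def under_user_profile(path):
    return path.lower().startswith("c:\\users\\")


def in_program_files(path):
    p = path.lower()
    return p.startswith("c:\\program files\\") or p.startswith("c:\\program files (x86)\\")


def hunt(events):
    """Return (rule, pid) tuples for every event matching one of the report's behaviours."""
    alerts = []
    for ev in events:
        eid, pid, image = ev["EventID"], ev["ProcessId"], ev["Image"]
        if eid == 1:
            if DECOY_EXT.search(image.rsplit("\\", 1)[-1]):
                alerts.append(("decoy_double_extension", pid))
            # A process whose parent is the same binary is the hallmark of the
            # self-injection chain behind the SetThreadContext signature.
            if ev["ParentImage"].lower() == image.lower():
                alerts.append(("self_relaunch_stage", pid))
        elif eid == 11:
            if in_program_files(ev["TargetFilename"]) and under_user_profile(image):
                alerts.append(("program_files_drop_from_user_profile", pid))
        elif eid == 13:
            if "\\currentversion\\run\\" in ev["TargetObject"].lower() and under_user_profile(image):
                alerts.append(("run_key_persistence", pid))
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower()
            # The C2 is an ngrok TCP tunnel: the resolved IP changes, so hunt on
            # the hostname (and on any *.ngrok.io egress), not on the address.
            if host == C2_HOST or host.endswith(".ngrok.io"):
                alerts.append(("ngrok_tunnel_c2", pid))
    return alerts


def suspicious_pids(events):
    """PIDs that hit at least two distinct rules; a single hit is weak on its own."""
    hits = {}
    for rule, pid in hunt(events):
        hits.setdefault(pid, set()).add(rule)
    return sorted(pid for pid, rules in hits.items() if len(rules) >= 2)


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{pid}: {rule}")
    print("suspicious:", suspicious_pids(EVENTS))
```

Run against the constructed events, the three hollowed stages (1692, 1580) and the dropped Bin.exe (1996) each trip at least two rules, while the first stage (1544) only trips the double-extension rule and the notepad.exe control record trips none. The ngrok rule is the one worth keeping even after this sample is gone: `backup_connection_host` and `primary_connection_host` in the config point at a rented tunnel, so any *.ngrok.io destination from a process under the user profile is a reasonable standalone hunt.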
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Bin.exe
- \Users\Admin\AppData\Roaming\Bin.exe
- memory/1544-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1580-10-0x0000000000400000-0x00000000004F0000-memory.dmp (960KB)
- memory/1580-11-0x00000000004EA3CE-mapping.dmp
- memory/1580-12-0x0000000000560000-0x0000000000650000-memory.dmp (960KB)
- memory/1580-13-0x0000000000560000-0x0000000000650000-memory.dmp (960KB)
- memory/1692-6-0x00000000006D0000-0x00000000008A8000-memory.dmp (1.8MB)
- memory/1692-5-0x00000000006D0000-0x00000000008A8000-memory.dmp (1.8MB)
- memory/1692-4-0x00000000005D2D3E-mapping.dmp
- memory/1996-16-0x0000000000000000-mapping.dmp