Analysis
- max time kernel: 47s
- max time network: 153s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 12:00
Static task: static1
Behavioral task: behavioral1
Sample: Orden n.º STL21119, pdf.exe
Resource: win7v20201028
General
- Target: Orden n.º STL21119, pdf.exe
- Size: 1.0MB
- MD5: 35ac4ad018dc2bcdfaeff01decd3e8fe
- SHA1: 6dbe8e66f9e1c0f59169b7c7aff0bcdb9c789ecc
- SHA256: 9a74f71ee76b3652042a3f5e1f5e4a8bacc97a3c72b28baa37008169170ab980
- SHA512: 259b55ab84d7088d58c1e4c8c819fa84ef7591bfa9f4f16f21b5471ebb69bb984521447428e41f26a3e51cacc540c63bec1f39b126461af2270d1974bad5c495
Malware Config
Extracted
nanocore
1.2.2.0
graceland777.ddns.net:7771
f7d05b5d-02c5-486b-afe2-be27c9d37bca
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-10-30T18:30:48.730556136Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 3997
- connection_port: 7771
- default_group: MAX GRACE
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f7d05b5d-02c5-486b-afe2-be27c9d37bca
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: graceland777.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: MSBuild.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" | MSBuild.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Orden n.º STL21119, pdf.exe
  description | pid | process | target process
  PID 2028 set thread context of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: MSBuild.exe
  description | ioc | process
  File created | C:\Program Files (x86)\WPA Host\wpahost.exe | MSBuild.exe
  File opened for modification | C:\Program Files (x86)\WPA Host\wpahost.exe | MSBuild.exe
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid | process
  1532 | schtasks.exe
  1652 | schtasks.exe
  540 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: Orden n.º STL21119, pdf.exe, MSBuild.exe
  pid | process
  2028 | Orden n.º STL21119, pdf.exe
  2008 | MSBuild.exe
  2008 | MSBuild.exe
  2008 | MSBuild.exe
  2008 | MSBuild.exe
  2008 | MSBuild.exe
  2008 | MSBuild.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: MSBuild.exe
  pid | process
  2008 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Orden n.º STL21119, pdf.exe, MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 2028 | Orden n.º STL21119, pdf.exe
  Token: SeDebugPrivilege | 2008 | MSBuild.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: Orden n.º STL21119, pdf.exe, MSBuild.exe
  description | pid | process | target process
  PID 2028 wrote to memory of 1652 | 2028 | Orden n.º STL21119, pdf.exe | schtasks.exe
  PID 2028 wrote to memory of 1652 | 2028 | Orden n.º STL21119, pdf.exe | schtasks.exe
  PID 2028 wrote to memory of 1652 | 2028 | Orden n.º STL21119, pdf.exe | schtasks.exe
  PID 2028 wrote to memory of 1652 | 2028 | Orden n.º STL21119, pdf.exe | schtasks.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2028 wrote to memory of 2008 | 2028 | Orden n.º STL21119, pdf.exe | MSBuild.exe
  PID 2008 wrote to memory of 540 | 2008 | MSBuild.exe | schtasks.exe
  PID 2008 wrote to memory of 540 | 2008 | MSBuild.exe | schtasks.exe
  PID 2008 wrote to memory of 540 | 2008 | MSBuild.exe | schtasks.exe
  PID 2008 wrote to memory of 540 | 2008 | MSBuild.exe | schtasks.exe
  PID 2008 wrote to memory of 1532 | 2008 | MSBuild.exe | schtasks.exe
  PID 2008 wrote to memory of 1532 | 2008 | MSBuild.exe | schtasks.exe
  PID 2008 wrote to memory of 1532 | 2008 | MSBuild.exe | schtasks.exe
  PID 2008 wrote to memory of 1532 | 2008 | MSBuild.exe | schtasks.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Orden n.º STL21119, pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Orden n.º STL21119, pdf.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kSLtgWcvnYChD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp"
    Signatures:
    - Creates scheduled task(s)
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "{path}"
    Signatures:
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9D68.tmp"
      Signatures:
      - Creates scheduled task(s)
    - (depth 3) C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9E05.tmp"
      Signatures:
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp99FE.tmp
  MD5: 2cb26d5e0ed330d15594f0677d2a80ae
  SHA1: 6f34c99e31afa7c01e4fbc6373bc456a3996bf64
  SHA256: d46b0931b2b76fc7aa9d57d338c4b1e889c08525ce98a88f940c67b5e915804f
  SHA512: 15f8f1951a3071563c993d3b5809a3e7e6e9ca601de7e65a7d027bfaa1361732fcc14ffcb59ec6eedffe8314298d88cb44554e083b1f5734059de625f173ebe7
- C:\Users\Admin\AppData\Local\Temp\tmp9D68.tmp
  MD5: ae766004c0d8792953bafffe8f6a2e3b
  SHA1: 14b12f27543a401e2fe0af8052e116cab0032426
  SHA256: 1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
  SHA512: e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567
- C:\Users\Admin\AppData\Local\Temp\tmp9E05.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd
- memory/540-10-0x0000000000000000-mapping.dmp
- memory/1532-12-0x0000000000000000-mapping.dmp
- memory/1652-5-0x0000000000000000-mapping.dmp
- memory/2008-8-0x000000000041E792-mapping.dmp
- memory/2008-7-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/2008-13-0x00000000005E0000-0x00000000005E1000-memory.dmp
  Filesize: 4KB
- memory/2008-15-0x00000000005E1000-0x00000000005E2000-memory.dmp
  Filesize: 4KB
- memory/2008-16-0x00000000005E6000-0x00000000005F7000-memory.dmp
  Filesize: 68KB
- memory/2028-2-0x0000000075C31000-0x0000000075C33000-memory.dmp
  Filesize: 8KB
- memory/2028-4-0x00000000003E1000-0x00000000003E2000-memory.dmp
  Filesize: 4KB
- memory/2028-3-0x00000000003E0000-0x00000000003E1000-memory.dmp
  Filesize: 4KB