Analysis
-
max time kernel
42s
-
max time network
150s
-
platform
windows10_x64
-
resource
win10v20201028
-
submitted
19-01-2021 12:00
Static task
static1
Behavioral task
behavioral1
Sample
Orden n.º STL21119, pdf.exe
Resource
win7v20201028
General
-
Target
Orden n.º STL21119, pdf.exe
-
Size
1.0MB
-
MD5
35ac4ad018dc2bcdfaeff01decd3e8fe
-
SHA1
6dbe8e66f9e1c0f59169b7c7aff0bcdb9c789ecc
-
SHA256
9a74f71ee76b3652042a3f5e1f5e4a8bacc97a3c72b28baa37008169170ab980
-
SHA512
259b55ab84d7088d58c1e4c8c819fa84ef7591bfa9f4f16f21b5471ebb69bb984521447428e41f26a3e51cacc540c63bec1f39b126461af2270d1974bad5c495
Malware Config
Extracted
Family
nanocore
Version
1.2.2.0
C2
graceland777.ddns.net:7771
Mutex
f7d05b5d-02c5-486b-afe2-be27c9d37bca
-
activate_away_mode
true
-
backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-10-30T18:30:48.730556136Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
3997
-
connection_port
7771
-
default_group
MAX GRACE
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f7d05b5d-02c5-486b-afe2-be27c9d37bca
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
graceland777.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: MSBuild.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe" | MSBuild.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Orden n.º STL21119, pdf.exe
description | pid | process | target process
PID 988 set thread context of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
-
Drops file in Program Files directory 2 IoCs
Processes: MSBuild.exe
description | ioc | process
File created | C:\Program Files (x86)\WAN Service\wansv.exe | MSBuild.exe
File opened for modification | C:\Program Files (x86)\WAN Service\wansv.exe | MSBuild.exe
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe; schtasks.exe; schtasks.exe
pid | process
312 | schtasks.exe
432 | schtasks.exe
2144 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: Orden n.º STL21119, pdf.exe; MSBuild.exe
pid | process
988 | Orden n.º STL21119, pdf.exe
2688 | MSBuild.exe
2688 | MSBuild.exe
2688 | MSBuild.exe
2688 | MSBuild.exe
2688 | MSBuild.exe
2688 | MSBuild.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: MSBuild.exe
pid | process
2688 | MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Orden n.º STL21119, pdf.exe; MSBuild.exe
description | pid | process
Token: SeDebugPrivilege | 988 | Orden n.º STL21119, pdf.exe
Token: SeDebugPrivilege | 2688 | MSBuild.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: Orden n.º STL21119, pdf.exe; MSBuild.exe
description | pid | process | target process
PID 988 wrote to memory of 312 | 988 | Orden n.º STL21119, pdf.exe | schtasks.exe
PID 988 wrote to memory of 312 | 988 | Orden n.º STL21119, pdf.exe | schtasks.exe
PID 988 wrote to memory of 312 | 988 | Orden n.º STL21119, pdf.exe | schtasks.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 988 wrote to memory of 2688 | 988 | Orden n.º STL21119, pdf.exe | MSBuild.exe
PID 2688 wrote to memory of 432 | 2688 | MSBuild.exe | schtasks.exe
PID 2688 wrote to memory of 432 | 2688 | MSBuild.exe | schtasks.exe
PID 2688 wrote to memory of 432 | 2688 | MSBuild.exe | schtasks.exe
PID 2688 wrote to memory of 2144 | 2688 | MSBuild.exe | schtasks.exe
PID 2688 wrote to memory of 2144 | 2688 | MSBuild.exe | schtasks.exe
PID 2688 wrote to memory of 2144 | 2688 | MSBuild.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Orden n.º STL21119, pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Orden n.º STL21119, pdf.exe"
Process tree depth: 1
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kSLtgWcvnYChD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp"
Process tree depth: 2
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
Command line: "{path}"
Process tree depth: 2
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDAF4.tmp"
Process tree depth: 3
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp"
Process tree depth: 3
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp
MD5
bd1d114ce4f1aca78775ed73046afe70
SHA1
fc57360f36695f3cd0ebf6445709b2f2851f0dca
SHA256
a1e9b00e1a1c44f22a8658a31759f1c331dce629eed69a492cb825d3f6fc4c48
SHA512
95cfa710a43ee48d2fe13792e57e903392f41c2bd6dc9027c898e103279ac570f2afb573ce133d2715bd47eca206a5b42f7a2ead8a339087230df1fd9be74a23
-
C:\Users\Admin\AppData\Local\Temp\tmpDAF4.tmp
MD5
ae766004c0d8792953bafffe8f6a2e3b
SHA1
14b12f27543a401e2fe0af8052e116cab0032426
SHA256
1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
SHA512
e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567
-
C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp
MD5
eb527779d4a920bac8c3c59e8f4b4b4c
SHA1
4c9c48fd4ab89a983c87d810577133dc281160b4
SHA256
97a200adfccc855ed435941fe1453a6add1a66b8390d033279c2f1a6a64c26a2
SHA512
a48c1ca2310a4bceacca90d3b8748fdecc0169738905e0bc62a665ab048c1ae6bb801dc99f0f04d85287993c27bfd0a4e7f59d27a1c233b6662d6ba3ca586da0
-
memory/312-3-0x0000000000000000-mapping.dmp
-
memory/432-7-0x0000000000000000-mapping.dmp
-
memory/988-2-0x0000000002C40000-0x0000000002C41000-memory.dmp
Filesize
4KB
-
memory/2144-10-0x0000000000000000-mapping.dmp
-
memory/2688-5-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2688-6-0x000000000041E792-mapping.dmp
-
memory/2688-9-0x0000000001270000-0x0000000001271000-memory.dmp
Filesize
4KB
-
memory/2688-12-0x0000000001271000-0x0000000001272000-memory.dmp
Filesize
4KB