Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 04-05-2021 15:22

Static task: static1
Behavioral task: behavioral1
Sample: Invoice No F1019855_PDF.vbs
Resource: win7v20210410
General
- Target: Invoice No F1019855_PDF.vbs
- Size: 486KB
- MD5: ce4dcec84bfeba49404fa70f5d137645
- SHA1: c31021953c59af126d0095bea70c26ca02a2d954
- SHA256: ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
- SHA512: 206f93128c63f78891cd55aff0a2ffe74696845df2f1d2a359bd569716f2a8a7d68c9b12c724c3b5e35963664eba8ce41d8eb65c54f5f36d256fb850635e7b01
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: sys2021.linkpc.net:11940, 191.96.25.26:11940
- Mutex: ac555290-50d4-4120-9390-e76e4f948dd7

Configuration fields:
- activate_away_mode: true
- backup_connection_host: 191.96.25.26
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-02-01T07:39:23.093861436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 11940
- default_group: Start Up
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: ac555290-50d4-4120-9390-e76e4f948dd7
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: sys2021.linkpc.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Contains code to disable Windows Defender (4 IoCs)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\ame.exe  disable_win_def  (2 matches)
    C:\Users\Admin\AppData\Roaming\Notepads.exe  disable_win_def  (2 matches)

- Async RAT payload (4 IoCs)
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\ame.exe  asyncrat  (2 matches)
    C:\Users\Admin\AppData\Roaming\Notepads.exe  asyncrat  (2 matches)

- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1956  ame.exe
    1760  fi.exe
    1736  Notepads.exe

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"  fi.exe

- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  fi.exe

- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Program Files (x86)\LAN Host\lanhost.exe  fi.exe
    File opened for modification  C:\Program Files (x86)\LAN Host\lanhost.exe  fi.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid, process):
    1760  fi.exe  (3 matches)
    1956  ame.exe  (13 matches)
    1736  Notepads.exe  (10 matches)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    1760  fi.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1760  fi.exe
    Token: SeDebugPrivilege  1956  ame.exe
    Token: SeDebugPrivilege  1736  Notepads.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description, pid, process, target process):
    PID 1072 wrote to memory of 1956  1072  WScript.exe  ame.exe  (3 matches)
    PID 1072 wrote to memory of 1760  1072  WScript.exe  fi.exe  (4 matches)
    PID 1956 wrote to memory of 284   1956  ame.exe  WScript.exe  (3 matches)
    PID 284 wrote to memory of 1012   284   WScript.exe  schtasks.exe  (3 matches)
    PID 1956 wrote to memory of 1736  1956  ame.exe  Notepads.exe  (3 matches)
Processes (indentation shows parent/child relationship)

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Invoice No F1019855_PDF.vbs"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ame.exe
    "C:\Users\Admin\AppData\Local\Temp\ame.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp2E51.tmp.vbs"
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn Notepads.exe /tr "C:\Users\Admin\AppData\Roaming\Notepads.exe
        - Creates scheduled task(s)

    C:\Users\Admin\AppData\Roaming\Notepads.exe
      "C:\Users\Admin\AppData\Roaming\Notepads.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\fi.exe
    "C:\Users\Admin\AppData\Local\Temp\fi.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
Downloads (dropped files)

- C:\Users\Admin\AppData\Local\Temp\ame.exe
  MD5: f7f64ec1756119f19d52fb140e22382f
  SHA1: c4fa973b801d954562fe00ac7bd2c6d051ae6e2f
  SHA256: c676638b019d810ce392cadcf8f0719f76f305d380d69ba93a6fc60a3f92e2c7
  SHA512: f29a10012a4e7ef6989bcea75554b12a17415fba4d8181c6a2b3ae0e663fe59b4c5ed910583f898d5c36a5178041a9adcf92ec758b45cea082165e596d7061ba

- C:\Users\Admin\AppData\Local\Temp\fi.exe
  MD5: 86a588c5a10a04af998dbad9ff9a31d1
  SHA1: 8ac3e114d36f6674bf64d7f45221207e8575ea62
  SHA256: b9f40a82eb141d2c09e9fdf133b80dceb4163c89471cec7af84db2141c5d51a5
  SHA512: 8978104324435b461be67e148d44271a04a86550c7c1d8c5f474b1a7e63da32fd9400f63a767555f13a2cfb21eec32aac6ca387f39c048fd4e36333cf6747ec9

- C:\Users\Admin\AppData\Local\Temp\tmp2E51.tmp.vbs
  MD5: 93be4fdb10eed452d4f027b2bdd3aab9
  SHA1: d49dec91f4ef2aceeaf66bc7aa2ab04e6db53f06
  SHA256: a37de9a3fcdd78e747502dbd9185df33a7ed1d1a2af7b2cecad6c5ebf34e8b0c
  SHA512: 7ad2f021cb3ce07df310c4d291773c004a9c1c61eef739c0dde5be6588a9d0eebc497b5d4ae446c44c9e2e700e5693f25ec479f2a61f0427ffd988b703ad35e8

- C:\Users\Admin\AppData\Roaming\Notepads.exe (identical hashes to ame.exe above)
  MD5: f7f64ec1756119f19d52fb140e22382f
  SHA1: c4fa973b801d954562fe00ac7bd2c6d051ae6e2f
  SHA256: c676638b019d810ce392cadcf8f0719f76f305d380d69ba93a6fc60a3f92e2c7
  SHA512: f29a10012a4e7ef6989bcea75554b12a17415fba4d8181c6a2b3ae0e663fe59b4c5ed910583f898d5c36a5178041a9adcf92ec758b45cea082165e596d7061ba