Analysis
- max time kernel: 92s
- max time network: 166s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 14:54
Static task: static1
Behavioral task: behavioral1
- Sample: 31578_Invoice_receipt.exe
- Resource: win7-en-20210920
General
- Target: 31578_Invoice_receipt.exe
- Size: 763KB
- MD5: 182b6a3b80b6290f55b6670edf9efd0e
- SHA1: f6e60d4d0be6547af5822760bc0c0195884b012d
- SHA256: 12b9d16dc98af934b38e22cf08b7c10cb55bfd8bbb3084dcf5699eb0ab35a073
- SHA512: 1aebfcb9df20cc07c3bff03e1294fe479910bfb9b169e1aa895702f9210f19e4993470b5bf08c1181952facca3ad8689031361abe7768d57515c50d31607407a
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: sunnysept.duckdns.org:5500
- Mutex: af905a54-91e0-44a6-90a1-2d1125da804b
Configuration fields:
- activate_away_mode: true
- backup_connection_host: sunnysept.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-06-21T21:09:02.390615436Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5500
- default_group: septe123
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: af905a54-91e0-44a6-90a1-2d1125da804b
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: sunnysept.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Windows security modification 4 IoCs
Processes: 31578_Invoice_receipt.exe

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | 31578_Invoice_receipt.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | 31578_Invoice_receipt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\鑮鑙鑠鐪鑙鐧鑂鐰鑘鑙鐯鑜鐪鑋鑘\svchost.exe = "0" | 31578_Invoice_receipt.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\31578_Invoice_receipt.exe = "0" | 31578_Invoice_receipt.exe |

Checks whether UAC is enabled 1 IoCs
Processes: 31578_Invoice_receipt.exe

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 31578_Invoice_receipt.exe |

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
Processes: 31578_Invoice_receipt.exe

| pid | process | occurrences |
| --- | --- | --- |
| 2428 | 31578_Invoice_receipt.exe | 15 |

Suspicious use of SetThreadContext 1 IoCs
Processes: 31578_Invoice_receipt.exe

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2428 set thread context of 696 | 2428 | 31578_Invoice_receipt.exe | 31578_Invoice_receipt.exe |

Drops file in Windows directory 2 IoCs
Processes: 31578_Invoice_receipt.exe

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\Microsoft.NET\Framework\鑮鑙鑠鐪鑙鐧鑂鐰鑘鑙鐯鑜鐪鑋鑘\svchost.exe | 31578_Invoice_receipt.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\鑮鑙鑠鐪鑙鐧鑂鐰鑘鑙鐯鑜鐪鑋鑘\svchost.exe | 31578_Invoice_receipt.exe |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
Processes: WerFault.exe

| pid | pid_target | process | target process |
| --- | --- | --- | --- |
| 3020 | 2428 | WerFault.exe | 31578_Invoice_receipt.exe |

Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes: powershell.exe, powershell.exe, 31578_Invoice_receipt.exe, powershell.exe, 31578_Invoice_receipt.exe, WerFault.exe

| pid | process | occurrences |
| --- | --- | --- |
| 3376 | powershell.exe | 3 |
| 1108 | powershell.exe | 3 |
| 1768 | powershell.exe | 3 |
| 2428 | 31578_Invoice_receipt.exe | 3 |
| 696 | 31578_Invoice_receipt.exe | 12 |
| 3020 | WerFault.exe | 14 |

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 31578_Invoice_receipt.exe

| pid | process |
| --- | --- |
| 696 | 31578_Invoice_receipt.exe |

Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: 31578_Invoice_receipt.exe, powershell.exe, powershell.exe, powershell.exe, 31578_Invoice_receipt.exe, WerFault.exe

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2428 | 31578_Invoice_receipt.exe |
| Token: SeDebugPrivilege | 3376 | powershell.exe |
| Token: SeDebugPrivilege | 1108 | powershell.exe |
| Token: SeDebugPrivilege | 1768 | powershell.exe |
| Token: SeDebugPrivilege | 696 | 31578_Invoice_receipt.exe |
| Token: SeRestorePrivilege | 3020 | WerFault.exe |
| Token: SeBackupPrivilege | 3020 | WerFault.exe |
| Token: SeDebugPrivilege | 3020 | WerFault.exe |

Suspicious use of WriteProcessMemory 17 IoCs
Processes: 31578_Invoice_receipt.exe

| description | pid | process | target process | occurrences |
| --- | --- | --- | --- | --- |
| PID 2428 wrote to memory of 1108 | 2428 | 31578_Invoice_receipt.exe | powershell.exe | 3 |
| PID 2428 wrote to memory of 1768 | 2428 | 31578_Invoice_receipt.exe | powershell.exe | 3 |
| PID 2428 wrote to memory of 3376 | 2428 | 31578_Invoice_receipt.exe | powershell.exe | 3 |
| PID 2428 wrote to memory of 696 | 2428 | 31578_Invoice_receipt.exe | 31578_Invoice_receipt.exe | 8 |
Processes
- C:\Users\Admin\AppData\Local\Temp\31578_Invoice_receipt.exe (PID 2428, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31578_Invoice_receipt.exe"
  - Windows security modification
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\鑮鑙鑠鐪鑙鐧鑂鐰鑘鑙鐯鑜鐪鑋鑘\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\31578_Invoice_receipt.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\鑮鑙鑠鐪鑙鐧鑂鐰鑘鑙鐯鑜鐪鑋鑘\svchost.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\31578_Invoice_receipt.exe (PID 696)
    Command line: "C:\Users\Admin\AppData\Local\Temp\31578_Invoice_receipt.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 3020)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 2184
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 7247129cd0644457905b7d6bf17fd078
  SHA1: dbf9139b5a1b72141f170d2eae911bbbe7e128c8
  SHA256: dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4
  SHA512: 9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5: 0b5d94d20be9eecbaed3dddd04143f07
  SHA1: c677d0355f4cc7301075a554adc889bce502e15a
  SHA256: 3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
  SHA512: 395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: ac84204052f6aed8ae3bcad812dc1a64
  SHA1: 92e4613a3518b6bca074df448943fca15fd63ff6
  SHA256: a3537c5eb92e1fd2faa9c9aa67bcbc7552c101282d2aff5dbd56c3fb3c77b7bf
  SHA512: fa8765bc3603a02e0c7ce4cb36d9091fc60765984f803438c616e806b03de887917a46bacc7aa6d6a7c3bef4d71bef71ff9eaf7f82730d7cc149092b40ef321b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: aa340181b1cde83d65b514b18515edbe
  SHA1: a632760271df91d983b6ba88dfcbc93d1c15737f
  SHA256: 8de8fa184e28096c2a11e41042ba720d7295b618d3e5b6ecb71a200083a81633
  SHA512: 205085f3406605b64dba3735f701079a857c0d2a8add92f7fc94bb75a2dc994634b9acbbf1092acbb0f3cfe8a455fba8d789bf34cf6d3590223c89c3717136b8