Analysis
- max time kernel: 120s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 19-10-2021 13:36

Static task: static1
Behavioral task: behavioral1
Sample: Invoice and waybill.exe
Resource: win7-en-20211014
General
- Target: Invoice and waybill.exe
- Size: 522KB
- MD5: 9cae0efc5e46764e812450c11f385dfd
- SHA1: a3d56b062283d8acc79cc7310b4dcfca60a7b66f
- SHA256: e9431fe2082e51e40fe79444314c55e511a90ef1d8abdf9304e653cf24d22d78
- SHA512: eb4152cf8e038ec0b21dd4e200a78f6697eeadabef7c6b3449375c922b70fb470d80735d4507e16ada92947dfb5c4bedd140b388402f28371f3742c1dd7b039e
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: kamuchehddhgfgf.ddns.net:1187, 37.0.10.22:1187
- Mutex: 9ff0e8a4-a323-4111-bc49-0daecb63120d

Configuration:
- activate_away_mode: true
- backup_connection_host: 37.0.10.22
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-17T00:05:39.048278936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1187
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 9ff0e8a4-a323-4111-bc49-0daecb63120d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: kamuchehddhgfgf.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Invoice and waybill.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsvc.exe"
    process: Invoice and waybill.exe
- Checks whether UAC is enabled (1 IoCs)
  Processes: Invoice and waybill.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: Invoice and waybill.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Invoice and waybill.exe
    description: PID 1336 set thread context of 268
    pid: 1336
    process: Invoice and waybill.exe
    target process: Invoice and waybill.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: Invoice and waybill.exe
    description: File created
    ioc: C:\Program Files (x86)\SMTP Service\smtpsvc.exe
    process: Invoice and waybill.exe

    description: File opened for modification
    ioc: C:\Program Files (x86)\SMTP Service\smtpsvc.exe
    process: Invoice and waybill.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: Invoice and waybill.exe (PID 1336), Invoice and waybill.exe (PID 268)
    pid 1336, process Invoice and waybill.exe (1 event)
    pid 268, process Invoice and waybill.exe (4 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Invoice and waybill.exe
    pid 268, process Invoice and waybill.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Invoice and waybill.exe (PID 1336), Invoice and waybill.exe (PID 268)
    description: Token: SeDebugPrivilege, pid 1336, process Invoice and waybill.exe
    description: Token: SeDebugPrivilege, pid 268, process Invoice and waybill.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: Invoice and waybill.exe
    description: PID 1336 wrote to memory of 1048, pid 1336, process Invoice and waybill.exe, target process Invoice and waybill.exe (4 events)
    description: PID 1336 wrote to memory of 268, pid 1336, process Invoice and waybill.exe, target process Invoice and waybill.exe (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"
  PID: 1336
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"
    PID: 1048
  - C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"
    PID: 268
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken