Analysis

Max time kernel: 118s
Max time network: 151s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 19-10-2021 18:47

Static task: static1
Behavioral task: behavioral1
Sample: Invoice and waybill.exe
Resource: win7-en-20210920
General

Target: Invoice and waybill.exe
Size: 522KB
MD5: 9cae0efc5e46764e812450c11f385dfd
SHA1: a3d56b062283d8acc79cc7310b4dcfca60a7b66f
SHA256: e9431fe2082e51e40fe79444314c55e511a90ef1d8abdf9304e653cf24d22d78
SHA512: eb4152cf8e038ec0b21dd4e200a78f6697eeadabef7c6b3449375c922b70fb470d80735d4507e16ada92947dfb5c4bedd140b388402f28371f3742c1dd7b039e
Malware Config

Extracted family: nanocore
Version: 1.2.2.0
C2: kamuchehddhgfgf.ddns.net:1187
C2: 37.0.10.22:1187
Mutex: 9ff0e8a4-a323-4111-bc49-0daecb63120d

activate_away_mode: true
backup_connection_host: 37.0.10.22
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-07-17T00:05:39.048278936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1187
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: 9ff0e8a4-a323-4111-bc49-0daecb63120d
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: kamuchehddhgfgf.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

suricata: ET MALWARE Possible NanoCore C2 60B
Adds Run key to start application (2 TTPs, 1 IoC)
Process: Invoice and waybill.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"

Checks whether UAC is enabled
Process: Invoice and waybill.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
Process: Invoice and waybill.exe
  PID 2324 (Invoice and waybill.exe) set thread context of PID 1736 (Invoice and waybill.exe)

Drops file in Program Files directory (2 IoCs)
Process: Invoice and waybill.exe
  File created: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
  File opened for modification: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Process: Invoice and waybill.exe
  PID 1736 (Invoice and waybill.exe), 6 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: Invoice and waybill.exe
  PID 1736 (Invoice and waybill.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: Invoice and waybill.exe
  Token: SeDebugPrivilege, PID 1736 (Invoice and waybill.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
Process: Invoice and waybill.exe
  PID 2324 (Invoice and waybill.exe) wrote to memory of PID 1736 (Invoice and waybill.exe), 8 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"
   (PID 2324 in the signature tables above)
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"
      (PID 1736, the child written to by PID 2324)
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
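The signatures and process tree above give a small, concrete set of host and network indicators: the Run key pointing at the dropped `smtpmgr.exe`, the file drop under `Program Files (x86)\SMTP Manager`, the parent re-launching its own image from `%TEMP%` and writing into the child, and the DNS/TCP activity to the two C2 hosts on port 1187. The script below is an added example, not part of this sandbox report and not the sandbox vendor's own tooling: it maps those indicators onto Sysmon-style events. The field names (`EventID`, `Image`, `ParentImage`, `TargetObject`, `Details`, `TargetFilename`, `DestinationIp`, `DestinationPort`, `QueryName`) are assumed to follow Sysmon's schema for event IDs 1, 3, 11, 13 and 22, and the events in `SAMPLE_EVENTS` are constructed for illustration rather than taken from the run. The mutex GUID is left out because Sysmon does not log mutex creation; it needs a live-host check.

```python
"""Hunt for the NanoCore sample's indicators in Sysmon-style events.

Added example (not from the sandbox report).  Indicator values come from the
report; SAMPLE_EVENTS is constructed for illustration.  Field names follow
Sysmon's schema (assumption).
"""
import re

# Indicators taken from the report.
C2_HOSTS = {"kamuchehddhgfgf.ddns.net", "37.0.10.22"}   # primary / backup C2
C2_PORT = 1187                                          # connection_port
DROP_PATH = r"c:\program files (x86)\smtp manager\smtpmgr.exe"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"
# Mutex 9ff0e8a4-a323-4111-bc49-0daecb63120d: live-host check only, Sysmon
# does not record mutex creation, so it is not matched here.


def classify(event):
    """Return the names of the report's indicators matched by one event.

    EventID 1 ProcessCreate, 3 NetworkConnect, 11 FileCreate,
    13 RegistryEvent (value set), 22 DNSEvent (Sysmon numbering).
    """
    hits = []
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "")
        details = event.get("Details", "").strip('"').lower()
        if RUN_KEY_RE.search(target) and details == DROP_PATH:
            hits.append("run_key_smtp_manager")
    elif eid == 11:
        if event.get("TargetFilename", "").lower() == DROP_PATH:
            hits.append("drop_smtpmgr")
    elif eid == 3:
        dst = event.get("DestinationIp", "")
        host = event.get("DestinationHostname", "").lower()
        if event.get("DestinationPort") == C2_PORT and (dst in C2_HOSTS or host in C2_HOSTS):
            hits.append("c2_connect_1187")
    elif eid == 22:
        if event.get("QueryName", "").lower() in C2_HOSTS:
            hits.append("c2_dns_query")
    elif eid == 1:
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        # A parent re-launching its own image from %TEMP% is the shape of the
        # SetThreadContext / WriteProcessMemory pair in the report (2324 -> 1736).
        if image and image == parent and TEMP_DIR in image:
            hits.append("self_spawn_from_temp")
    return hits


def hunt(events):
    """Return {indicator_name: [event indexes]} for a batch of events."""
    found = {}
    for idx, ev in enumerate(events):
        for name in classify(ev):
            found.setdefault(name, []).append(idx)
    return found


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"
SAMPLE_EVENTS = [  # constructed events, not sandbox output
    {"EventID": 1, "ProcessId": 1736, "ParentProcessId": 2324,
     "Image": SAMPLE_PATH, "ParentImage": SAMPLE_PATH},
    {"EventID": 11, "ProcessId": 1736,
     "TargetFilename": r"C:\Program Files (x86)\SMTP Manager\smtpmgr.exe"},
    {"EventID": 13, "ProcessId": 1736, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager",
     "Details": r"C:\Program Files (x86)\SMTP Manager\smtpmgr.exe"},
    {"EventID": 22, "ProcessId": 1736, "QueryName": "kamuchehddhgfgf.ddns.net"},
    {"EventID": 3, "ProcessId": 1736, "DestinationIp": "37.0.10.22",
     "DestinationPort": 1187},
    {"EventID": 3, "ProcessId": 1736, "DestinationIp": "8.8.8.8",
     "DestinationPort": 53},                                    # benign DNS
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                # benign
]

if __name__ == "__main__":
    for name, idxs in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{name}: events {idxs}")
```

Each check is deliberately narrow (exact dropped path, exact C2 hosts and port) so it can be used as-is against exported Sysmon JSON; the `self_spawn_from_temp` rule is the only generic one, and it will also fire on legitimate self-updating installers run from `%TEMP%`, so treat it as a lead to pivot from rather than a verdict on its own.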
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Invoice and waybill.exe.log
  MD5: ef140ef600b2463c9e7dbf064a104046
  SHA1: c08fd1853877be95575ea2e860dd8cafef31f54c
  SHA256: ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
  SHA512: bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

memory/1736-118-0x000000000041E792-mapping.dmp
memory/1736-117-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
memory/1736-120-0x0000000002E80000-0x0000000002E81000-memory.dmp (4KB)
memory/2324-115-0x00000000009F0000-0x0000000000A9E000-memory.dmp (696KB)
memory/2324-116-0x00000000009F0000-0x0000000000A9E000-memory.dmp (696KB)