Analysis
- max time kernel: 183s
- max time network: 177s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:45

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PURCHASE ORDER.exe
  - Resource: win7-20220414-en
General
- Target: PURCHASE ORDER.exe
- Size: 506KB
- MD5: 37ca2dcb84070656527a45c9b3ff8589
- SHA1: 142947a1c23026c9dd723979bf8fd16d4f0e5f8b
- SHA256: f0bdd59b67a442209f68d9adf125fbadd7e99324ca917822d5f5f29e976b5b26
- SHA512: cf5e369bc7944bd56007816f1eadb0c2452f63d3212fb73ba806c54dd24cda259cdd1415036642fd8fd8c248e13054d9e07fbb5bdfd51f712a7e72a7294e14ab
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: apaduckdns.duckdns.org:54984
- Mutex: c854b3d3-3dd5-404d-a1d0-365efd3c6134

Config fields
- activate_away_mode: true
- backup_connection_host: apaduckdns.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-14T03:04:44.373669836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54984
- default_group: ZipoHouse
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: c854b3d3-3dd5-404d-a1d0-365efd3c6134
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: apaduckdns.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\\Program Files (x86)\\WPA Subsystem\\wpass.exe" | RegSvcs.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PURCHASE ORDER.exe
  description | pid | process | target process
  PID 868 set thread context of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe

- Drops file in Program Files directory (2 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  File created | C:\Program Files (x86)\WPA Subsystem\wpass.exe | RegSvcs.exe
  File opened for modification | C:\Program Files (x86)\WPA Subsystem\wpass.exe | RegSvcs.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PURCHASE ORDER.exe, RegSvcs.exe
  pid | process
  868 | PURCHASE ORDER.exe
  1984 | RegSvcs.exe
  1984 | RegSvcs.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: RegSvcs.exe
  pid | process
  1984 | RegSvcs.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PURCHASE ORDER.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 868 | PURCHASE ORDER.exe
  Token: SeDebugPrivilege | 1984 | RegSvcs.exe

- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: PURCHASE ORDER.exe
  description | pid | process | target process
  PID 868 wrote to memory of 1720 | 868 | PURCHASE ORDER.exe | schtasks.exe
  PID 868 wrote to memory of 1720 | 868 | PURCHASE ORDER.exe | schtasks.exe
  PID 868 wrote to memory of 1720 | 868 | PURCHASE ORDER.exe | schtasks.exe
  PID 868 wrote to memory of 1720 | 868 | PURCHASE ORDER.exe | schtasks.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 868 wrote to memory of 1984 | 868 | PURCHASE ORDER.exe | RegSvcs.exe
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvkhcBfBS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FF7.tmp"
    - Creates scheduled task(s)

  - [depth 2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2FF7.tmp
  Filesize: 1KB
  MD5: b129f2a3ebbe527d98028fde735c2eaf
  SHA1: 11a1094400fd493b719bdf9904d4f446a5cd2418
  SHA256: e4e25f49590bbb09c30b5f49f61c2c581c7650c2e7d78df42d05044aff9f86ac
  SHA512: 217677a764b3eb8836d4ee86920dce8a0b8d9957d733a47b5f782c68a5491ff8d0df057f74764d4fa1fd20ea993eb047ac6986529db6330690707ac90a173fff

- memory/868-54-0x0000000075C51000-0x0000000075C53000-memory.dmp
  Filesize: 8KB

- memory/868-55-0x0000000074F10000-0x00000000754BB000-memory.dmp
  Filesize: 5.7MB

- memory/1720-56-0x0000000000000000-mapping.dmp

- memory/1984-61-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/1984-59-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/1984-58-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/1984-62-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/1984-64-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/1984-65-0x000000000041E792-mapping.dmp

- memory/1984-67-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/1984-69-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

- memory/1984-71-0x0000000074F10000-0x00000000754BB000-memory.dmp
  Filesize: 5.7MB

- memory/1984-72-0x0000000000BE6000-0x0000000000BF7000-memory.dmp
  Filesize: 68KB