Analysis
  Max time kernel: 181s
  Max time network: 192s
  Platform: windows10-2004_x64
  Resource: win10v2004-20220414-en
  Submitted: 20-05-2022 23:45
  Static task: static1
  Behavioral task: behavioral1
    Sample: PURCHASE ORDER.exe
    Resource: win7-20220414-en
General
  Target: PURCHASE ORDER.exe
  Size: 506KB
  MD5: 37ca2dcb84070656527a45c9b3ff8589
  SHA1: 142947a1c23026c9dd723979bf8fd16d4f0e5f8b
  SHA256: f0bdd59b67a442209f68d9adf125fbadd7e99324ca917822d5f5f29e976b5b26
  SHA512: cf5e369bc7944bd56007816f1eadb0c2452f63d3212fb73ba806c54dd24cda259cdd1415036642fd8fd8c248e13054d9e07fbb5bdfd51f712a7e72a7294e14ab
Malware Config
  Extracted family: nanocore
  Version: 1.2.2.0
  C2: apaduckdns.duckdns.org:54984
  Mutex: c854b3d3-3dd5-404d-a1d0-365efd3c6134

  activate_away_mode: true
  backup_connection_host: apaduckdns.duckdns.org
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2020-03-14T03:04:44.373669836Z
  bypass_user_account_control: true
  bypass_user_account_control_data: (no value recorded)
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 54984
  default_group: ZipoHouse
  enable_debug_mode: true
  gc_threshold: 10485760 (10 MiB; shown by the extractor as 1.048576e+07)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 10485760 (10 MiB; shown by the extractor as 1.048576e+07)
  mutex: c854b3d3-3dd5-404d-a1d0-365efd3c6134
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: apaduckdns.duckdns.org
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000

  Notes on the extracted config:
  - Primary and backup C2 are the same dynamic-DNS name (apaduckdns.duckdns.org) on TCP port 54984. The 8.8.8.8 / 8.8.4.4 resolvers only apply when use_custom_dns_server is true, and here it is false, so DNS goes through the host's normal resolver and the query is visible in local DNS logs.
  - The mutex is the same GUID shown in the header; it is a usable host-level marker for a running instance of this build.
  - bypass_user_account_control, request_elevation and set_critical_process are all true: the payload will try to run elevated and to mark its own process as critical. If that call succeeded (it needs SeDebugPrivilege, which RegSvcs.exe adjusts for itself under Signatures), simply killing the process can bugcheck the host; remove persistence and take a memory image before terminating it.
  - keyboard_logging and run_on_startup are false in the config, yet the behavioral run still records a Run key and a scheduled task (see Signatures), so do not rely on this flag when deciding whether the host has persistence.
Signatures
  Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry; likely a geofence check.
    Key value queried by PURCHASE ORDER.exe:
      \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation

  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str) by RegSvcs.exe:
      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe"
    The key sits under WOW6432Node because the writer is a 32-bit process (RegSvcs.exe from the 32-bit Framework directory), so a triage script that only reads the native HKLM Run key will miss it.

  Suspicious use of SetThreadContext (1 IoC)
    PID 3724 (PURCHASE ORDER.exe) set the thread context of PID 4436 (RegSvcs.exe).
    Together with the WriteProcessMemory events below this is consistent with process hollowing: the loader starts RegSvcs.exe, writes the NanoCore payload into it and redirects its thread to the injected code. Every later IoC attributed to RegSvcs.exe is therefore NanoCore, not the .NET utility.

  Drops file in Program Files directory (2 IoCs)
    File created by RegSvcs.exe: C:\Program Files (x86)\SCSI Subsystem\scsiss.exe
    File opened for modification by RegSvcs.exe: C:\Program Files (x86)\SCSI Subsystem\scsiss.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report (no mass file modification, no ransom note) supports that, and for a NanoCore RAT drive enumeration is consistent with its file-browsing functionality.

  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\LvkhcBfBS" is created from an XML definition dropped in %TEMP% (see Processes); that XML file is listed under Downloads.

  Suspicious behavior: EnumeratesProcesses (4 IoCs)
    PID 3724 PURCHASE ORDER.exe (1 event); PID 4436 RegSvcs.exe (3 events)

  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID 4436 RegSvcs.exe

  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege enabled by PID 3724 PURCHASE ORDER.exe
    Token: SeDebugPrivilege enabled by PID 4436 RegSvcs.exe

  Suspicious use of WriteProcessMemory (11 IoCs)
    PID 3724 PURCHASE ORDER.exe wrote to memory of PID 856 schtasks.exe (3 events)
    PID 3724 PURCHASE ORDER.exe wrote to memory of PID 4436 RegSvcs.exe (8 events)
    schtasks.exe is an ordinary child and receives only the writes that accompany process start-up; the additional writes into RegSvcs.exe are the payload being injected before SetThreadContext.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
     - Checks computer location settings
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvkhcBfBS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD6.tmp"
        - Creates scheduled task(s)
        The command line names System32 but the image that ran is in SysWOW64: the parent is 32-bit, so WoW64 file-system redirection applied.

     2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        Command line: "{path}"
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        The literal string {path} is the command line as recorded; a legitimate RegSvcs.exe run names an assembly to register. A .NET utility launched from a user-writable directory with no real argument is the hollowing target described under Signatures, and "{path}" itself is a useful hunting string.
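The process tree above is the whole loader chain in five events: a binary in %TEMP% registers a scheduled task from an XML in %TEMP%, starts a 32-bit .NET utility with no real argument, and that utility then writes a Run key, drops into Program Files and resolves a dynamic-DNS C2. The following is an added detection example, not part of the sandbox report or of the sample: it runs four rules over constructed Sysmon-like events modelled on the PIDs, paths and values on this page (the field names, the DYN_DNS suffix list and the benign control event are assumptions, not an actual Sysmon export).

```python
"""Detect the loader -> schtasks / hollowed-RegSvcs.exe chain seen in this report.

Added example; events are constructed to mirror the report, field names are assumed.
"""
import re

# Constructed events modelled on the report's process tree and IoCs.
EVENTS = [
    {"type": "ProcessCreate", "pid": 3724, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"'},
    {"type": "ProcessCreate", "pid": 856, "ppid": 3724,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvkhcBfBS" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD6.tmp"'},
    {"type": "ProcessCreate", "pid": 4436, "ppid": 3724,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "cmdline": '"{path}"'},
    {"type": "RegistrySet", "pid": 4436,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem",
     "value": r"C:\Program Files (x86)\SCSI Subsystem\scsiss.exe"},
    {"type": "FileCreate", "pid": 4436,
     "path": r"C:\Program Files (x86)\SCSI Subsystem\scsiss.exe"},
    {"type": "DnsQuery", "pid": 4436, "query": "apaduckdns.duckdns.org"},
    # Benign control (assumed): a developer registering a real assembly; must not fire.
    {"type": "ProcessCreate", "pid": 5000, "ppid": 4999,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe",
     "cmdline": r"RegSvcs.exe C:\build\MyService.dll"},
]

USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)
# .NET framework utilities commonly used as hollowing targets by crypter loaders.
DOTNET_UTIL = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(RegSvcs|RegAsm|InstallUtil)\.exe$", re.I)
SCHTASKS_XML_IN_TEMP = re.compile(r'/xml\s+"?c:\\users\\[^"]*\\appdata\\', re.I)
DYN_DNS = (".duckdns.org", ".no-ip.org", ".ddns.net")  # assumed short list; extend locally


def _proc_table(events):
    """pid -> its ProcessCreate event, so later events can be attributed to an image."""
    return {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}


def detect(events):
    """Return a sorted list of (rule_name, pid) hits over a list of events."""
    procs = _proc_table(events)
    hits = set()
    for e in events:
        pid = e["pid"]
        image = procs[pid]["image"] if pid in procs else ""
        is_dotnet_util = bool(DOTNET_UTIL.search(image))
        if e["type"] == "ProcessCreate":
            parent = procs.get(e["ppid"])
            parent_in_temp = parent is not None and bool(USER_WRITABLE.match(parent["image"]))
            if (image.lower().endswith("\\schtasks.exe") and "/create" in e["cmdline"].lower()
                    and SCHTASKS_XML_IN_TEMP.search(e["cmdline"]) and parent_in_temp):
                hits.add(("schtasks_xml_from_temp", pid))
            if is_dotnet_util and parent_in_temp:
                # A genuine run names an assembly; a hollowed one carries no argument
                # or the literal "{path}" the loader failed to substitute.
                args = e["cmdline"].replace(image, "").strip(' "')
                if args in ("", "{path}"):
                    hits.add(("dotnet_util_hollow_target", pid))
        elif e["type"] == "RegistrySet":
            if is_dotnet_util and "\\currentversion\\run\\" in e["key"].lower():
                hits.add(("run_key_from_dotnet_util", pid))
        elif e["type"] == "FileCreate":
            if is_dotnet_util and e["path"].lower().startswith("c:\\program files"):
                hits.add(("program_files_drop_from_dotnet_util", pid))
        elif e["type"] == "DnsQuery":
            if is_dotnet_util and e["query"].lower().endswith(DYN_DNS):
                hits.add(("dyndns_query_from_dotnet_util", pid))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid={pid}")
```

Each rule keys on the parent or the acting image rather than on the sample's hashes, so the same logic fires on the next build of this loader with a different Run key name, task name and C2. The per-event attribution via the ProcessCreate table is what makes the registry, file and DNS rules usable: on their own those events are noisy, but coming from a RegSvcs.exe whose parent lives in %TEMP% they are not.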
Downloads
  C:\Users\Admin\AppData\Local\Temp\tmpD6.tmp
    Filesize: 1KB
    MD5: 37817fcd9f8639645a05968004652c5d
    SHA1: e8d5937f476f6a4184f049bcfe3efd4073d70ee7
    SHA256: a252ac898d7b5bd5ed82bff50830a7653a1c3964f5b90327a2faa634be00c6ce
    SHA512: d60f8147f339fc3b8f40a7ec94fa90ceb666cf75880ff4051536e76de393cae4a5d71880c6656a249d5ca4967814f8b4fef84604e35aba0be8b710c1bf5eeaf7
    This is the scheduled-task XML definition passed to schtasks.exe /XML (see Processes); it records the task's trigger and the path it launches.

  memory/856-131-0x0000000000000000-mapping.dmp
  memory/3724-130-0x0000000075540000-0x0000000075AF1000-memory.dmp
    Filesize: 5.7MB
  memory/4436-133-0x0000000000000000-mapping.dmp
  memory/4436-134-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize: 224KB
    A 224KB image at the default 0x400000 base inside the hollowed RegSvcs.exe; this is the region to carve for the unpacked NanoCore payload, and it is the one the config above was extracted from rather than the 506KB dropper.
  memory/4436-135-0x0000000075540000-0x0000000075AF1000-memory.dmp
    Filesize: 5.7MB