Analysis
- max time kernel: 168s
- max time network: 175s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: Incentive Doc.exe
- Resource: win7-20220414-en
General
- Target: Incentive Doc.exe
- Size: 391KB
- MD5: 6b48de13978e73af6eafabeeefebab51
- SHA1: e7118497e55b204f7b1d4b5500a5ae332507d109
- SHA256: 2a9cf930b5e11dee35842ff73179a0467f820a95e23560d774f7ea05111de351
- SHA512: 40a76b85aa60446c1cf4beb31960bdf9269ef895500773f639afacf6a7ed909a564f9ea585d6e47fcab4ba64eac4894056913039ef2970260e2d4b67d9fe4f49
Malware Config
Extracted
- nanocore
- 1.2.2.0
- masterwork.ydns.eu:2310
- 127.0.0.1:2310
- 7dacfffd-e900-45d5-a878-74cb2c59d5c1

Attributes
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-05-24T15:02:46.236911836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2310
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: true
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 7dacfffd-e900-45d5-a878-74cb2c59d5c1
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: masterwork.ydns.eu
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
Processes:
  description       | ioc                                                                                   | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Incentive Doc.exe
- Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                        | pid | process           | target process
  PID 336 set thread context of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid  | process
  336  | Incentive Doc.exe
  336  | Incentive Doc.exe
  336  | Incentive Doc.exe
  1956 | Incentive Doc.exe
  1956 | Incentive Doc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | process
  1956 | Incentive Doc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 336  | Incentive Doc.exe
  Token: SeDebugPrivilege | 1956 | Incentive Doc.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description                     | pid | process           | target process
  PID 336 wrote to memory of 1308 | 336 | Incentive Doc.exe | schtasks.exe
  PID 336 wrote to memory of 1308 | 336 | Incentive Doc.exe | schtasks.exe
  PID 336 wrote to memory of 1308 | 336 | Incentive Doc.exe | schtasks.exe
  PID 336 wrote to memory of 1308 | 336 | Incentive Doc.exe | schtasks.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
  PID 336 wrote to memory of 1956 | 336 | Incentive Doc.exe | Incentive Doc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Incentive Doc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Incentive Doc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QQTkQqFCJswyiG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp207D.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Incentive Doc.exe
    Command line: "{path}"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp207D.tmp
  Filesize: 1KB
  MD5: 8094481d003d6ade61756549a9f84f87
  SHA1: b7366c82e0419edf363e044e9a4ecaa19d88e86e
  SHA256: f3c294f46f914ba865db12435013f66907ab03a968755b5daa382ab74674899b
  SHA512: b1f84af3c47200bd95e20bd1f9b03ba14a4abe06d49ceb04be404ad7863d5fa53ca43d2df568a0a96085358de612984f84a0d23ae089d5529cde1c486e70ede7