Analysis
max time kernel: 153s
max time network: 192s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 01:22
Static task: static1
Behavioral task: behavioral1
Sample: New Order PDF.exe
Resource: win7-20220414-en
General
-
Target
New Order PDF.exe
-
Size
824KB
-
MD5
2010151b23cf4e4fb41b586293a05f67
-
SHA1
5ded93668295d7c1ca31c6616410cc44a749dc81
-
SHA256
6ac9298fc6f29358afc13c6a0a28286352165f2d67c25a8622e464c171810f7c
-
SHA512
1aa8279daf5ab104707c286dcc6172b52af8a83df34a4533d786e78cb54372bec3b956240b2f024898f719b1d8ea813deedb817fc824051168ada9d62863f0a7
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: bbenson.ddns.net:3080
Mutex: eda53875-a284-4c1e-9e92-bae099ad007c
-
activate_away_mode
true
-
backup_connection_host
bbenson.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-05-10T13:56:14.708459336Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
(value omitted)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3080
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760 (10 MiB)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760 (10 MiB)
-
mutex
eda53875-a284-4c1e-9e92-bae099ad007c
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
bbenson.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"
process: New Order PDF.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: New Order PDF.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: set thread context
pid: 1364 (New Order PDF.exe)
target pid: 520 (New Order PDF.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
description: File created
ioc: C:\Program Files (x86)\ARP Service\arpsvc.exe
process: New Order PDF.exe
description: File opened for modification
ioc: C:\Program Files (x86)\ARP Service\arpsvc.exe
process: New Order PDF.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; nothing else in this report (no mass file writes, no encryption) supports that reading for a NanoCore sample, so treat the drive enumeration as a low-confidence indicator on its own.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid 952: schtasks.exe
pid 1092: schtasks.exe
pid 1504: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid 1364: New Order PDF.exe
pid 520: New Order PDF.exe
pid 520: New Order PDF.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 520: New Order PDF.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 1364, New Order PDF.exe
Token: SeDebugPrivilege, pid 520, New Order PDF.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
PID 1364 (New Order PDF.exe) wrote to memory of 952 (schtasks.exe): 4 events
PID 1364 (New Order PDF.exe) wrote to memory of 520 (New Order PDF.exe): 9 events
PID 520 (New Order PDF.exe) wrote to memory of 1092 (schtasks.exe): 4 events
PID 520 (New Order PDF.exe) wrote to memory of 1504 (schtasks.exe): 4 events
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (level 2)
command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jRolbSAyfuRH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp651A.tmp"
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe (level 2)
command line: "C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (level 3)
command line: "schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9ACA.tmp"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (level 3)
command line: "schtasks.exe" /create /f /tn "ARP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C51.tmp"
- Creates scheduled task(s)
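The process tree above is the usual two-stage loader pattern: the first instance (pid 1364) registers a task from a scratch XML in %TEMP%, spawns a second copy of its own image (pid 520) and sets its thread context (the SetThreadContext signature, i.e. process hollowing); the hollowed copy then writes the "ARP Service" Run key and registers two more tasks, again from %TEMP%\tmpXXXX.tmp files. Two points worth keeping in mind when hunting for this: the 32-bit sample runs under WOW64, so a command line naming C:\Windows\System32\schtasks.exe resolves to the SysWOW64 binary shown as the process image, and the extracted NanoCore config has run_on_startup set to false, so the persistence observed here is not driven by that setting. The following is an added example for this page, not code from the sandbox or the report: three heuristics for that chain run over event records constructed from the tree and signatures above in a generic EDR/Sysmon-like shape (field names and the two benign control events are assumptions).

```python
"""Detection heuristics for the loader chain shown in this report.

Added example for this page, not code from the sandbox or the report. The
events below are constructed from the process tree and signatures above in a
generic EDR/Sysmon-like shape; the field names are assumptions.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Scratch task definition the loader writes before calling schtasks /XML.
TEMP_TMPFILE = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)

# Constructed events (not sandbox output): the chain from the report plus two
# benign controls that must not fire.
EVENTS = [
    {"type": "process_create", "pid": 1364, "ppid": 1100, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "process_create", "pid": 952, "ppid": 1364, "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jRolbSAyfuRH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp651A.tmp"'},
    {"type": "process_create", "pid": 520, "ppid": 1364, "image": SAMPLE,
     "cmdline": '"' + SAMPLE + '"'},
    {"type": "set_thread_context", "pid": 1364, "target_pid": 520},
    {"type": "registry_set", "pid": 520,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service",
     "data": r"C:\Program Files (x86)\ARP Service\arpsvc.exe"},
    {"type": "process_create", "pid": 1092, "ppid": 520, "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9ACA.tmp"'},
    {"type": "process_create", "pid": 1504, "ppid": 520, "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "ARP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C51.tmp"'},
    # Control 1 (hypothetical): a vendor installer registering a task from its own XML.
    {"type": "process_create", "pid": 2000, "ppid": 1100, "image": SCHTASKS,
     "cmdline": r'schtasks.exe /create /tn "Vendor Update" /xml "C:\Program Files\Vendor\update.xml"'},
    # Control 2 (hypothetical): a Run key written by a process outside the user's temp dir.
    {"type": "process_create", "pid": 2100, "ppid": 1100,
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "cmdline": ""},
    {"type": "registry_set", "pid": 2100,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def switch_arg(switch, cmdline):
    """Value after a schtasks switch (/tn, /xml), quoted or bare; None if absent."""
    m = re.search(r"/" + switch + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def process_images(events):
    """pid -> (ppid, image) from process-creation events."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "process_create"}


def temp_xml_tasks(events):
    """schtasks /create fed a %TEMP%\\tmpXXXX.tmp definition: (pid, task name, xml path)."""
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        if "/create" not in e["cmdline"].lower():
            continue
        xml = switch_arg("xml", e["cmdline"])
        if xml and TEMP_TMPFILE.search(xml):
            hits.append((e["pid"], switch_arg("tn", e["cmdline"]) or "", xml))
    return hits


def run_key_from_temp(events):
    """Run-key persistence written by a process executing out of the user's temp dir."""
    procs = process_images(events)
    hits = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = RUN_KEY.search(e["key"])
        writer = procs.get(e["pid"], (0, ""))[1]
        if m and USER_TEMP.search(writer):
            hits.append((e["pid"], m.group(1), e["data"]))
    return hits


def self_hollowing(events):
    """Parent spawns its own image, then sets a thread context in the child: (parent, child)."""
    procs = process_images(events)
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, tgt = e["pid"], e["target_pid"]
        if src in procs and tgt in procs:
            ppid, child_image = procs[tgt]
            if ppid == src and child_image.lower() == procs[src][1].lower():
                hits.append((src, tgt))
    return hits


def analyze(events):
    """Run every heuristic and return its hits keyed by name."""
    return {"temp_xml_tasks": temp_xml_tasks(events),
            "run_key_from_temp": run_key_from_temp(events),
            "self_hollowing": self_hollowing(events)}


if __name__ == "__main__":
    for name, hits in analyze(EVENTS).items():
        print(name, hits)
```

Each heuristic is deliberately narrow: the task check keys on the %TEMP%\tmpXXXX.tmp definition file rather than on schtasks.exe itself, the Run-key check keys on the writer's image living under the user's temp directory rather than on the key alone, and the hollowing check requires both a same-image parent/child pair and the thread-context write, which is why neither control event fires.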
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp651A.tmp
Filesize 1KB
MD5 61e5d4548961954ccf0ad44b80b53f1c
SHA1 62a33e1cda8e250f958fd33313404719f1aa8e4a
SHA256 c24fd004118a4caa3f9ebd8d19da54412deac21052570e6e57ec826ec863933f
SHA512 ede47646e66bc2a3c9adf6e87166037b1dade868401541606cff2d24b45a9133afc59fbf2170c49c94323ab9a6eddd2a7d4f85bfdb562ee2d18fee84e703ccea
-
C:\Users\Admin\AppData\Local\Temp\tmp9ACA.tmp
Filesize 1KB
MD5 87014e2cb57aaeadfd636576411d8c4a
SHA1 6a2889017090dbf4a68fcacd635cec532e2a604c
SHA256 eb66cdfb963f5a579b58d652cfb6163a9b4f3683a7206af45f110579fca85e56
SHA512 6d5a4a2f100965c597be01c9a1a8f7c92a85481cbb3f6a5374a2f1dd7ab7cd3753fd1d12247c88498dfb6d432d59d8757b696102b13a6bb06e55eae48ddfbe08
-
C:\Users\Admin\AppData\Local\Temp\tmp9C51.tmp
Filesize 1KB
MD5 1badb6e2b29a1c4bfff3c179d53ab96b
SHA1 4b2ad3e5f3826d252d1c8bf1c8f0702f39129fa1
SHA256 6259ac4e6859a1b528d77ccea12b378f7dfa1eff359d9b8899414b4b1c484699
SHA512 36338e2a74fd85c5f2c84be009981a7260692c1bcb121a42018209031082da69bf65640702d53e28b54871f9d44e65fdbebaf4771c530699c3e93981b58129b4
-
memory/520-78-0x00000000005A0000-0x00000000005AA000-memory.dmp (40KB)
-
memory/520-72-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
-
memory/520-79-0x00000000005D0000-0x00000000005EE000-memory.dmp (120KB)
-
memory/520-80-0x00000000005B0000-0x00000000005BA000-memory.dmp (40KB)
-
memory/520-61-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
-
memory/520-62-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
-
memory/520-64-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
-
memory/520-65-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
-
memory/520-67-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
-
memory/520-68-0x000000000041E792-mapping.dmp
-
memory/520-70-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
-
memory/952-59-0x0000000000000000-mapping.dmp
-
memory/1092-74-0x0000000000000000-mapping.dmp
-
memory/1364-54-0x0000000000320000-0x00000000003F4000-memory.dmp (848KB)
-
memory/1364-58-0x0000000001E80000-0x0000000001EBA000-memory.dmp (232KB)
-
memory/1364-57-0x0000000004E80000-0x0000000004ED4000-memory.dmp (336KB)
-
memory/1364-56-0x0000000000660000-0x000000000066A000-memory.dmp (40KB)
-
memory/1364-55-0x0000000075951000-0x0000000075953000-memory.dmp (8KB)
-
memory/1504-76-0x0000000000000000-mapping.dmp