Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:53

Static task: static1
Behavioral task: behavioral1
- Sample: invoice.exe
- Resource: win7-20220414-en
General
- Target: invoice.exe
- Size: 395KB
- MD5: b9953aa6dc9d54b7c8151ce38ffe655d
- SHA1: f007b4441b18466e270afb7d9f3df74b2d0b241a
- SHA256: f3226374fbeefb1fcd90ab7d17d4570994dd63f8efb4bf59048eced4a042f0ba
- SHA512: 5533ad22a0c8c851372414fb93aa53508952844feb510d81fa0270252af90c32e68f6ecadd0659143c6b39919105af8bfcacd8a6db18c396d57c23b1656a6785
Malware Config
Extracted
nanocore 1.2.2.0
79.134.225.89:12190
4e4951f6-c9ee-4a8b-863c-f53c12df989f

- activate_away_mode: true
- backup_connection_host: 79.134.225.89
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-17T01:50:29.200734436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 12190
- default_group: cpa
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 4e4951f6-c9ee-4a8b-863c-f53c12df989f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 79.134.225.89
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    invoice.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsvc.exe"
- Checks whether UAC is enabled
  Processes:
    invoice.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1564 (invoice.exe) set thread context of PID 1204 (invoice.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
    invoice.exe: File opened for modification C:\Program Files (x86)\DSL Service\dslsvc.exe
    invoice.exe: File created C:\Program Files (x86)\DSL Service\dslsvc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    PID 1564 invoice.exe (3 occurrences)
    PID 1204 invoice.exe (2 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 1204 invoice.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 1564 invoice.exe
    Token: SeDebugPrivilege, PID 1204 invoice.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    PID 1564 (invoice.exe) wrote to memory of PID 1268 (schtasks.exe), 4 occurrences
    PID 1564 (invoice.exe) wrote to memory of PID 1204 (invoice.exe), 9 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFctIClQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp86A.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\invoice.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp86A.tmp
  Filesize: 1KB
  MD5: cf1aeac292d0697b98f6561c4429fc05
  SHA1: 1ad54c43e96948a25be90f5af419d64f88087ff6
  SHA256: 2c33a45d653cb0ca57a6f885b8ab6106b1362f521dda0d0c03e078e1142097a0
  SHA512: 69713b70107b574da97879436a227ddf416b34eaca7f0c9514c256240700a36854d867bf7a641ccc9294dafb111f9ac057d01f6ea4d5928386f4a9e01a5f76cb
- memory/1204-61-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1204-58-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1204-59-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1204-62-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1204-65-0x000000000041E792-mapping.dmp
- memory/1204-64-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1204-67-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1204-69-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1204-71-0x0000000074990000-0x0000000074F3B000-memory.dmp (Filesize: 5.7MB)
- memory/1268-56-0x0000000000000000-mapping.dmp
- memory/1564-55-0x0000000074990000-0x0000000074F3B000-memory.dmp (Filesize: 5.7MB)
- memory/1564-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp (Filesize: 8KB)