Analysis
- max time kernel: 156s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:53

Static task: static1
Behavioral task: behavioral1
Sample: invoice.exe
Resource: win7-20220414-en
General
- Target: invoice.exe
- Size: 395KB
- MD5: b9953aa6dc9d54b7c8151ce38ffe655d
- SHA1: f007b4441b18466e270afb7d9f3df74b2d0b241a
- SHA256: f3226374fbeefb1fcd90ab7d17d4570994dd63f8efb4bf59048eced4a042f0ba
- SHA512: 5533ad22a0c8c851372414fb93aa53508952844feb510d81fa0270252af90c32e68f6ecadd0659143c6b39919105af8bfcacd8a6db18c396d57c23b1656a6785
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 79.134.225.89:12190
- Mutex: 4e4951f6-c9ee-4a8b-863c-f53c12df989f

- activate_away_mode: true
- backup_connection_host: 79.134.225.89
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-17T01:50:29.200734436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 12190
- default_group: cpa
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 4e4951f6-c9ee-4a8b-863c-f53c12df989f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 79.134.225.89
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: invoice.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | invoice.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: invoice.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe" | invoice.exe
- Checks whether UAC is enabled
  Processes: invoice.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | invoice.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: invoice.exe
  description | pid | process | target process
  PID 4344 set thread context of 3668 | 4344 | invoice.exe | invoice.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: invoice.exe
  description | ioc | process
  File created | C:\Program Files (x86)\WPA Service\wpasv.exe | invoice.exe
  File opened for modification | C:\Program Files (x86)\WPA Service\wpasv.exe | invoice.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: invoice.exe, invoice.exe
  pid | process
  4344 | invoice.exe
  4344 | invoice.exe
  4344 | invoice.exe
  4344 | invoice.exe
  3668 | invoice.exe
  3668 | invoice.exe
  3668 | invoice.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: invoice.exe
  pid | process
  3668 | invoice.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: invoice.exe, invoice.exe
  description | pid | process
  Token: SeDebugPrivilege | 4344 | invoice.exe
  Token: SeDebugPrivilege | 3668 | invoice.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: invoice.exe
  description | pid | process | target process
  PID 4344 wrote to memory of 224 | 4344 | invoice.exe | schtasks.exe
  PID 4344 wrote to memory of 224 | 4344 | invoice.exe | schtasks.exe
  PID 4344 wrote to memory of 224 | 4344 | invoice.exe | schtasks.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
  PID 4344 wrote to memory of 3668 | 4344 | invoice.exe | invoice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFctIClQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C58.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\invoice.exe
    Command line: "{path}"
    Signatures:
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5C58.tmp
  Filesize: 1KB
  MD5: 7bb798cb6a64d822e04020b728c811b1
  SHA1: 0799b6d8b5d758fdc5920a30d3ac5836d5a8214c
  SHA256: d1f2c26c5d13083572ee8c1c87f27caa1679c5e2b13610837e2318d3e4fe7cdb
  SHA512: 7c8ee3f027462399473a2a1c0e0aa0b6b7597b801533b63c167e555bb94782676f7438f131724ad5af1533eca261362bd46f084a92f1dd6dbb1f16d860ca23a3
- memory/224-131-0x0000000000000000-mapping.dmp
- memory/3668-133-0x0000000000000000-mapping.dmp
- memory/3668-134-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/3668-135-0x0000000074D20000-0x00000000752D1000-memory.dmp
  Filesize: 5.7MB
- memory/4344-130-0x0000000074D20000-0x00000000752D1000-memory.dmp
  Filesize: 5.7MB