Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: invoice copy.pdf.exe
- Resource: win7-20220414-en
General
- Target: invoice copy.pdf.exe
- Size: 935KB
- MD5: 8b2f9a3638a60c5cc706ad212528784d
- SHA1: 5289963f790c86ec11f85948197fa132d70d6f38
- SHA256: 4de6466841226eea95bef6fe6868d1c3d5808d8fafa3449e333f0b6d03253c84
- SHA512: e868d26932365d1c170148d1f02b298c1bd561cea91b965724441440f122861a76c5112855cf056ed0c4fc77da2e733f4793555453af1d3bb39146dc8cab4156
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: weddinglight.ddns.net:4040
- Mutex: 0786f2c0-e128-4479-a9aa-d40c52591ebf
Attributes
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-25T20:55:59.623925336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4040
- default_group: wedding
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0786f2c0-e128-4479-a9aa-d40c52591ebf
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: weddinglight.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks whether UAC is enabled
  Processes: invoice copy.pdf.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: invoice copy.pdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: invoice copy.pdf.exe
  description: PID 560 set thread context of 908
  pid: 560
  process: invoice copy.pdf.exe
  target process: invoice copy.pdf.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: invoice copy.pdf.exe, invoice copy.pdf.exe
  pid 560: invoice copy.pdf.exe
  pid 908: invoice copy.pdf.exe
  pid 908: invoice copy.pdf.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: invoice copy.pdf.exe
  pid 908: invoice copy.pdf.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: invoice copy.pdf.exe
  pid 560: invoice copy.pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: invoice copy.pdf.exe
  description: Token: SeDebugPrivilege
  pid: 908
  process: invoice copy.pdf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: invoice copy.pdf.exe
  description: PID 560 wrote to memory of 908 | pid: 560 | process: invoice copy.pdf.exe | target process: invoice copy.pdf.exe
  description: PID 560 wrote to memory of 908 | pid: 560 | process: invoice copy.pdf.exe | target process: invoice copy.pdf.exe
  description: PID 560 wrote to memory of 908 | pid: 560 | process: invoice copy.pdf.exe | target process: invoice copy.pdf.exe
  description: PID 560 wrote to memory of 908 | pid: 560 | process: invoice copy.pdf.exe | target process: invoice copy.pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/560-54-0x0000000075271000-0x0000000075273000-memory.dmp (Filesize: 8KB)
- memory/560-56-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/908-55-0x000000000047D4C0-mapping.dmp
- memory/908-57-0x00000000006E0000-0x0000000000718000-memory.dmp (Filesize: 224KB)
- memory/908-58-0x00000000006E0000-0x0000000000718000-memory.dmp (Filesize: 224KB)
- memory/908-60-0x00000000743D0000-0x000000007497B000-memory.dmp (Filesize: 5.7MB)