Analysis
  max time kernel: 147s
  max time network: 152s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 21-05-2022 12:12
  Static task: static1
  Behavioral task: behavioral1
    Sample: reciept,pdf.exe
    Resource: win7-20220414-en
General
  Target: reciept,pdf.exe
  Size: 433KB
  MD5: 583dccf7e7b91fdb4e836e7a8ddb6f2b
  SHA1: 9afea6cd42317fc15631c4930ba70f5561de0061
  SHA256: fd319dbcfcafada38eeb43f81d7f46d3b9067e4dacf535667a12ed992691faea
  SHA512: 8aa676fbcb80025f16ff549264aa1de72a2a6d21811612853d50c75ae6610cf80ad3fb3841fc51f317f727045f4109d2f746c3af4796f581bb399dc734a15f7a
Malware Config
  Extracted: NanoCore (remote access trojan), version 1.2.2.0
  C2: megida123.ddns.net:9900 (a dynamic-DNS hostname; no backup host is configured)
  Mutex: 64aa071e-5b44-426b-ad7e-e6d42b713d32

  activate_away_mode: true
  backup_connection_host: (empty)
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2020-03-01T17:02:01.784418836Z
  bypass_user_account_control: true
  bypass_user_account_control_data: (empty)
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 9900
  default_group: 00000
  enable_debug_mode: true
  gc_threshold: 1.048576e+07 (10485760, i.e. 10 MiB)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07 (10485760, i.e. 10 MiB)
  mutex: 64aa071e-5b44-426b-ad7e-e6d42b713d32
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: megida123.ddns.net
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000

  Two points for a responder. First, run_on_startup is false in the config, yet the behavioural run below shows both a Run key and a scheduled task being created, so treat these flags as the operator's build settings, not as a complete list of persistence mechanisms. Second, set_critical_process is true: if the implant does mark its host process critical, terminating that process (here MSBuild.exe) bugchecks the machine, so check for the flag before killing it.
Signatures
  Looks for VirtualBox Guest Additions in registry (2 TTPs)
  Looks for VMWare Tools registry key (2 TTPs)
  Checks BIOS information in registry (2 TTPs, 2 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
    reciept,pdf.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    reciept,pdf.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  Adds Run key to start application (2 TTPs, 1 IoC)
    MSBuild.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsvc.exe"
    The Wow6432Node path is the 32-bit view of HKLM\SOFTWARE as seen by a 32-bit process on this x64 guest (the MSBuild.exe used lives under Framework, not Framework64); on a 32-bit host the same value lands directly under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Note that the persistence is written by the injected MSBuild.exe, not by reciept,pdf.exe itself.
  Maps connected drives based on registry (3 TTPs, 2 IoCs)
    Disk information is often read in order to detect sandboxing environments.
    reciept,pdf.exe: key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
    reciept,pdf.exe: key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Suspicious use of SetThreadContext (1 IoC)
    PID 1644 (reciept,pdf.exe) set thread context of PID 1268 (MSBuild.exe)
  Drops file in Program Files directory (2 IoCs)
    MSBuild.exe: file created C:\Program Files (x86)\DSL Service\dslsvc.exe
    MSBuild.exe: file opened for modification C:\Program Files (x86)\DSL Service\dslsvc.exe
  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; that reading does not fit here, since NanoCore is a remote access trojan and the report itself attributes the related Disk\Enum and BIOS reads by reciept,pdf.exe to sandbox detection.
  Creates scheduled task(s) (1 TTP, 1 IoC)
    Schtasks is often used by malware for persistence or to perform post-infection execution. The task here is "Updates\qrfTTNaN", created from the XML file C:\Users\Admin\AppData\Local\Temp\tmpEBC6.tmp (see Processes and Downloads).
  Suspicious behavior: EnumeratesProcesses (4 IoCs)
    PID 1644 reciept,pdf.exe (1 occurrence); PID 1268 MSBuild.exe (3 occurrences)
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID 1268 MSBuild.exe
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeDebugPrivilege, PID 1644 reciept,pdf.exe
    Token: SeDebugPrivilege, PID 1268 MSBuild.exe
  Suspicious use of WriteProcessMemory (13 IoCs)
    PID 1644 (reciept,pdf.exe) wrote to memory of PID 2012 (schtasks.exe): 4 events
    PID 1644 (reciept,pdf.exe) wrote to memory of PID 1268 (MSBuild.exe): 9 events
    Taken together with the SetThreadContext event and the 0x00400000-0x00438000 region dumped from PID 1268 (see Downloads), the writes into MSBuild.exe are consistent with process hollowing: the sample starts a legitimate signed .NET binary, overwrites its image and redirects a thread into the injected code. Everything the report attributes to MSBuild.exe afterwards (the Run key, the dropped dslsvc.exe, SeDebugPrivilege) is the RAT running inside that host process.
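The injection chain above (SetThreadContext plus repeated WriteProcessMemory from PID 1644 into PID 1268) correlated in code. This is an added example written for this page, not the sandbox's own detection logic: it parses the report's event rows copied verbatim into EVENT_LINES, and the list of commonly hollowed Microsoft binaries is the example's own assumption, not something the report states.

```python
import re
from collections import Counter

# The sandbox's "set thread context" and "wrote to memory" rows, copied from the
# Signatures section of this report (one row per event). The regex below is ours.
EVENT_LINES = """
PID 1644 set thread context of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 2012 1644 reciept,pdf.exe schtasks.exe
PID 1644 wrote to memory of 2012 1644 reciept,pdf.exe schtasks.exe
PID 1644 wrote to memory of 2012 1644 reciept,pdf.exe schtasks.exe
PID 1644 wrote to memory of 2012 1644 reciept,pdf.exe schtasks.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
PID 1644 wrote to memory of 1268 1644 reciept,pdf.exe MSBuild.exe
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Signed Microsoft .NET binaries that crypters commonly start suspended and hollow.
# Assumption of this example, not a list from the report.
COMMON_HOLLOW_HOSTS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "vbc.exe", "csc.exe", "applaunch.exe",
}


def parse_events(text):
    """Turn the report rows into (src_pid, action, dst_pid, src_image, dst_image)."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append((int(d["src"]), d["action"], int(d["dst"]),
                           d["src_img"], d["dst_img"]))
    return events


def write_counts(events):
    """Cross-process writes per (source pid, target pid)."""
    return Counter((s, d) for s, a, d, _, _ in events if a == "wrote to memory of")


def hollowing_candidates(events):
    """Pairs where the source both wrote into the target and replaced a thread
    context there. Writes alone (as into schtasks.exe here) do not qualify."""
    writes = write_counts(events)
    images = {(s, d): (si, di) for s, _, d, si, di in events}
    out = []
    for s, a, d, _, _ in events:
        if a != "set thread context of" or writes[(s, d)] == 0:
            continue
        src_img, dst_img = images[(s, d)]
        out.append({
            "source_pid": s, "source_image": src_img,
            "target_pid": d, "target_image": dst_img,
            "writes": writes[(s, d)],
            "known_hollow_host": dst_img.lower() in COMMON_HOLLOW_HOSTS,
        })
    return out


if __name__ == "__main__":
    for c in hollowing_candidates(parse_events(EVENT_LINES)):
        print(c)
```

The schtasks.exe child receives four writes but no thread-context change, so it is reported only in write_counts; MSBuild.exe receives nine writes and the context change and is the single hollowing candidate.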
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\reciept,pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\reciept,pdf.exe"
      - Checks BIOS information in registry
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qrfTTNaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEBC6.tmp"
        - Creates scheduled task(s)
        The 32-bit sample asked for C:\Windows\System32\schtasks.exe and WoW64 file-system redirection ran C:\Windows\SysWOW64\schtasks.exe instead; a detection keyed on the System32 image path alone would miss this event.
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        command line: shown by the sandbox as "{path}"
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
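Turning the report into a hunt: the added example below is not part of the report or of any vendor tooling. It collects the indicators from the General section (SHA256), the extracted NanoCore config (C2 host and port) and the Signatures and Processes sections (Run key value, dropped file, task name) and runs them over constructed Sysmon-style events. Field names follow Sysmon (EventID 1, 3, 11, 13 and 22 with CommandLine, Hashes, DestinationHostname, TargetFilename, TargetObject, Details and QueryName), but the events are fabricated for the example, not captured telemetry. The "/XML from a temp file" rule generalizes beyond this sample, since the random task name differs per build.

```python
import re

# Indicators taken from this report, lower-cased for matching.
IOCS = {
    "sha256": "fd319dbcfcafada38eeb43f81d7f46d3b9067e4dacf535667a12ed992691faea",
    "c2_hosts": {"megida123.ddns.net"},
    "c2_ports": {9900},
    "run_value_name": "dsl service",
    "dropped_file": r"c:\program files (x86)\dsl service\dslsvc.exe",
    "task_name": r"updates\qrfttnan",
}

# schtasks /Create ... /XML <dir>\Temp\tmpXXXX.tmp: the task name changes per build,
# the XML-from-a-temp-file shape does not. Generalization by this example.
SCHTASKS_XML_TEMP = re.compile(
    r'schtasks.*?/create.*?/xml\s+"?[^"]*\\temp\\tmp[0-9a-f]{4}\.tmp', re.I)

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

# Constructed Sysmon-style events (plain dicts with Sysmon field names).
# Events 0-5 replay what the sandbox reported; 6-8 are benign decoys.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Local\Temp\reciept,pdf.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\reciept,pdf.exe"',
     "Hashes": "SHA256=FD319DBCFCAFADA38EEB43F81D7F46D3B9067E4DACF535667A12ED992691FAEA"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qrfTTNaN" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpEBC6.tmp"'},
    {"EventID": 13, "Image": MSBUILD,
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service",
     "Details": r"C:\Program Files (x86)\DSL Service\dslsvc.exe"},
    {"EventID": 11, "Image": MSBUILD,
     "TargetFilename": r"C:\Program Files (x86)\DSL Service\dslsvc.exe"},
    {"EventID": 22, "Image": MSBUILD, "QueryName": "megida123.ddns.net"},
    {"EventID": 3, "Image": MSBUILD,
     "DestinationHostname": "megida123.ddns.net", "DestinationPort": 9900},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"EventID": 13, "Image": r"C:\Temp\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "QueryName": "www.microsoft.com"},
]


def classify(event, iocs):
    """Return the names of the hunt rules a single event matches."""
    low = {k.lower(): str(v).lower() for k, v in event.items()}
    eid = event.get("EventID")
    hits = []
    if eid == 1:  # process creation
        cmd = low.get("commandline", "")
        if "sha256=" + iocs["sha256"] in low.get("hashes", ""):
            hits.append("known_sample_hash")
        if "schtasks" in cmd and "/create" in cmd and iocs["task_name"] in cmd:
            hits.append("schtasks_known_task_name")
        if SCHTASKS_XML_TEMP.search(cmd):
            hits.append("schtasks_xml_from_temp")
    elif eid == 13:  # registry value set
        target = low.get("targetobject", "")
        if "\\currentversion\\run\\" in target and (
                target.endswith("\\" + iocs["run_value_name"])
                or low.get("details", "") == iocs["dropped_file"]):
            hits.append("run_key_persistence")
    elif eid == 11:  # file create
        if low.get("targetfilename", "") == iocs["dropped_file"]:
            hits.append("dropped_payload")
    elif eid == 22:  # DNS query
        if low.get("queryname", "") in iocs["c2_hosts"]:
            hits.append("c2_dns_query")
    elif eid == 3:  # network connection; port alone is weak evidence
        if low.get("destinationhostname", "") in iocs["c2_hosts"]:
            hits.append("c2_connect")
        elif event.get("DestinationPort") in iocs["c2_ports"]:
            hits.append("c2_port_only_low_confidence")
    return hits


def hunt(events, iocs):
    """(event index, rule name) for every match across the event stream."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev, iocs)]


if __name__ == "__main__":
    for idx, rule in hunt(EVENTS, IOCS):
        print(idx, rule, EVENTS[idx]["Image"])
```

The Run-key rule matches on either the value name or the data pointing at the dropped file, so a re-named value that still launches dslsvc.exe is caught; the port-only network rule is kept separate and labelled low confidence because 9900 is not reserved for this family.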
Network
Downloads
  C:\Users\Admin\AppData\Local\Temp\tmpEBC6.tmp (1KB; the task definition passed to schtasks.exe /XML)
    MD5: ce89942cea00f86d48e9f0522513b253
    SHA1: aa7493b7089666aa6b4353d74a5fabeac13d925b
    SHA256: 3ffd3e49e06b08443e962046f811f67a663e98c2ba33693abecf6490f24507e3
    SHA512: 66407faa9ea27dfc386f33605e4878b63c463c50087a1e710bb40200b3d0738dcc9fc29262fac648d7e20837043328dc6619cb4a02d0aa08a8b05de99125ab63
  Memory dumps (PID 1268 = MSBuild.exe, PID 1644 = reciept,pdf.exe, PID 2012 = schtasks.exe)
    memory/1268-58, -59, -61, -62, -64, -67, -69: 0x0000000000400000-0x0000000000438000, 224KB each (seven dumps of the same region, at the default 32-bit PE image base; this is the region the WriteProcessMemory events above wrote into)
    memory/1268-65: 0x000000000041E792 mapping.dmp (inside that region)
    memory/1268-71: 0x0000000074A70000-0x000000007501B000, 5.7MB
    memory/1268-72: 0x00000000021C6000-0x00000000021D7000, 68KB
    memory/1644-54: 0x0000000076781000-0x0000000076783000, 8KB
    memory/1644-55: 0x0000000074A70000-0x000000007501B000, 5.7MB (same range as memory/1268-71, consistent with a module shared by both processes)
    memory/2012-56: 0x0000000000000000 mapping.dmp