Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:12

Static task: static1
Behavioral task: behavioral1
Sample: reciept,pdf.exe
Resource: win7-20220414-en

General

Target: reciept,pdf.exe
Size: 433KB
MD5: 583dccf7e7b91fdb4e836e7a8ddb6f2b
SHA1: 9afea6cd42317fc15631c4930ba70f5561de0061
SHA256: fd319dbcfcafada38eeb43f81d7f46d3b9067e4dacf535667a12ed992691faea
SHA512: 8aa676fbcb80025f16ff549264aa1de72a2a6d21811612853d50c75ae6610cf80ad3fb3841fc51f317f727045f4109d2f746c3af4796f581bb399dc734a15f7a
Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: megida123.ddns.net:9900
Mutex: 64aa071e-5b44-426b-ad7e-e6d42b713d32

activate_away_mode: true
backup_connection_host: (empty)
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-01T17:02:01.784418836Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 9900
default_group: 00000
enable_debug_mode: true
gc_threshold: 10485760 (10 MiB; the extractor printed it as 1.048576e+07)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (10 MiB; the extractor printed it as 1.048576e+07)
mutex: 64aa071e-5b44-426b-ad7e-e6d42b713d32
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: megida123.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000

Points worth reading out of this config before acting on the sample:
- The only C2 is a dynamic-DNS name (megida123.ddns.net) on TCP 9900; backup_connection_host is empty, so this build has no fallback server. Block or sinkhole the name and watch for new resolutions rather than pinning a single IP.
- use_custom_dns_server is false, so the primary_dns_server / backup_dns_server values (8.8.8.8 / 8.8.4.4) are inert for this build; expect the C2 name to be resolved through the host's normal resolver, which is where DNS logging will catch it.
- set_critical_process is true: NanoCore marks its own process as critical (the RtlSetProcessIsCritical mechanism), so terminating the hollowed MSBuild.exe abruptly can bugcheck the host. Suspend the process and clear the critical flag, or isolate the host, before killing it.
- run_on_startup is false, yet this run produced both a Run key (written by the injected MSBuild.exe) and a scheduled task (created by the loader). Judge persistence from observed behaviour, not from the config flags alone.
- The mutex is the same GUID as the summary identifier above; a running instance of this build can be detected cheaply on a host by attempting to open a mutex of that name.
- build_time (2020-03-01) is more than two years before the submission date (21-05-2022); the build was either long-lived or reused.
Signatures

- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process reciept,pdf.exe:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process reciept,pdf.exe:
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process MSBuild.exe:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe"
  Writing under HKLM and dropping into Program Files both need an elevated token; that they succeeded here means the sample ran elevated (via the sandbox account or its UAC bypass). On a standard-user host the outcome depends on the bypass_user_account_control / request_elevation path in the config.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Process reciept,pdf.exe:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
- Suspicious use of SetThreadContext (1 IoC)
  Process reciept,pdf.exe:
    PID 1708 (reciept,pdf.exe) set thread context of PID 3644 (MSBuild.exe)
  Read together with the WriteProcessMemory rows below and the 224KB dump at 0x400000 in PID 3644, this is the classic process-hollowing pattern: the loader starts a legitimate .NET host, overwrites its image and redirects its initial thread onto the injected payload.
- Drops file in Program Files directory (2 IoCs)
  Process MSBuild.exe:
    File created: C:\Program Files (x86)\WPA Monitor\wpamon.exe
    File opened for modification: C:\Program Files (x86)\WPA Monitor\wpamon.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature mentions ransomware; for this sample the behaviour lines up with the Disk\Enum registry reads above and is consistent with sandbox detection, not with encryption activity. Nothing in this run shows files being encrypted.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1708 reciept,pdf.exe (1 hit), PID 3644 MSBuild.exe (3 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3644 MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 1708 reciept,pdf.exe
  Token SeDebugPrivilege: PID 3644 MSBuild.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1708 (reciept,pdf.exe) wrote to memory of PID 2128 (schtasks.exe): 3 times
  PID 1708 (reciept,pdf.exe) wrote to memory of PID 3644 (MSBuild.exe): 8 times
  The three writes into schtasks.exe are the normal CreateProcess pattern for a child; the eight writes into MSBuild.exe, combined with SetThreadContext, are the injection.
Processes

C:\Users\Admin\AppData\Local\Temp\reciept,pdf.exe (PID 1708)
  Command line: "C:\Users\Admin\AppData\Local\Temp\reciept,pdf.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2128, child of 1708)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qrfTTNaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C73.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 3644, child of 1708)
    Command line: "{path}" (placeholder as recorded by the sandbox)
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- The schtasks.exe image path is SysWOW64 while the command line names System32: the loader is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64. The same redirection is why the Run key landed under WOW6432Node.
- The task name Updates\qrfTTNaN looks randomly generated, so hunt on the pattern (a task under an "Updates" folder created by schtasks /Create /XML with a definition file in %TEMP%) rather than on the literal name. The XML file tmp7C73.tmp and its hashes are listed under Downloads.
- MSBuild.exe from the .NET Framework v2.0.50727 directory is a legitimate Microsoft-signed binary used as the hollowing host; its execution alone is not an indicator. The signal is the parent (an executable launched from %TEMP%), the memory writes and SetThreadContext into it, and the file drop and Run key it then performs.
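The signatures and process tree above describe five behaviours that are worth detecting as a chain rather than one at a time: registry fingerprinting of the machine, the geofence lookup, a scheduled task built from an XML definition in %TEMP%, hollowing of MSBuild.exe (WriteProcessMemory followed by SetThreadContext into a child the loader created), and a Run key that points at a file the injected process itself dropped. The Python below is an editor's example added to this page; it is not part of the sandbox report or of any vendor tooling. It encodes those behaviours as rules and runs them over a constructed trace that mirrors the IoC rows above. The row format is invented for the example, and the VirtualBox/VMware registry paths in ANTI_SANDBOX_KEYS are assumed (the report names those checks but not the keys).

```python
import re
from collections import defaultdict

# Constructed trace rows in this report's own vocabulary; they mirror the IoC
# rows above and are NOT output captured from the sandbox.
L = "reciept,pdf.exe"   # the loader
TRACE = [
    {"op": "reg_query", "pid": 1708, "image": L, "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"op": "reg_query", "pid": 1708, "image": L, "target": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"op": "reg_query", "pid": 1708, "image": L, "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"},
    {"op": "reg_query", "pid": 1708, "image": L,
     "target": r"\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation"},
    {"op": "proc_create", "pid": 1708, "image": L, "child_pid": 2128, "child_image": "schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qrfTTNaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C73.tmp"'},
    {"op": "proc_create", "pid": 1708, "image": L, "child_pid": 3644, "child_image": "MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
    {"op": "write_memory", "pid": 1708, "image": L, "target_pid": 2128},   # plain CreateProcess noise
    {"op": "write_memory", "pid": 1708, "image": L, "target_pid": 3644},
    {"op": "set_thread_context", "pid": 1708, "image": L, "target_pid": 3644},
    {"op": "file_create", "pid": 3644, "image": "MSBuild.exe", "target": r"C:\Program Files (x86)\WPA Monitor\wpamon.exe"},
    {"op": "reg_set", "pid": 3644, "image": "MSBuild.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor",
     "value": r"C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe"},
]

# Lower-cased key fragments read to fingerprint the machine. The first three are
# in the report; the VirtualBox/VMware paths are assumed for the example.
ANTI_SANDBOX_KEYS = (
    r"hardware\description\system\systembiosversion",
    r"hardware\description\system\videobiosversion",
    r"services\disk\enum",
    r"software\oracle\virtualbox guest additions",
    r"software\vmware, inc.\vmware tools",
)
GEO_KEY = r"\control panel\international\geo\nation"
RUN_KEY = "\\currentversion\\run\\"      # matches the native hive and WOW6432Node
TEMP_DIR = "\\appdata\\local\\temp\\"
XML_ARG = re.compile(r'/xml\s+"?([^"\s]+)', re.IGNORECASE)


def norm(path):
    """Lower-case, strip quotes, collapse the doubled backslashes the report prints in registry values."""
    return path.strip('"').replace("\\\\", "\\").lower()


def finding(rule, pid, image, evidence):
    return {"rule": rule, "pid": pid, "image": image, "evidence": evidence}


def rule_anti_sandbox(trace):
    """Two or more distinct fingerprinting keys read by the same process."""
    hits = defaultdict(set)
    for e in trace:
        if e["op"] == "reg_query":
            hits[(e["pid"], e["image"])].update(k for k in ANTI_SANDBOX_KEYS if k in norm(e["target"]))
    return [finding("anti_sandbox_registry", pid, image, sorted(keys))
            for (pid, image), keys in hits.items() if len(keys) >= 2]


def rule_geofence(trace):
    return [finding("geofence_lookup", e["pid"], e["image"], [e["target"]])
            for e in trace if e["op"] == "reg_query" and norm(e["target"]).endswith(GEO_KEY)]


def rule_process_hollowing(trace):
    """Parent creates a child, writes its memory AND replaces a thread context in it.
    Memory writes alone (schtasks.exe here) are not enough: CreateProcess does that too."""
    children = {(e["pid"], e["child_pid"]): e["child_image"] for e in trace if e["op"] == "proc_create"}
    seen = defaultdict(set)
    for e in trace:
        if e["op"] in ("write_memory", "set_thread_context"):
            seen[(e["pid"], e["image"], e["target_pid"])].add(e["op"])
    return [finding("process_hollowing", pid, image, [f"pid {tpid} ({children[(pid, tpid)]})"])
            for (pid, image, tpid), ops in seen.items()
            if (pid, tpid) in children and {"write_memory", "set_thread_context"} <= ops]


def rule_schtasks_xml_from_temp(trace):
    """schtasks /Create fed a task definition that lives under %TEMP%."""
    out = []
    for e in trace:
        if e["op"] != "proc_create" or e["child_image"].lower() != "schtasks.exe":
            continue
        m = XML_ARG.search(e["cmdline"])
        if "/create" in e["cmdline"].lower() and m and TEMP_DIR in m.group(1).lower():
            out.append(finding("schtasks_xml_from_temp", e["pid"], e["image"], [m.group(1)]))
    return out


def rule_run_key_to_dropped_file(trace):
    """A Run value whose target is a file the same process created during the run."""
    dropped = defaultdict(set)
    for e in trace:
        if e["op"] == "file_create":
            dropped[e["pid"]].add(norm(e["target"]))
    return [finding("run_key_to_dropped_file", e["pid"], e["image"], [e["target"], e["value"]])
            for e in trace
            if e["op"] == "reg_set" and RUN_KEY in norm(e["target"]) and norm(e["value"]) in dropped[e["pid"]]]


RULES = (rule_anti_sandbox, rule_geofence, rule_process_hollowing,
         rule_schtasks_xml_from_temp, rule_run_key_to_dropped_file)


def detect(trace):
    """Run every rule over the trace and return the findings in rule order."""
    return [f for rule in RULES for f in rule(trace)]


if __name__ == "__main__":
    for f in detect(TRACE):
        print(f"{f['rule']:<24} pid {f['pid']}  {f['image']:<16} {'; '.join(f['evidence'])}")
```

Two details the trace makes visible that a single-signature view hides: the writes into schtasks.exe do not fire the hollowing rule because no thread context is replaced, which is the ordinary CreateProcess pattern; and the Run-key rule only reports a value that points at a file the same process created, so a Run entry for a pre-existing binary is left alone. In real telemetry the registry reads would have to come from a sandbox trace or an ETW registry provider; Sysmon records value writes (event 13) but not value reads.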
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7C73.tmp
  Filesize: 1KB
  MD5: 86d4fd5fe3e69e6f7dc234aa651f9e37
  SHA1: 5b2e48dfc46bc24e7b3e55ea4d7f27f0246de140
  SHA256: 55eca2b0d796553d2137acfa6405e83c82e98f3f42ccd37bb74dd69fcc11c63e
  SHA512: 3f5a1898d681af202530be6eb25e965f0929bf6ee74d3d78aa8593b8d71120ffe6f8ae4802ee6b09e7bbaabf93ca749ffc48f7ce7bf4cddecd5da2c3c14782d6
  This is the scheduled-task XML definition passed to schtasks.exe /XML by the loader (PID 1708).

memory/1708-130-0x0000000074770000-0x0000000074D21000-memory.dmp
  Filesize: 5.7MB
memory/2128-131-0x0000000000000000-mapping.dmp
memory/3644-133-0x0000000000000000-mapping.dmp
memory/3644-134-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
memory/3644-135-0x0000000074770000-0x0000000074D21000-memory.dmp
  Filesize: 5.7MB

Of the dumps, 3644-134 is the one to carve first: 0x400000 is the default image base for a 32-bit executable, and a 224KB region there inside MSBuild.exe (PID 3644) is the likely hollowed-in NanoCore payload, which is also where the config above would have been extracted from. The 5.7MB region at 0x74770000 appears at the same address and size in both PID 1708 and PID 3644, so it is a module shared by both processes rather than injected code.