Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:10
- Static task: static1
- Behavioral task: behavioral1
- Sample: Purchase order#54.exe
- Resource: win7-20220414-en
General
- Target: Purchase order#54.exe
- Size: 562KB
- MD5: 1dfe52d38f7819e0117483241e5d2b43
- SHA1: f6013c4762c6357fb672248ff522625f8548e397
- SHA256: b3278c2b73f1b45d1d440b080dd563191b03794243f1ded305ff62b288accd75
- SHA512: 296b767294a9783df427da72e60486be5c65d5e3f9b6a50545af00ae591c41cc6e53edb0fb7639289c40ba36a3cfa2cd31fc4fa9ee9396f29a466fbdcd0ee218
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: onyekaj.hopto.org:6634
- C2: 185.140.53.34:6634
- Mutex: b2aa75e1-3a74-4a5f-b74d-28e6dd90be29
Attributes
- activate_away_mode: true
- backup_connection_host: 185.140.53.34
- backup_dns_server: 185.140.53.34
- buffer_size: 65535
- build_time: 2020-05-11T01:26:52.110301936Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (base64-encoded scheduled task XML blob)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 6634
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: b2aa75e1-3a74-4a5f-b74d-28e6dd90be29
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: onyekaj.hopto.org
- primary_dns_server: onyekaj.hopto.org
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation; process: Purchase order#54.exe
- Unexpected DNS network traffic destination (2 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes:
  - description: Destination IP; ioc: 185.140.53.34
  - description: Destination IP; ioc: 185.140.53.34
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - description: PID 4772 set thread context of 3736; pid: 4772; process: Purchase order#54.exe; target process: vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - pid: 1988; process: schtasks.exe
  - pid: 2284; process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - pid: 4772; process: Purchase order#54.exe (3 occurrences)
  - pid: 3736; process: vbc.exe (3 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid: 3736; process: vbc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege; pid: 4772; process: Purchase order#54.exe
  - description: Token: SeDebugPrivilege; pid: 3736; process: vbc.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  - description: PID 4772 wrote to memory of 1988; pid: 4772; process: Purchase order#54.exe; target process: schtasks.exe (3 occurrences)
  - description: PID 4772 wrote to memory of 3736; pid: 4772; process: Purchase order#54.exe; target process: vbc.exe (8 occurrences)
  - description: PID 3736 wrote to memory of 2284; pid: 3736; process: vbc.exe; target process: schtasks.exe (3 occurrences)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Purchase order#54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order#54.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F37.tmp"
    - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp49C6.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3F37.tmp
  - Filesize: 1KB
  - MD5: d49b1a0b5a08ed1df869f23aedb3c8ca
  - SHA1: f22cc9413d67d36b88bec3a3788c0eef02b64577
  - SHA256: 4adeb4eedb7bcda76f1b6f910fbb87d34f776e6fce58521c2398243585d6dfe6
  - SHA512: 0f5626ba83c2173a43fc6e552030258ef8f87ce92bd340ab1b94ec873dbd7040b3d478af057d9294abf8e3368c330abf4c02c70f5809c51112cfc5798d508255
- C:\Users\Admin\AppData\Local\Temp\tmp49C6.tmp
  - Filesize: 1KB
  - MD5: 808c6e96c170c90d0db522e8947eb2bd
  - SHA1: 44583694c3c23410d637bb96c0df0921363533ad
  - SHA256: c6b75fb7740d34d55d74b8664ff1ea778638a4916c2b52348ea34de60edd3afc
  - SHA512: 928b85e9fddfd7c93623e954dc53367aaf355f74a14601d77e45612ebdb77f3d6c0fc853e154f91f61e64306361885467c16fc211cf1bbdc023658ad35dba1eb
- memory/1988-136-0x0000000000000000-mapping.dmp
- memory/2284-140-0x0000000000000000-mapping.dmp
- memory/3736-138-0x0000000000000000-mapping.dmp
- memory/3736-139-0x0000000000400000-0x0000000000438000-memory.dmp
  - Filesize: 224KB
- memory/4772-130-0x00000000001B0000-0x0000000000242000-memory.dmp
  - Filesize: 584KB
- memory/4772-131-0x0000000007440000-0x00000000074DC000-memory.dmp
  - Filesize: 624KB
- memory/4772-132-0x0000000007A90000-0x0000000008034000-memory.dmp
  - Filesize: 5.6MB
- memory/4772-133-0x0000000007580000-0x0000000007612000-memory.dmp
  - Filesize: 584KB
- memory/4772-134-0x0000000007430000-0x000000000743A000-memory.dmp
  - Filesize: 40KB
- memory/4772-135-0x0000000007720000-0x0000000007776000-memory.dmp
  - Filesize: 344KB