Analysis
Max time kernel: 146s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 12:11

Static task: static1
Behavioral task: behavioral1
Sample: INVOICE.exe
Resource: win7-20220414-en
General
Target: INVOICE.exe
Size: 257KB
MD5: 0b29c9cf3ca1bdda38b97e9fb32c7b4a
SHA1: 1ff3b96d090ea2f0151f09231528583be26ef318
SHA256: 0e60fbf96ee79935f57b028842bdab9f9b6c08787e0a477f5f20dcd5be5599d7
SHA512: 75fa27a78908056a89031121dd496eddf9ac9bbebae8095a491774cd5694cb5327a23bc3a1905f4b09c66502fc0a1e2d538c08a0deae7d83ebd2c968221d958b
Malware Config
Extracted family: nanocore
Version: 1.2.2.0
C2: u852117.nvpn.to:5638
Mutex: c20191a5-cd52-4887-8771-2d1dca5667b7

activate_away_mode: true
backup_connection_host: u852117.nvpn.to
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-19T15:09:07.734275836Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5638
default_group: BEGINS
enable_debug_mode: true
gc_threshold: 10485760 (shown as 1.048576e+07 in the raw extraction)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (shown as 1.048576e+07 in the raw extraction)
mutex: c20191a5-cd52-4887-8771-2d1dca5667b7
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: u852117.nvpn.to
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks whether UAC is enabled (1 IoC)
  Process: INVOICE.exe (PID 896)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
  PID 1880 INVOICE.exe set thread context of PID 896 INVOICE.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 896 INVOICE.exe (2 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 896 INVOICE.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 896 INVOICE.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1880 INVOICE.exe wrote to memory of PID 896 INVOICE.exe (9 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\INVOICE.exe  "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"  (PID 1880)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  +- C:\Users\Admin\AppData\Local\Temp\INVOICE.exe  "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"  (PID 896)
       - Checks whether UAC is enabled
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious behavior: GetForegroundWindowSpam
       - Suspicious use of AdjustPrivilegeToken
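The Signatures and Processes sections above show the first INVOICE.exe (PID 1880) writing into a second copy of itself (PID 896) nine times and then setting that child's thread context, after which the child enables SeDebugPrivilege and reads EnableLUA. That write-then-redirect sequence between a parent and a freshly started child of the same image is the classic process-hollowing shape. The Python below, added here as an example and not taken from the report or from the sandbox, turns the pattern into a detection over process-event records. The records are constructed to mirror the IoCs listed above plus one benign control; their tuple layout is an assumption, not any sandbox's real export format.

```python
"""Detect the WriteProcessMemory + SetThreadContext hollowing pattern
in a stream of process events (added example; event layout assumed)."""
from collections import defaultdict

# Constructed events mirroring the report's IoCs:
# (api, pid, target_pid, image, target_image, detail)
EVENTS = [
    ("SetThreadContext", 1880, 896, "INVOICE.exe", "INVOICE.exe", ""),
    *[("WriteProcessMemory", 1880, 896, "INVOICE.exe", "INVOICE.exe", "")] * 9,
    ("AdjustPrivilegeToken", 896, None, "INVOICE.exe", None, "SeDebugPrivilege"),
    ("RegQueryValue", 896, None, "INVOICE.exe", None,
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    # Benign control (constructed): a parent that writes into a child once
    # but never hijacks a thread should not be flagged.
    ("WriteProcessMemory", 1200, 1300, "explorer.exe", "notepad.exe", ""),
]


def find_hollowing(events):
    """One finding per (writer, target) pair that saw both WriteProcessMemory
    and SetThreadContext. A pair whose images match is labelled as hollowing
    of the malware's own image (what this report shows); a mismatch is
    labelled as injection into a foreign image."""
    writes = defaultdict(int)
    ctx_pairs = set()
    images = {}
    for api, pid, tgt, img, tgt_img, _detail in events:
        if tgt is None:          # single-process events carry no target
            continue
        images[(pid, tgt)] = (img, tgt_img)
        if api == "WriteProcessMemory":
            writes[(pid, tgt)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((pid, tgt))

    findings = []
    for pair in sorted(ctx_pairs):
        if writes.get(pair, 0) == 0:
            continue             # thread redirect without a prior write: not this pattern
        img, tgt_img = images[pair]
        findings.append({
            "writer_pid": pair[0],
            "target_pid": pair[1],
            "writes": writes[pair],
            "same_image": img == tgt_img,
            "verdict": "hollowing of own image" if img == tgt_img
                       else "injection into other image",
        })
    return findings


def privileged_children(events, findings):
    """Cross-check: which hollowed children went on to take SeDebugPrivilege?"""
    hollowed = {f["target_pid"] for f in findings}
    return sorted(
        pid for api, pid, _tgt, _img, _timg, detail in events
        if api == "AdjustPrivilegeToken"
        and "SeDebugPrivilege" in detail
        and pid in hollowed
    )


if __name__ == "__main__":
    hits = find_hollowing(EVENTS)
    for hit in hits:
        print(hit)
    print("hollowed children that enabled SeDebugPrivilege:",
          privileged_children(EVENTS, hits))
```

On the constructed events the detector yields a single finding for 1880 -> 896 with nine writes and the own-image verdict, and the explorer.exe -> notepad.exe write is ignored because no SetThreadContext follows it. In a real pipeline the same two calls would be pulled from ETW, Sysmon (event 8/10 style telemetry) or the sandbox's API log rather than a hand-built list.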
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
File                                                             Size
memory/896-56-0x0000000000400000-0x0000000000438000-memory.dmp   224KB
memory/896-57-0x000000000041E792-mapping.dmp                     -
memory/896-61-0x0000000000402000-0x000000000041E800-memory.dmp   114KB
memory/896-60-0x0000000000402000-0x000000000041E800-memory.dmp   114KB
memory/896-63-0x0000000074230000-0x00000000747DB000-memory.dmp   5.7MB
memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp  8KB
memory/1880-55-0x00000000740A0000-0x000000007464B000-memory.dmp  5.7MB
memory/1880-58-0x00000000007C0000-0x00000000007EB000-memory.dmp  172KB
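The dump names above encode the PID, a sequence number and either an address range (region dumps) or a single address (the mapping dump). The Python below, added as an example and not part of the report, parses that naming scheme, recomputes each region's size from its addresses to check it against the listed label, and finds which region dumps of PID 896 contain the mapping address 0x41E792. The regular expression is written from the entries listed here, and the size-label rounding (whole KB below 1 MB, one decimal MB above) is an assumption about how the report formats sizes.

```python
"""Parse sandbox memory-dump names, verify listed sizes, and locate the
mapping address inside the region dumps (added example)."""
import re

# Assumed scheme, read off the entries above:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   (region dump)
#   memory/<pid>-<seq>-0x<address>-mapping.dmp        (mapping dump)
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Copied from the Downloads section of this report (name, listed size).
DOWNLOADS = [
    ("memory/896-56-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/896-57-0x000000000041E792-mapping.dmp", None),
    ("memory/896-61-0x0000000000402000-0x000000000041E800-memory.dmp", "114KB"),
    ("memory/896-60-0x0000000000402000-0x000000000041E800-memory.dmp", "114KB"),
    ("memory/896-63-0x0000000074230000-0x00000000747DB000-memory.dmp", "5.7MB"),
    ("memory/1880-54-0x00000000755A1000-0x00000000755A3000-memory.dmp", "8KB"),
    ("memory/1880-55-0x00000000740A0000-0x000000007464B000-memory.dmp", "5.7MB"),
    ("memory/1880-58-0x00000000007C0000-0x00000000007EB000-memory.dmp", "172KB"),
]


def parse_dump(name):
    """Return a dict with pid, seq, kind and (for regions) start/end/size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    d = {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": int(m["start"], 16)}
    if m["end"] is None:
        d["kind"] = "mapping"
    else:
        d["kind"] = "region"
        d["end"] = int(m["end"], 16)
        d["size"] = d["end"] - d["start"]
    return d


def human(size):
    """Assumed label format: whole KB below 1 MB, one decimal MB above."""
    if size < 1024 * 1024:
        return f"{size // 1024}KB"
    return f"{size / (1024 * 1024):.1f}MB"


def check_sizes(downloads):
    """Return (name, computed, listed) for every region whose address range
    disagrees with the size printed next to it."""
    mismatches = []
    for name, listed in downloads:
        d = parse_dump(name)
        if d["kind"] == "region" and human(d["size"]) != listed:
            mismatches.append((name, human(d["size"]), listed))
    return mismatches


def locate_mappings(downloads):
    """For each mapping dump, the seq numbers of same-PID region dumps
    whose [start, end) range contains the mapping address."""
    dumps = [parse_dump(n) for n, _ in downloads]
    located = {}
    for m in (d for d in dumps if d["kind"] == "mapping"):
        located[m["start"]] = sorted(
            r["seq"] for r in dumps
            if r["kind"] == "region"
            and r["pid"] == m["pid"]
            and r["start"] <= m["start"] < r["end"]
        )
    return located


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DOWNLOADS))
    for addr, seqs in locate_mappings(DOWNLOADS).items():
        print(f"mapping 0x{addr:X} lies in region dumps {seqs}")
```

Run against the listed entries, every recomputed size matches its label, and the mapping address 0x41E792 falls inside region dumps 56 (0x400000-0x438000, the child's image) and 60/61 (0x402000-0x41E800), i.e. inside memory of the hollowed child rather than in any loaded module. The two 5.7MB regions (0x740A0000 in PID 1880, 0x74230000 in PID 896) are exactly the same length, 0x5AB000 bytes, which is consistent with one module mapped at different bases in parent and child, though the report does not name it.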