Analysis
- max time kernel: 151s
- max time network: 175s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:23
Static task: static1
Behavioral task: behavioral1
- Sample: BOOKING.exe
- Resource: win7-20220414-en
General
- Target: BOOKING.exe
- Size: 291KB
- MD5: c97d31e6c4311d688c7de8a19ba9f488
- SHA1: 2c0aa234321581f6414535e165a832b8cd4a4704
- SHA256: 1fbae4f859c40f9446d06e76a4acf496fe0a43fb93b87f87d1077ab8a4490480
- SHA512: 62ffa02b28fa3105aa8da596d3f1fa3d26e820909de85e63dc1b539ac02305e08d5e77ec06a462f9864c281d3ff5db71fb8c9f624ea973c99981da080fa8b0ee
Malware Config
Extracted: nanocore 1.2.2.0
C2: u852117.nvpn.so:5638
Mutex: 31a1bd10-70b4-4419-9b7f-75dbc4160d94
- activate_away_mode: true
- backup_connection_host: u852117.nvpn.so
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-11T21:26:44.406621436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5638
- default_group: NEW COMCASTED
- enable_debug_mode: true
- gc_threshold: 10485760
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: 31a1bd10-70b4-4419-9b7f-75dbc4160d94
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: u852117.nvpn.so
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: BOOKING.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe"
- Checks whether UAC is enabled
  Process: BOOKING.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  PID 2724 (BOOKING.exe) set thread context of PID 3492 (BOOKING.exe)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\TCP Service\tcpsvc.exe (BOOKING.exe)
  File opened for modification: C:\Program Files (x86)\TCP Service\tcpsvc.exe (BOOKING.exe)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3492 (BOOKING.exe), 3 occurrences
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3492 (BOOKING.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3492 (BOOKING.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 2724 (BOOKING.exe) wrote to memory of PID 3492 (BOOKING.exe), 8 occurrences
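The signatures above describe one recognisable chain: the first BOOKING.exe (PID 2724) launches a second copy of its own image (PID 3492), writes into it eight times and replaces a thread context (process hollowing), after which the hollowed child queries EnableLUA, drops tcpsvc.exe and registers it under a Run key. The rule set below, as an added example and not code from the sandbox or this report, runs that correlation over a constructed event stream modelled on the report's IoCs. The event schema, the field names and the hunt() function are assumptions for illustration; registry paths are written with the HKLM prefix rather than \REGISTRY\MACHINE.

```python
from collections import Counter
from typing import Dict, List

# Constructed events mirroring the report (not the sandbox's own log format):
# PID 2724 hollows a re-launched copy of itself (PID 3492), which then probes UAC,
# drops tcpsvc.exe and persists via the WOW6432Node Run key.
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\BOOKING.exe"
EVENTS: List[Dict] = [
    {"pid": 2724, "image": IMAGE, "op": "CreateProcess",
     "target_pid": 3492, "target_image": IMAGE},
    *[{"pid": 2724, "op": "WriteProcessMemory", "target_pid": 3492} for _ in range(8)],
    {"pid": 2724, "op": "SetThreadContext", "target_pid": 3492},
    {"pid": 3492, "op": "RegQueryValue",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA"},
    {"pid": 3492, "op": "FileCreate",
     "path": r"C:\Program Files (x86)\TCP Service\tcpsvc.exe"},
    {"pid": 3492, "op": "RegSetValue",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "TCP Service", "data": r"C:\Program Files (x86)\TCP Service\tcpsvc.exe"},
    {"pid": 3492, "op": "AdjustPrivilege", "privilege": "SeDebugPrivilege"},
]

# Autostart locations checked for persistence (both native and WOW6432Node views end this way).
RUN_KEY_SUFFIXES = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")


def detect_self_hollowing(events: List[Dict]) -> List[Dict]:
    """A parent that spawns its own image, writes into the child and sets a thread
    context is the hollowing sequence behind the SetThreadContext and
    WriteProcessMemory signatures. Returns one finding per (parent, child) pair."""
    spawned = {}            # (parent, child) -> image, only when child image == parent image
    writes = Counter()      # (parent, child) -> number of WriteProcessMemory calls
    context_set = set()     # (parent, child) pairs with a SetThreadContext call
    for e in events:
        pair = (e["pid"], e.get("target_pid"))
        if e["op"] == "CreateProcess" and e.get("target_image") == e.get("image"):
            spawned[pair] = e["image"]
        elif e["op"] == "WriteProcessMemory":
            writes[pair] += 1
        elif e["op"] == "SetThreadContext":
            context_set.add(pair)
    return [{"parent": p, "child": c, "image": img, "writes": writes[(p, c)]}
            for (p, c), img in spawned.items()
            if writes[(p, c)] > 0 and (p, c) in context_set]


def detect_run_key_persistence(events: List[Dict]) -> List[Dict]:
    """Any value written under a Run/RunOnce key, with the command it will launch."""
    return [{"pid": e["pid"], "name": e["value"], "command": e["data"]}
            for e in events
            if e["op"] == "RegSetValue" and e["key"].endswith(RUN_KEY_SUFFIXES)]


def detect_uac_probe(events: List[Dict]) -> List[int]:
    """PIDs that read EnableLUA: NanoCore does this when bypass_user_account_control
    and request_elevation are set, as in the extracted config."""
    return [e["pid"] for e in events
            if e["op"] == "RegQueryValue" and e.get("value") == "EnableLUA"
            and e["key"].endswith(r"\Policies\System")]


def detect_debug_privilege(events: List[Dict]) -> List[int]:
    """PIDs that enable SeDebugPrivilege (the AdjustPrivilegeToken signature)."""
    return [e["pid"] for e in events
            if e["op"] == "AdjustPrivilege" and e.get("privilege") == "SeDebugPrivilege"]


def hunt(events: List[Dict]) -> Dict:
    """Correlate the single signatures: a hollowed child that persists and probes UAC
    is scored 'malicious'; any one of hollowing or persistence alone is 'suspicious'."""
    hollow = detect_self_hollowing(events)
    persist = detect_run_key_persistence(events)
    uac = detect_uac_probe(events)
    children = {h["child"] for h in hollow}
    if any(p["pid"] in children for p in persist) and children & set(uac):
        verdict = "malicious"
    elif hollow or persist:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hollowing": hollow, "persistence": persist, "uac_probe": uac,
            "debug_privilege": detect_debug_privilege(events), "verdict": verdict}


if __name__ == "__main__":
    for k, v in hunt(EVENTS).items():
        print(f"{k}: {v}")
```

The verdict hinges on the hollowed child (3492) being the process that both persists and probes UAC; a benign installer that writes a Run key from its own PID scores only "suspicious", while a process that merely spawns a copy of itself with no memory writes is ignored.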
Processes
- C:\Users\Admin\AppData\Local\Temp\BOOKING.exe (PID 2724), command line "C:\Users\Admin\AppData\Local\Temp\BOOKING.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\BOOKING.exe (PID 3492, child of 2724), command line C:\Users\Admin\AppData\Local\Temp\BOOKING.exe
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BOOKING.exe.log
  Filesize: 42B
  MD5: 84cfdb4b995b1dbf543b26b86c863adc
  SHA1: d2f47764908bf30036cf8248b9ff5541e2711fa2
  SHA256: d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
  SHA512: 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce
- memory/2724-130-0x00000000002B0000-0x00000000002CB000-memory.dmp
  Filesize: 108KB
- memory/2724-134-0x0000000004F50000-0x0000000005040000-memory.dmp
  Filesize: 960KB
- memory/3492-131-0x0000000000000000-mapping.dmp
- memory/3492-132-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/3492-135-0x00000000053E0000-0x0000000005984000-memory.dmp
  Filesize: 5.6MB
- memory/3492-136-0x0000000004E30000-0x0000000004EC2000-memory.dmp
  Filesize: 584KB
- memory/3492-137-0x0000000004F70000-0x000000000500C000-memory.dmp
  Filesize: 624KB
- memory/3492-138-0x0000000004ED0000-0x0000000004EDA000-memory.dmp
  Filesize: 40KB