Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 18:40
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order061720PDF.exe
Resource: win7-20220414-en
General
- Target: Purchase Order061720PDF.exe
- Size: 1.3MB
- MD5: 087c73bf612b9d9694409a763b3c270a
- SHA1: d033c49a30a38a59764d2a1a2eab537574b53e98
- SHA256: 17fa709f1a866d573f997f8f1288d537de382cccc5a4f9c1811db9da34c016b2
- SHA512: 0f767f635e0edf66333835ced8e0f377aa9158137ff891af3d7ebaa3e18193c61bd88f22896dc7269aa03d97eb1852c9dbb882fe03d637a7b8e2107150db11c3
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: forwork61420.ddns.net:3118
- C2: forwork61420.duckdns.org:3118
- Mutex: 713ef177-b6be-471f-adec-854b1cda1062
Attributes:
- activate_away_mode: true
- backup_connection_host: forwork61420.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-28T15:15:12.586904536Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 3118
- default_group: TT
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 713ef177-b6be-471f-adec-854b1cda1062
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: forwork61420.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvax64.url | Purchase Order061720PDF.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1452 set thread context of 992 | 1452 | Purchase Order061720PDF.exe | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid | process):
  992 | MSBuild.exe (2 entries)
  1452 | Purchase Order061720PDF.exe (11 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  992 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 992 | MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid | process):
  1452 | Purchase Order061720PDF.exe (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid | process):
  1452 | Purchase Order061720PDF.exe (3 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 1452 wrote to memory of 992 | 1452 | Purchase Order061720PDF.exe | MSBuild.exe (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Purchase Order061720PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order061720PDF.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/992-55-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/992-57-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/992-62-0x000000000041E792-mapping.dmp
- memory/992-63-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/992-64-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/992-68-0x0000000074330000-0x00000000748DB000-memory.dmp (Filesize 5.7MB)
- memory/992-69-0x0000000002096000-0x00000000020A7000-memory.dmp (Filesize 68KB)
- memory/1452-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize 8KB)
- memory/1452-66-0x00000000001D0000-0x0000000000236000-memory.dmp (Filesize 408KB)
- memory/1452-67-0x0000000000340000-0x00000000003A6000-memory.dmp (Filesize 408KB)