Analysis
-
max time kernel
142s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:40
Static task
static1
Behavioral task
behavioral1
Sample
DOC20200602FACEMASK.exe
Resource
win7-20220414-en
General
-
Target
DOC20200602FACEMASK.exe
-
Size
1.2MB
-
MD5
3fca62fe4fdde607ad0a4ebcfeffe3ce
-
SHA1
6374aaa5263ab37bbd59939febd9e94f2f5c1b0a
-
SHA256
ca05f7a026f3e7fe6cdb73437a37629a528a7a62564c4a1866bc00442a2f2750
-
SHA512
c5dcbcb222453829c451aacc2ff0d32cb2d43f29aaeef7ce471e286dad8d196cc2f15cf2b9c119418aedb8494357e312de5b5a1e95c4f02ec856521f606bb578
Malware Config
Extracted
nanocore
1.2.2.0
185.19.85.186:40510
413937f8-0b4a-417f-a2dd-7581a42c5078
-
activate_away_mode
true
-
backup_connection_host
185.19.85.186
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-14T02:56:31.129410036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
40510
-
default_group
JUNE
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
413937f8-0b4a-417f-a2dd-7581a42c5078
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
185.19.85.186
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Drops startup file 1 IoCs
Processes:
DOC20200602FACEMASK.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logman.url DOC20200602FACEMASK.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MSBuild.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe" MSBuild.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DOC20200602FACEMASK.exedescription pid process target process PID 1080 set thread context of 2020 1080 DOC20200602FACEMASK.exe MSBuild.exe -
Drops file in Program Files directory 2 IoCs
Processes:
MSBuild.exedescription ioc process File created C:\Program Files (x86)\ARP Service\arpsvc.exe MSBuild.exe File opened for modification C:\Program Files (x86)\ARP Service\arpsvc.exe MSBuild.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 936 1080 WerFault.exe DOC20200602FACEMASK.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1728 schtasks.exe 1636 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 2020 MSBuild.exe 2020 MSBuild.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
MSBuild.exepid process 2020 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
MSBuild.exedescription pid process Token: SeDebugPrivilege 2020 MSBuild.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
DOC20200602FACEMASK.exepid process 1080 DOC20200602FACEMASK.exe 1080 DOC20200602FACEMASK.exe 1080 DOC20200602FACEMASK.exe -
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
DOC20200602FACEMASK.exepid process 1080 DOC20200602FACEMASK.exe 1080 DOC20200602FACEMASK.exe 1080 DOC20200602FACEMASK.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
DOC20200602FACEMASK.exeMSBuild.exedescription pid process target process PID 1080 wrote to memory of 2020 1080 DOC20200602FACEMASK.exe MSBuild.exe PID 1080 wrote to memory of 2020 1080 DOC20200602FACEMASK.exe MSBuild.exe PID 1080 wrote to memory of 2020 1080 DOC20200602FACEMASK.exe MSBuild.exe PID 1080 wrote to memory of 2020 1080 DOC20200602FACEMASK.exe MSBuild.exe PID 1080 wrote to memory of 2020 1080 DOC20200602FACEMASK.exe MSBuild.exe PID 1080 wrote to memory of 2020 1080 DOC20200602FACEMASK.exe MSBuild.exe PID 1080 wrote to memory of 936 1080 DOC20200602FACEMASK.exe WerFault.exe PID 1080 wrote to memory of 936 1080 DOC20200602FACEMASK.exe WerFault.exe PID 1080 wrote to memory of 936 1080 DOC20200602FACEMASK.exe WerFault.exe PID 1080 wrote to memory of 936 1080 DOC20200602FACEMASK.exe WerFault.exe PID 2020 wrote to memory of 1728 2020 MSBuild.exe schtasks.exe PID 2020 wrote to memory of 1728 2020 MSBuild.exe schtasks.exe PID 2020 wrote to memory of 1728 2020 MSBuild.exe schtasks.exe PID 2020 wrote to memory of 1728 2020 MSBuild.exe schtasks.exe PID 2020 wrote to memory of 1636 2020 MSBuild.exe schtasks.exe PID 2020 wrote to memory of 1636 2020 MSBuild.exe schtasks.exe PID 2020 wrote to memory of 1636 2020 MSBuild.exe schtasks.exe PID 2020 wrote to memory of 1636 2020 MSBuild.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DOC20200602FACEMASK.exe"C:\Users\Admin\AppData\Local\Temp\DOC20200602FACEMASK.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE82E.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "ARP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 3162⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE82E.tmpFilesize
1KB
MD5ae766004c0d8792953bafffe8f6a2e3b
SHA114b12f27543a401e2fe0af8052e116cab0032426
SHA2561abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
SHA512e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567
-
C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmpFilesize
1KB
MD51badb6e2b29a1c4bfff3c179d53ab96b
SHA14b2ad3e5f3826d252d1c8bf1c8f0702f39129fa1
SHA2566259ac4e6859a1b528d77ccea12b378f7dfa1eff359d9b8899414b4b1c484699
SHA51236338e2a74fd85c5f2c84be009981a7260692c1bcb121a42018209031082da69bf65640702d53e28b54871f9d44e65fdbebaf4771c530699c3e93981b58129b4
-
memory/936-65-0x0000000000000000-mapping.dmp
-
memory/1080-67-0x0000000001290000-0x00000000012F6000-memory.dmpFilesize
408KB
-
memory/1080-54-0x00000000759F1000-0x00000000759F3000-memory.dmpFilesize
8KB
-
memory/1080-66-0x0000000000E20000-0x0000000000E86000-memory.dmpFilesize
408KB
-
memory/1636-72-0x0000000000000000-mapping.dmp
-
memory/1728-70-0x0000000000000000-mapping.dmp
-
memory/2020-62-0x000000000041E792-mapping.dmp
-
memory/2020-69-0x0000000074420000-0x00000000749CB000-memory.dmpFilesize
5.7MB
-
memory/2020-64-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2020-63-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2020-57-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2020-55-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB