Analysis
- max time kernel: 181s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 15:04
Static task: static1
Behavioral task behavioral1: sample TRANSAC2.exe, resource win7-20220414-en
Behavioral task behavioral2: sample TRANSAC2.exe, resource win10v2004-20220414-en
Behavioral task behavioral3: sample TRANSACT.exe, resource win7-20220414-en
General
- Target: TRANSACT.exe
- Size: 1.3MB
- MD5: 94aeaa711304f24759074946ad18409e
- SHA1: ccf1571a794c4e27df21ac9565d6cc5d9a9bb97e
- SHA256: eb3700158ed1f2709e37c6c8fba95c397d1a04cb334ba82a0fb3feff0c2255c0
- SHA512: f92583c7b695613804febfe481d644238d5bfdced88a8661422c31984efda7ab6ec67321a851c0eae3b7ceb2f2a9efa49a89e7bdcee5af7d0a577c6e524bfdbb
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 54.36.24.65:30301, 103.194.171.108:30301
- Mutex: 9b2ed16d-c582-447b-bb46-934e11de6bd8
- activate_away_mode: true
- backup_connection_host: 103.194.171.108
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-25T05:41:03.288865736Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 30301
- default_group: testtest
- enable_debug_mode: true
- gc_threshold: 10485760 (1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (1.048576e+07)
- mutex: 9b2ed16d-c582-447b-bb46-934e11de6bd8
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 54.36.24.65
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Drops startup file (1 IoC)
  Processes: TRANSACT.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DPTopologyAppv2_0.url | TRANSACT.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: TRANSACT.exe
  description | pid | process | target process
  PID 3708 set thread context of 4448 | 3708 | TRANSACT.exe | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes: MSBuild.exe, TRANSACT.exe
  pid | process
  4448 | MSBuild.exe (3 hits)
  3708 | TRANSACT.exe (28 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: MSBuild.exe
  pid | process
  4448 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 4448 | MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: TRANSACT.exe
  pid | process
  3708 | TRANSACT.exe (3 hits)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: TRANSACT.exe
  pid | process
  3708 | TRANSACT.exe (3 hits)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: TRANSACT.exe
  description | pid | process | target process
  PID 3708 wrote to memory of 4448 | 3708 | TRANSACT.exe | MSBuild.exe (5 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\TRANSACT.exe (PID 3708)
  "C:\Users\Admin\AppData\Local\Temp\TRANSACT.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 4448, child of 3708)
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
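The signatures and process tree above describe one chain: TRANSACT.exe, running from %TEMP%, launches the 32-bit .NET 2.0 MSBuild.exe as its child, writes into it five times, sets its thread context (the classic hollowing sequence), drops a .url into the user's Startup folder, and the extracted config points the resulting NanoCore client at two hosts on port 30301. As an added example, not code from the Triage report, from NanoCore, or from any vendor, the following Python turns those three observations into correlation rules and runs them over constructed event records. The event dicts, their field names, the HOLLOW_HOSTS list and the benign devenv.exe build used as a negative case are all assumptions made for the example; the PIDs, paths, C2 hosts and port are copied from the report.

```python
"""
Correlation rules for the behaviour recorded in the report:
  1. process hollowing (write_process_memory + set_thread_context from a parent
     into its own child, where the child is a well-known .NET host binary),
  2. a file written into the per-user Startup folder,
  3. a connection to the extracted NanoCore C2 hosts on the configured port.
Added example; not Triage, NanoCore or vendor code. Event shapes are assumed
and constructed to mirror the report's signature rows.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Indicators copied from the report.
C2_HOSTS = {"54.36.24.65", "103.194.171.108"}
C2_PORT = 30301

# Lower-cased path fragments (assumed, not from the report).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")
# .NET framework binaries commonly hollowed by loaders (assumed list; MSBuild.exe is the one this sample used).
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int      # process the finding is attributed to
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[Finding]:
    """Run the three rules over event dicts of these assumed shapes:
      {"type": "process_create", "pid": int, "ppid": int, "image": str}
      {"type": "write_process_memory" | "set_thread_context", "pid": int, "target_pid": int}
      {"type": "file_write", "pid": int, "path": str}
      {"type": "network_connect", "pid": int, "dst_ip": str, "dst_port": int}
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    # (source pid, target pid) -> cross-process primitives seen for that pair
    xproc: defaultdict[tuple[int, int], set[str]] = defaultdict(set)
    findings: list[Finding] = []

    for e in events:
        t = e["type"]
        if t in ("write_process_memory", "set_thread_context"):
            xproc[(e["pid"], e["target_pid"])].add(t)
        elif t == "file_write" and STARTUP_MARKER in e["path"].lower():
            findings.append(Finding("startup_persistence", e["pid"],
                                    f"{_base(e['path'])} written to Startup"))
        elif t == "network_connect" and e["dst_ip"] in C2_HOSTS and e["dst_port"] == C2_PORT:
            findings.append(Finding("nanocore_c2", e["pid"], f"{e['dst_ip']}:{e['dst_port']}"))

    # Hollowing: both primitives against the same target, the target is the
    # writer's own child (created suspended, overwritten, then resumed), and the
    # child is one of the host binaries. A parent in a user-writable path is noted.
    for (src, dst), prims in xproc.items():
        if prims != {"write_process_memory", "set_thread_context"}:
            continue
        parent, child = procs.get(src), procs.get(dst)
        if parent is None or child is None or child["ppid"] != src:
            continue
        if _base(child["image"]) not in HOLLOW_HOSTS:
            continue
        from_user_dir = any(m in parent["image"].lower() for m in USER_WRITABLE)
        findings.append(Finding(
            "process_hollowing", src,
            f"{_base(parent['image'])} -> {_base(child['image'])} (pid {dst})"
            + (", parent in user-writable path" if from_user_dir else "")))
    return findings


# Constructed events mirroring the report (PIDs 3708 / 4448 as in the signatures),
# plus a benign Visual Studio build of MSBuild.exe as a negative case.
T = r"C:\Users\Admin\AppData\Local\Temp\TRANSACT.exe"
M = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3708, "ppid": 1234, "image": T},
    {"type": "process_create", "pid": 4448, "ppid": 3708, "image": M},
    *[{"type": "write_process_memory", "pid": 3708, "target_pid": 4448} for _ in range(5)],
    {"type": "set_thread_context", "pid": 3708, "target_pid": 4448},
    {"type": "file_write", "pid": 3708,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DPTopologyAppv2_0.url"},
    {"type": "network_connect", "pid": 4448, "dst_ip": "54.36.24.65", "dst_port": 30301},
    # benign: devenv.exe launches MSBuild.exe and never touches its memory
    {"type": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"type": "process_create", "pid": 5001, "ppid": 5000, "image": M},
    {"type": "network_connect", "pid": 5001, "dst_ip": "40.76.4.15", "dst_port": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

The hollowing rule deliberately requires both primitives plus the parent/child relation; either primitive alone against an unrelated process is routine for debuggers and some security products, and MSBuild.exe spawned by a build tool without memory writes (the devenv.exe case) is not flagged. The same IOC set, hashed sample plus C2 host/port pairs, is what you would push to network and EDR blocklists from this report.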
Network
MITRE ATT&CK Matrix
Downloads
- memory/3708-130-0x0000000001480000-0x00000000014E6000-memory.dmp (Filesize 408KB)
- memory/3708-137-0x0000000003DA0000-0x0000000003E06000-memory.dmp (Filesize 408KB)
- memory/4448-131-0x0000000000000000-mapping.dmp
- memory/4448-132-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/4448-138-0x0000000073BB0000-0x0000000074161000-memory.dmp (Filesize 5.7MB)
- memory/4448-139-0x0000000073BB0000-0x0000000074161000-memory.dmp (Filesize 5.7MB)