Analysis
- max time kernel: 97s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-09-2022 13:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: outstanding statement.exe
- Resource: win7-20220812-en
General
- Target: outstanding statement.exe
- Size: 747KB
- MD5: c83f7860b0c0f1ad76d8ca65c6bad689
- SHA1: 221ba6cf88de4c688583c69e8892ec9c3804a11e
- SHA256: 94bcc238e29903cc49036da98144dae0c7e10526669d6c50e3b87239f8e27262
- SHA512: b0d67dc5e4f1bfdefd3785c33088823fabf690107b58b9efa88c617fe2c1f679b651e7826187106b5f8f4e5b44d4b92ff7d3b9e247a908e1ddc6591fb00c8307
- SSDEEP: 12288:PHK2xwKKFbHecmpYAf6GZPVNzBKUcY4oqwlsLhARylQ:/KvHBu1iizgUcGqwlsL+E
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: dera5nano.ddns.net:1010, 107.182.129.248:1010
- Mutex: 5a26bcef-e67f-486a-8e48-1748cc7891a2
- activate_away_mode: true
- backup_connection_host: 107.182.129.248
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-06-06T12:07:01.612898436Z
- bypass_user_account_control: false
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1010
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5a26bcef-e67f-486a-8e48-1748cc7891a2
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: dera5nano.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: outstanding statement.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" (process: outstanding statement.exe)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: outstanding statement.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 2200 (outstanding statement.exe) set thread context of PID 3428 (outstanding statement.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - File created: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe (process: outstanding statement.exe)
  - File opened for modification: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe (process: outstanding statement.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - PID 4392 schtasks.exe
  - PID 4196 schtasks.exe
  - PID 3268 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - PID 3428 outstanding statement.exe (6 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - PID 3428 outstanding statement.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 3428 outstanding statement.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  - PID 2200 (outstanding statement.exe) wrote to memory of PID 4196 (schtasks.exe), 3 events
  - PID 2200 (outstanding statement.exe) wrote to memory of PID 3428 (outstanding statement.exe), 8 events
  - PID 3428 (outstanding statement.exe) wrote to memory of PID 3268 (schtasks.exe), 3 events
  - PID 3428 (outstanding statement.exe) wrote to memory of PID 4392 (schtasks.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\outstanding statement.exe (PID 2200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\outstanding statement.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OIdzpXTWJYUnz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp541B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\outstanding statement.exe (PID 3428)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp596B.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp541B.tmp
  Filesize: 1KB
  MD5: a8ec3c2418c2d3ebab121e83378d4fba
  SHA1: b39dcdbe1124a001bc7644715440bb0af991a7b5
  SHA256: a9f46d76b1e5a94ede3840224dc486679cfa88c564410b3967f7cd304df37333
  SHA512: c306ba34bff39fedfebf2ada33cea7fe53b128d71e34635352b58a20a29df69d2f6540d065929f3a088e79c0cb82e79bd66b5029746b1e989a7d5972fb86df68
- C:\Users\Admin\AppData\Local\Temp\tmp58FD.tmp
  Filesize: 1KB
  MD5: c5d2ba6a2aad8ee1b0d7bf205a163cef
  SHA1: d4cf13be2e945f96a95db32e60d3661cc0d00c47
  SHA256: 341917cad8660741290b81b12eb2aa21e05bd53f1e7411329d254c8b405fa937
  SHA512: 05f0aa3671a166a5e7b2be436131fbf07ddb6c4e6933e8763c13779e7c398aaeefd208ef9c48db50b34b62d1f88ab8f8e346a52f3dcf760b7751f5b88e37a949
- C:\Users\Admin\AppData\Local\Temp\tmp596B.tmp
  Filesize: 1KB
  MD5: 2f26d92c1eeead3896820e56ec46f6f1
  SHA1: d95533b61eed7d89e4ada56bc566d60e42ac1f61
  SHA256: 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
  SHA512: 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892
- memory/2200-135-0x0000000004C70000-0x0000000004D0C000-memory.dmp
  Filesize: 624KB
- memory/2200-136-0x0000000004BE0000-0x0000000004BEA000-memory.dmp
  Filesize: 40KB
- memory/2200-132-0x00000000000F0000-0x00000000001B0000-memory.dmp
  Filesize: 768KB
- memory/2200-134-0x0000000004B30000-0x0000000004BC2000-memory.dmp
  Filesize: 584KB
- memory/2200-133-0x00000000052E0000-0x0000000005884000-memory.dmp
  Filesize: 5.6MB
- memory/3268-141-0x0000000000000000-mapping.dmp
- memory/3428-139-0x0000000000000000-mapping.dmp
- memory/3428-140-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/3428-145-0x0000000006D30000-0x0000000006D96000-memory.dmp
  Filesize: 408KB
- memory/4196-137-0x0000000000000000-mapping.dmp
- memory/4392-143-0x0000000000000000-mapping.dmp