Analysis
max time kernel: 136s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-09-2022 05:33
Static task: static1
Behavioral task: behavioral1 (Sample: new order.exe, Resource: win7-20220812-en)
General
Target: new order.exe
Size: 929KB
MD5: 450aa1d2ac8e10a3b8363fe2945462bd
SHA1: 173275f693a10f8919c45dfb21f8035c7bc45fb6
SHA256: 316ff42588b6cf8c5a435efb67d44d08a2d860bab89612fc3e85ec6e9f4b4455
SHA512: c3f95286f4bd09c87dd41acb12c1279b0cf6a547fed73c7c073c21728503ae8fec4974bdec351b9049acbb3a42f497a9731496073a39ccc6f08234f6df20dc99
SSDEEP: 24576:q/hIikSs/wzknb6gT3wvFHANcvqpbInfDcvkCqvH:q/eNhYkbQvp8cNnbcsCqvH
Malware Config
Extracted
family: nanocore
version: 1.2.2.0
c2: 146.70.76.43:56281
mutex: 6a8dc68c-2ae6-4a66-b5dc-80cfa679c766

activate_away_mode: true
backup_connection_host: (empty)
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-03-18T21:54:26.619077736Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 56281
default_group: jop
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
mutex: 6a8dc68c-2ae6-4a66-b5dc-80cfa679c766
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 146.70.76.43
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 9
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
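The config above is rendered by the sandbox as alternating key and value lines with "-" separators, empty values collapsed onto the key line, and large integers printed as floats. The following is an added example, not part of the report, that parses that flattened form back into typed values and derives the indicators a detection engineer would act on (C2 socket, mutex, persistence and UAC flags). The CONFIG_TEXT below is a subset copied from the report; the parser and the IOC selection are this example's own.

```python
# Added example (not from the sandbox report): parse a flattened NanoCore
# config listing into typed values and derive IOCs from it.
import re

# Subset of the "Malware Config" lines above, copied verbatim from the report.
CONFIG_TEXT = """\
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
connection_port
56281
-
gc_threshold
1.048576e+07
-
max_packet_size
1.048576e+07
-
mutex
6a8dc68c-2ae6-4a66-b5dc-80cfa679c766
-
primary_connection_host
146.70.76.43
-
run_on_startup
true
-
set_critical_process
true
-
use_custom_dns_server
false
-
version
1.2.2.0
"""

_INT = re.compile(r"^-?\d+$")
_FLOAT = re.compile(r"^-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?$")


def coerce(value: str):
    """Turn the sandbox's string rendering back into a typed value.
    Dotted strings such as 8.8.4.4 or 1.2.2.0 are not numbers and stay str."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if _INT.match(value):
        return int(value)
    if _FLOAT.match(value):
        f = float(value)
        return int(f) if f.is_integer() else f   # 1.048576e+07 -> 10485760
    return value


def parse_flat_config(text: str) -> dict:
    """Entries are separated by '-' lines; a key rendered as '- key' that is
    followed directly by another '-' is a key whose value is empty."""
    cfg, current = {}, []

    def flush():
        if current:
            cfg[current[0]] = coerce(" ".join(current[1:]))
            current.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            flush()
        elif line.startswith("- "):
            flush()
            cfg[line[2:]] = ""
        elif line:
            current.append(line)
    flush()
    return cfg


def derive_iocs(cfg: dict) -> dict:
    """Pull out what an analyst would block, hunt on, or expect to see on host."""
    hosts = [h for h in (cfg.get("primary_connection_host"),
                         cfg.get("backup_connection_host")) if h]
    port = cfg["connection_port"]
    return {
        "c2_sockets": [f"{h}:{port}" for h in hosts],
        "mutex": cfg["mutex"],
        "persists_on_startup": cfg["run_on_startup"],
        "uac_bypass": cfg["bypass_user_account_control"],
        "critical_process": cfg["set_critical_process"],
        # the hard-coded 8.8.8.8 / 8.8.4.4 resolvers are only used when this is true
        "uses_custom_dns": cfg["use_custom_dns_server"],
        "max_packet_bytes": cfg["max_packet_size"],
    }


if __name__ == "__main__":
    for key, value in derive_iocs(parse_flat_config(CONFIG_TEXT)).items():
        print(f"{key}: {value}")
```

Note that with use_custom_dns_server false the two Google resolvers in the config are inert, so they are not network indicators for this sample; the C2 socket, the mutex GUID and the Run-key path from the Signatures section are.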
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: new order.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Luqkasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\Znxqmfqxv\\Luqkasd.exe\""
  process: new order.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 3752 set thread context of 2736
  pid: 3752 (new order.exe), target process: InstallUtil.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature; the extracted config identifies the sample as NanoCore, a RAT, so this behaviour on its own is not evidence of ransomware.)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid 4240 powershell.exe (2 IoCs)
  pid 2736 InstallUtil.exe (3 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 2736 InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 4240 powershell.exe
  Token: SeDebugPrivilege, pid 3752 new order.exe
  Token: SeDebugPrivilege, pid 2736 InstallUtil.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 3752 (new order.exe) wrote to memory of 4240 (powershell.exe): 3 IoCs
  PID 3752 (new order.exe) wrote to memory of 2736 (InstallUtil.exe): 8 IoCs
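Taken together, the WriteProcessMemory and SetThreadContext IoCs describe the classic hollowing sequence: the parent writes several regions into a freshly started, signed .NET host and then resets the host's thread context so it runs the written image. The following added example, not part of the report, correlates the per-process rows above into that finding and separately flags the Run-key entry pointing into the user profile. EVENTS, DEBUG_PRIV_PIDS and RUN_KEYS are transcribed from the Signatures section; the HOLLOW_HOSTS set, the scoring thresholds and the suspicious-directory list are this example's own assumptions.

```python
# Added example (not from the sandbox report): correlate per-process IoC rows
# into a process-hollowing finding plus a persistence finding.
from collections import defaultdict

# Transcribed from the report: (api, source pid, source image, target pid, target image)
EVENTS = (
    [("WriteProcessMemory", 3752, "new order.exe", 4240, "powershell.exe")] * 3
    + [("WriteProcessMemory", 3752, "new order.exe", 2736, "InstallUtil.exe")] * 8
    + [("SetThreadContext", 3752, "new order.exe", 2736, "InstallUtil.exe")]
)
# Transcribed from the report: processes that enabled SeDebugPrivilege
DEBUG_PRIV_PIDS = {4240, 3752, 2736}
# Transcribed from the "Adds Run key" IoC: (value name, executable it points at)
RUN_KEYS = [("Luqkasd", r"C:\Users\Admin\AppData\Roaming\Znxqmfqxv\Luqkasd.exe")]

# Assumption of this example: signed .NET/SDK binaries that loaders commonly
# start suspended and overwrite. InstallUtil.exe is the one seen here.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "aspnet_compiler.exe", "applaunch.exe"}


def hollowing_candidates(events, debug_priv_pids=frozenset()):
    """A (parent, child) pair is a candidate when the parent both wrote into
    the child and reset one of its threads' contexts. Writes alone, as with
    powershell.exe here, do not flag."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": None, "dst": None})
    for api, spid, simg, tpid, timg in events:
        rec = pairs[(spid, tpid)]
        rec["src"], rec["dst"] = simg, timg
        if api == "WriteProcessMemory":
            rec["writes"] += 1
        elif api == "SetThreadContext":
            rec["ctx"] += 1

    findings = []
    for (spid, tpid), rec in sorted(pairs.items()):
        if not (rec["writes"] and rec["ctx"]):
            continue
        score = 1
        if rec["dst"].lower() in HOLLOW_HOSTS:
            score += 1          # known hollowing host
        if rec["writes"] >= 4:
            score += 1          # headers plus several sections, not a single patch
        if spid in debug_priv_pids:
            score += 1          # parent raised SeDebugPrivilege first
        findings.append({
            "parent_pid": spid, "parent": rec["src"],
            "target_pid": tpid, "target": rec["dst"],
            "writes": rec["writes"], "thread_context_sets": rec["ctx"],
            "confidence": "high" if score >= 3 else "medium",
        })
    return findings


def run_key_findings(run_keys):
    """Flag Run-key values whose target lives in a user-writable profile path."""
    suspicious_dirs = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")
    return [(name, target) for name, target in run_keys
            if any(d in target.lower() for d in suspicious_dirs)]


if __name__ == "__main__":
    for finding in hollowing_candidates(EVENTS, DEBUG_PRIV_PIDS):
        print(finding)
    print(run_key_findings(RUN_KEYS))
```

On this report the only pair that scores is 3752 -> 2736 (new order.exe into InstallUtil.exe), which is also the process whose 0x400000 region appears in the dump list at the end of the page; that dump is where the unpacked NanoCore payload should be carved from.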
Processes

C:\Users\Admin\AppData\Local\Temp\new order.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of new order.exe)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==
    The -enc argument is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 60 (a 60-second delay). The command line names System32 but the image ran from SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2, child of new order.exe)
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Started with no arguments from the 32-bit Framework directory; this is the target of the SetThreadContext and WriteProcessMemory IoCs above.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
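The encoded PowerShell command in the tree is the kind of thing a triage script should decode automatically. The following added example, not part of the report, finds the -EncodedCommand argument (powershell.exe accepts any unambiguous prefix of the parameter name, including -enc and -ec), decodes it as UTF-16LE, and measures any sleep-based delay it contains. CMDLINE is copied from the process tree above; the prefix handling, the UTF-16LE sanity check and the delay regex are this example's own.

```python
# Added example (not from the sandbox report): decode a powershell.exe
# -EncodedCommand argument and recognise a sleep-based delay in it.
import base64
import re

# Copied from the process tree above.
CMDLINE = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
           '-enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANgAwAA==')

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec.
_PREFIXES = ["ec"] + ["encodedcommand"[:n] for n in range(1, 15)]
_ENC_ARG = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) +
    r")\s+[\"']?([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Start-Sleep / sleep with an optional -Seconds/-Milliseconds style switch
# (any prefix starting with s or m, a simplification of PowerShell's rules).
_SLEEP = re.compile(r"\b(?:Start-Sleep|sleep)\s+(?:-(s\w*|m\w*)\s+)?(\d+(?:\.\d+)?)",
                    re.IGNORECASE)


def encode_command(script: str) -> str:
    """What the loader did: UTF-16LE text, base64-encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> dict:
    m = _ENC_ARG.search(cmdline)
    if not m:
        return {"found": False}
    raw = base64.b64decode(m.group(1))
    # UTF-16LE text has a zero high byte for every Latin character; if the odd
    # bytes are not mostly zero the blob was not produced for -enc.
    odd_zero = sum(1 for b in raw[1::2] if b == 0)
    if len(raw) % 2 or odd_zero < len(raw) // 4:
        return {"found": True, "script": None, "error": "not UTF-16LE"}
    script = raw.decode("utf-16-le").rstrip("\x00")
    result = {"found": True, "script": script, "delay_seconds": 0.0}
    for unit, amount in _SLEEP.findall(script):
        unit = (unit or "s").lower()
        result["delay_seconds"] += float(amount) / (1000 if unit.startswith("m") else 1)
    return result


if __name__ == "__main__":
    print(decode_encoded_command(CMDLINE))
```

A decoded script that does nothing but sleep is a detonation-delay and a sign the loader expects a sandbox to time out; the 60-second value here sits comfortably inside the 136-second kernel budget shown at the top of the report, which is why the hollowing still happened during the run.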
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

PID 2736 (InstallUtil.exe)
memory/2736-142-0x0000000000000000-mapping.dmp
memory/2736-143-0x0000000000400000-0x0000000000456000-memory.dmp  Filesize 344KB
memory/2736-144-0x0000000005A90000-0x0000000006034000-memory.dmp  Filesize 5.6MB
memory/2736-145-0x00000000054E0000-0x0000000005572000-memory.dmp  Filesize 584KB
memory/2736-146-0x0000000005580000-0x000000000561C000-memory.dmp  Filesize 624KB
memory/2736-147-0x0000000005480000-0x000000000548A000-memory.dmp  Filesize 40KB

PID 3752 (new order.exe)
memory/3752-132-0x0000000000360000-0x000000000044C000-memory.dmp  Filesize 944KB
memory/3752-133-0x0000000005100000-0x0000000005122000-memory.dmp  Filesize 136KB

PID 4240 (powershell.exe)
memory/4240-134-0x0000000000000000-mapping.dmp
memory/4240-135-0x0000000004A00000-0x0000000004A36000-memory.dmp  Filesize 216KB
memory/4240-136-0x00000000051F0000-0x0000000005818000-memory.dmp  Filesize 6.2MB
memory/4240-137-0x0000000005160000-0x00000000051C6000-memory.dmp  Filesize 408KB
memory/4240-138-0x00000000059D0000-0x0000000005A36000-memory.dmp  Filesize 408KB
memory/4240-139-0x0000000005FE0000-0x0000000005FFE000-memory.dmp  Filesize 120KB
memory/4240-140-0x0000000007630000-0x0000000007CAA000-memory.dmp  Filesize 6.5MB
memory/4240-141-0x00000000064F0000-0x000000000650A000-memory.dmp  Filesize 104KB
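Each dump name encodes the PID, a sequence number and the virtual address range it was taken from, so the listed size can be checked against the range and the interesting region in the hollowed child can be picked out without opening every file. The following added example, not part of the report, does that over the listing above: DUMP_LISTING is copied from the report, while the size-rendering rule and the 0x400000 heuristic (the legacy default image base of 32-bit executables, which a written-in payload keeps when it is not relocated) are this example's own assumptions.

```python
# Added example (not from the sandbox report): parse the memory-dump listing,
# verify listed sizes against address ranges, and select the region to carve.
import re

# Copied from the Downloads section above (range dumps carry their listed size).
DUMP_LISTING = """\
memory/2736-142-0x0000000000000000-mapping.dmp
memory/2736-147-0x0000000005480000-0x000000000548A000-memory.dmp 40KB
memory/2736-146-0x0000000005580000-0x000000000561C000-memory.dmp 624KB
memory/2736-145-0x00000000054E0000-0x0000000005572000-memory.dmp 584KB
memory/2736-144-0x0000000005A90000-0x0000000006034000-memory.dmp 5.6MB
memory/2736-143-0x0000000000400000-0x0000000000456000-memory.dmp 344KB
memory/3752-133-0x0000000005100000-0x0000000005122000-memory.dmp 136KB
memory/3752-132-0x0000000000360000-0x000000000044C000-memory.dmp 944KB
memory/4240-136-0x00000000051F0000-0x0000000005818000-memory.dmp 6.2MB
memory/4240-141-0x00000000064F0000-0x000000000650A000-memory.dmp 104KB
memory/4240-140-0x0000000007630000-0x0000000007CAA000-memory.dmp 6.5MB
memory/4240-139-0x0000000005FE0000-0x0000000005FFE000-memory.dmp 120KB
memory/4240-138-0x00000000059D0000-0x0000000005A36000-memory.dmp 408KB
memory/4240-137-0x0000000005160000-0x00000000051C6000-memory.dmp 408KB
memory/4240-135-0x0000000004A00000-0x0000000004A36000-memory.dmp 216KB
memory/4240-134-0x0000000000000000-mapping.dmp
"""

_LINE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp(?:\s+(?P<size>\S+))?")


def human_size(n: int) -> str:
    """Match the report's rendering: whole KB below 1 MiB, one-decimal MB above
    (assumed from the listed values)."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def parse_dumps(text: str) -> list:
    dumps = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None
        dumps.append({
            "pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "kind": "region" if end is not None else "mapping",
            "bytes": (end - start) if end is not None else 0,
            "listed": m["size"],
        })
    return dumps


def size_mismatches(dumps: list) -> list:
    """Regions whose listed size does not equal end - start (expected: none)."""
    return [d for d in dumps
            if d["kind"] == "region" and human_size(d["bytes"]) != d["listed"]]


def injected_image_candidates(dumps: list, pid: int, base: int = 0x400000) -> list:
    """Regions in `pid` that start at the legacy default image base. Confirm a
    hit by checking for an MZ/PE header at offset 0 of the dump file."""
    return [d for d in dumps
            if d["pid"] == pid and d["kind"] == "region" and d["start"] == base]


if __name__ == "__main__":
    dumps = parse_dumps(DUMP_LISTING)
    print("size mismatches:", size_mismatches(dumps))
    print("carve from:", injected_image_candidates(dumps, 2736))
```

For this report the only candidate is memory/2736-143-0x0000000000400000-0x0000000000456000-memory.dmp (0x56000 bytes, listed as 344KB), the dump of InstallUtil.exe taken after the parent's SetThreadContext call.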