Analysis
- max time kernel: 154s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2022 09:52

Static task: static1
Behavioral task: behavioral1
- Sample: NEWORDER736648833.scr.exe
- Resource: win7-20220901-en
General
- Target: NEWORDER736648833.scr.exe
- Size: 1.2MB
- MD5: 35e0c0fe9fbec6f870542d34703544a3
- SHA1: c11b28d1a26745b9eb19f84619d1362c64d05df8
- SHA256: b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9
- SHA512: e52163770da3030b034f700b7d46f4f2a7ba5db9b5b06244598b0d843fcc3ca9184a9cf134f2d4e711c74f037401cf8a5b4e90703cf705ca60ddbf86e9f70863
- SSDEEP: 24576:0AOcZ2i7H0AknChev6tUM2y0waKKV8gyUcztVqEubl83o9ZkbgH:iG0Pnx5yvqV8gJWfqEUU2ZkE
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: mrjeffy.duckdns.org:43147
- Mutex: 762143b0-4a71-4961-bdc0-dc92d1e3db2b

Configuration keys:
- activate_away_mode: true
- backup_connection_host: mrjeffy.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-07-15T08:44:26.326041736Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 43147
- default_group: MY TIME HAS COME
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 762143b0-4a71-4961-bdc0-dc92d1e3db2b
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: mrjeffy.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 4720 avbndwivx.exe
- 3476 RegSvcs.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: NEWORDER736648833.scr.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: WScript.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: avbndwivx.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GOOGLECHROME = "0\\6_93\\avbndwivx.exe 0\\6_93\\muhveetsa.mba" (process: avbndwivx.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "0\\6_93\\Update.vbs" (process: avbndwivx.exe)

Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: avbndwivx.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: RegSvcs.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
- PID 4720 set thread context of 3476 (avbndwivx.exe -> RegSvcs.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (2 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (process: NEWORDER736648833.scr.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: WScript.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 3476 RegSvcs.exe (4 entries)
- 4720 avbndwivx.exe (repeated; 64 entries in total)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 3476 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3476 RegSvcs.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process):
- PID 4984 wrote to memory of 4360 (NEWORDER736648833.scr.exe -> WScript.exe), 3 entries
- PID 4360 wrote to memory of 4720 (WScript.exe -> avbndwivx.exe), 3 entries
- PID 4720 wrote to memory of 3476 (avbndwivx.exe -> RegSvcs.exe), 5 entries
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\NEWORDER736648833.scr.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEWORDER736648833.scr.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_93\bqxwed.vbe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe" muhveetsa.mba
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
- Filesize: 999KB
- MD5: 1dbba7abb9198c4247cbfb258fe5233d
- SHA1: cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be
- SHA256: 6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88
- SHA512: 503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

C:\Users\Admin\AppData\Local\Temp\6_93\kvfqovb.qlg
- Filesize: 405KB
- MD5: b1f6ffe2cfd1a5f5d074cc7daeb4977c
- SHA1: e437b81e6dae9091fee8e441a171a9bdcfc9155f
- SHA256: a9290d9bc4b74469df41a4721cda0c03b51f492fbd4d58e8e2e29d208c8af849
- SHA512: 10f35fddf12cdb140c6a86d2aa4a8ac09064a05088c1bc0510c7d960d70fb4c409a81da50cd05b30e5702262eec85aba116d60b651e0824b3e4563434bd22fc2

C:\Users\Admin\AppData\Local\Temp\6_93\monagbatm.bmp
- Filesize: 60KB
- MD5: 05e06967ce6f8f18c257e89dad1d9ccf
- SHA1: c3294181a626cd6f854d3a39f997976e63410aff
- SHA256: 3917ced15bbde2fda1f313285a878900718e61624b9bd09304243c6f647b4ae6
- SHA512: 07cbc2da758b9e38062a10792835212826ede71a3185d3b41b41ca6ac6622b710bd6464daa124332e6b7e0be5520ac92c9769469847fa53a29a0b093b6a711ed

C:\Users\Admin\AppData\Local\Temp\6_93\muhveetsa.mba
- Filesize: 153.9MB
- MD5: f2785eec51e8dabfd92f0499e819ff06
- SHA1: 3cd670814b88fb1eb175e195f3cc0797dee09e5d
- SHA256: e8c63a6ef9f95c810f0c0af05e15a7a0f0405ed00172ea761297bd340b67f8f0
- SHA512: 4f9d119ac3d55e1ab0b5bb377ac87e9bcac65204004183af2972cf350c40c66796d75c1fe26ea8b7ab2f535f4e9c99c23ed95928dd6ed6dced3446ab8e5fd542

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
- Filesize: 44KB
- MD5: 9d352bc46709f0cb5ec974633a0c3c94
- SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
- SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
- SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\temp\6_93\bqxwed.vbe
- Filesize: 32KB
- MD5: c5cf50f07a23884e342b75707653b90d
- SHA1: 511141c70c3cce8ffa0299a9de39ecc081ec5ce2
- SHA256: 5005fb971703554085a1ca21509adc432d3b28d4abf075061a6126fd049b57a9
- SHA512: df444357933e5e6427d242dd046aca63482a412d296bf8ed8652dfff29d7f554805c56733daab9a6256bdcf90c0d4bf1b57f568ed388301374ea338d4aa6dfc7

Memory dumps:
- memory/3476-140-0x0000000000500000-0x0000000000B8B000-memory.dmp (Filesize: 6.5MB)
- memory/3476-141-0x000000000051E792-mapping.dmp
- memory/3476-144-0x0000000000500000-0x0000000000538000-memory.dmp (Filesize: 224KB)
- memory/3476-145-0x00000000057B0000-0x0000000005D54000-memory.dmp (Filesize: 5.6MB)
- memory/3476-146-0x00000000052A0000-0x0000000005332000-memory.dmp (Filesize: 584KB)
- memory/3476-147-0x00000000053E0000-0x000000000547C000-memory.dmp (Filesize: 624KB)
- memory/3476-148-0x0000000005350000-0x000000000535A000-memory.dmp (Filesize: 40KB)
- memory/3476-149-0x0000000000F80000-0x0000000000FE6000-memory.dmp (Filesize: 408KB)
- memory/4360-132-0x0000000000000000-mapping.dmp
- memory/4720-135-0x0000000000000000-mapping.dmp