Analysis
- max time kernel: 48s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 20-10-2022 10:42
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PO Order.pdf.exe
  - Resource: win7-20220901-en
General
- Target: PO Order.pdf.exe
- Size: 344KB
- MD5: 532dacf2cd445b16dc5d134c3b3b9a44
- SHA1: f28b6e11ef47c15ee939beda3772f1d35357fbf0
- SHA256: 12c5688e077824b181e38335ed2d314c7775c5b31012092e717ba7ba952d36c9
- SHA512: d034c19d5122bed3c55be40233f67e19cfd8eb74af3e0e9e8dc44967d03c7eb311dec5275c621328eae813d0df181e0c6cfbd6291e852451681ff35d19f9c398
- SSDEEP: 6144:mbE/HUbBoBFqB8Bm2NHm9SjEtw2G3PMnS3noAwXZaMey1fPWm2pWW7n4CqbRk:mb/BGqBMtg9SEw13PMandwXUyNPF6lnf
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: chibuikelight.ddns.net:1122
- Mutex: d2cbe170-91e2-41f9-913f-0880782b9838

Attributes
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-07-30T23:43:32.343213436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1122
- default_group: love
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: d2cbe170-91e2-41f9-913f-0880782b9838
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: chibuikelight.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 616   xpgyulgf.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    PID 1460  PO Order.pdf.exe
    PID 616   xpgyulgf.exe
    PID 1728  xpgyulgf.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\vjcvkqh = "C:\\Users\\Admin\\AppData\\Roaming\\ktwysttooghyi\\lrfflxe.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xpgyulgf.exe\""
    process: xpgyulgf.exe
- Checks whether UAC is enabled (1 IoC)
  Processes:
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: xpgyulgf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 616 set thread context of 1728   xpgyulgf.exe -> xpgyulgf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 1728  xpgyulgf.exe
    PID 1728  xpgyulgf.exe
    PID 1728  xpgyulgf.exe
    PID 1728  xpgyulgf.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 1728  xpgyulgf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege   PID 1728  xpgyulgf.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1460 wrote to memory of 616   PO Order.pdf.exe -> xpgyulgf.exe
    PID 1460 wrote to memory of 616   PO Order.pdf.exe -> xpgyulgf.exe
    PID 1460 wrote to memory of 616   PO Order.pdf.exe -> xpgyulgf.exe
    PID 1460 wrote to memory of 616   PO Order.pdf.exe -> xpgyulgf.exe
    PID 616 wrote to memory of 1728   xpgyulgf.exe -> xpgyulgf.exe
    PID 616 wrote to memory of 1728   xpgyulgf.exe -> xpgyulgf.exe
    PID 616 wrote to memory of 1728   xpgyulgf.exe -> xpgyulgf.exe
    PID 616 wrote to memory of 1728   xpgyulgf.exe -> xpgyulgf.exe
    PID 616 wrote to memory of 1728   xpgyulgf.exe -> xpgyulgf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO Order.pdf.exe (PID 1460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO Order.pdf.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe (PID 616)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe (PID 1728)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe"
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 280KB
  MD5: 25881806c8508afe30a354ae2af5347d
  SHA1: c65b407a2f9f69f702fc84bdb6c9a189d87e0be0
  SHA256: b19d1fc37a65f161444764173bd45910b763cf6117d11ac6d3d64a00f70ec483
  SHA512: dc3beb98e22eed576e47234893dd7ffb531e89dc592acee6692d8b2d91f5595eb926cd717557662b0e7e9ae69d46ba8f83a7b346fdbe3013b3e072eaf907d978
- Filesize: 6KB
  MD5: eb9955586c083c89861d9627120297c6
  SHA1: 3eb394c03d21cd4ceb39e8061b93e2e491638a6c
  SHA256: c2510cd245277bf98ff10288901443c3fbabdee2020d45d8b16c03caf80adb1d
  SHA512: 743317a894582591f8f59e371be8bec5569c67e9c65d036c92f5fa3d5b0d0105d46b20d182db2feff43e8aa3bb12fe50c254de44e942c9163838fe93a0c8bb60
- Filesize: 58KB
  MD5: e1d08d3966e34ae8e9016603229c311d
  SHA1: 34308e175e2b4e98a2e03764de19b3fba136ef9c
  SHA256: 50d6641bcea26c34b6f8dfbe3780518de13c9f10dfd776224774a9f6b1f92d59
  SHA512: 441fa5821b11eedd2abba19c65ed1ec14ddbdc81599dec8ffc6ab1100655329326373cc99784fe740bb477cc5d9f4c468216b6cb710993391db4d54a59f5d35f