Analysis
- max time kernel: 178s
- max time network: 209s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 22:06

Static task: static1
Behavioral task: behavioral1
Sample: order 201233.exe
Resource: win7-20221111-en
General
- Target: order 201233.exe
- Size: 247KB
- MD5: 11631f12ae7944e8d4441bfce27616c7
- SHA1: 76c25fc619e8b493fef04c6bc8eaa51e7e2d18be
- SHA256: d5cf0f84fb06a4d4295186edda23d54c7bbc694770c916875c7b5f4a1b9472ad
- SHA512: 43c86d25b6a293442f49cdbb3d681700e6633aa1daf6f77c5196e47f43b2f3e3687a1c4955885cbf0816ed7fb6b021585917d4875a31e5023b7a22fea97ffb69
- SSDEEP: 6144:no/hzvKTHlLCnyCOMFGaISfxFaLklWgq1AWZQjkAqZ:nVTFAyCFIuFaOWHFgkRZ
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.0.0
- C2 host:port: new555.ddns.net:9033
- Mutex: 8c6886dd-00a9-4e78-8687-7d54c16b36b3

Configuration keys:
- activate_away_mode: true
- backup_connection_host: new555.ddns.net
- backup_dns_server:
- buffer_size: 65535
- build_time: 2014-08-19T18:58:32.196379736Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 9033
- default_group: german
- enable_debug_mode: true
- gc_threshold: 1.0448576e+08
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0448576e+08
- mutex: 8c6886dd-00a9-4e78-8687-7d54c16b36b3
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: new555.ddns.net
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.0.0
- wan_timeout: 8000
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\nSZU8duT\\od92plM.exe,explorer.exe" (reg.exe)

- Executes dropped EXE (1 IoCs)
  Process: PID 1264 order 201233.exe

- Loads dropped DLL (2 IoCs)
  Process: PID 1552 order 201233.exe (2 events)

- Adds Run key to start application (2 TTPs, 1 IoCs)
  Process: order 201233.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe" (order 201233.exe)

- Checks whether UAC is enabled
  Process: order 201233.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (order 201233.exe)

- Suspicious use of SetThreadContext (1 IoCs)
  PID 1552 (order 201233.exe) set thread context of PID 1264 (order 201233.exe)

- Drops file in Program Files directory (2 IoCs)
  Process: order 201233.exe
  File created: C:\Program Files (x86)\PCI Subsystem\pciss.exe (order 201233.exe)
  File opened for modification: C:\Program Files (x86)\PCI Subsystem\pciss.exe (order 201233.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PID 1552 order 201233.exe (1 event); PID 1264 order 201233.exe (4 events)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: PID 1264 order 201233.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1552 order 201233.exe
  Token: SeDebugPrivilege, PID 1264 order 201233.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1552 (order 201233.exe) wrote to memory of PID 1680 (cmd.exe): 4 events
  PID 1680 (cmd.exe) wrote to memory of PID 1528 (reg.exe): 4 events
  PID 1552 (order 201233.exe) wrote to memory of PID 1264 (order 201233.exe): 9 events
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\order 201233.exe (PID 1552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\order 201233.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\cmd.exe (PID 1680)
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nSZU8duT\od92plM.exe,explorer.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\reg.exe (PID 1528)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nSZU8duT\od92plM.exe,explorer.exe"
      Signatures:
      - Modifies WinLogon for persistence

  - [2] C:\Users\Admin\AppData\Local\Temp\order 201233.exe (PID 1264)
    Command line: "C:\Users\Admin\AppData\Local\Temp\order 201233.exe"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
Downloads

- C:\Users\Admin\AppData\Local\Temp\order 201233.exe
  Filesize: 247KB
  MD5: 11631f12ae7944e8d4441bfce27616c7
  SHA1: 76c25fc619e8b493fef04c6bc8eaa51e7e2d18be
  SHA256: d5cf0f84fb06a4d4295186edda23d54c7bbc694770c916875c7b5f4a1b9472ad
  SHA512: 43c86d25b6a293442f49cdbb3d681700e6633aa1daf6f77c5196e47f43b2f3e3687a1c4955885cbf0816ed7fb6b021585917d4875a31e5023b7a22fea97ffb69

- \Users\Admin\AppData\Local\Temp\order 201233.exe
  Filesize: 247KB
  MD5: 11631f12ae7944e8d4441bfce27616c7
  SHA1: 76c25fc619e8b493fef04c6bc8eaa51e7e2d18be
  SHA256: d5cf0f84fb06a4d4295186edda23d54c7bbc694770c916875c7b5f4a1b9472ad
  SHA512: 43c86d25b6a293442f49cdbb3d681700e6633aa1daf6f77c5196e47f43b2f3e3687a1c4955885cbf0816ed7fb6b021585917d4875a31e5023b7a22fea97ffb69

- \Users\Admin\AppData\Roaming\nSZU8duT\od92plM.exe (same hashes as the submitted sample)
  Filesize: 247KB
  MD5: 11631f12ae7944e8d4441bfce27616c7
  SHA1: 76c25fc619e8b493fef04c6bc8eaa51e7e2d18be
  SHA256: d5cf0f84fb06a4d4295186edda23d54c7bbc694770c916875c7b5f4a1b9472ad
  SHA512: 43c86d25b6a293442f49cdbb3d681700e6633aa1daf6f77c5196e47f43b2f3e3687a1c4955885cbf0816ed7fb6b021585917d4875a31e5023b7a22fea97ffb69
- memory/1264-68-0x000000000041D8D6-mapping.dmp
- memory/1264-64-0x0000000000400000-0x0000000000436000-memory.dmp: 216KB
- memory/1264-77-0x0000000073EB0000-0x000000007445B000-memory.dmp: 5.7MB
- memory/1264-76-0x0000000073EB0000-0x000000007445B000-memory.dmp: 5.7MB
- memory/1264-61-0x0000000000400000-0x0000000000436000-memory.dmp: 216KB
- memory/1264-62-0x0000000000400000-0x0000000000436000-memory.dmp: 216KB
- memory/1264-65-0x0000000000400000-0x0000000000436000-memory.dmp: 216KB
- memory/1264-73-0x0000000000400000-0x0000000000436000-memory.dmp: 216KB
- memory/1264-67-0x0000000000400000-0x0000000000436000-memory.dmp: 216KB
- memory/1264-71-0x0000000000400000-0x0000000000436000-memory.dmp: 216KB
- memory/1528-59-0x0000000000000000-mapping.dmp
- memory/1552-55-0x0000000073EB0000-0x000000007445B000-memory.dmp: 5.7MB
- memory/1552-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp: 8KB
- memory/1552-75-0x0000000073EB0000-0x000000007445B000-memory.dmp: 5.7MB
- memory/1552-56-0x0000000073EB0000-0x000000007445B000-memory.dmp: 5.7MB
- memory/1680-58-0x0000000000000000-mapping.dmp