Analysis
max time kernel: 168s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 22:06
Static task: static1
Behavioral task: behavioral1
Sample: order 201233.exe
Resource: win7-20221111-en
General
Target: order 201233.exe
Size: 247KB
MD5: 11631f12ae7944e8d4441bfce27616c7
SHA1: 76c25fc619e8b493fef04c6bc8eaa51e7e2d18be
SHA256: d5cf0f84fb06a4d4295186edda23d54c7bbc694770c916875c7b5f4a1b9472ad
SHA512: 43c86d25b6a293442f49cdbb3d681700e6633aa1daf6f77c5196e47f43b2f3e3687a1c4955885cbf0816ed7fb6b021585917d4875a31e5023b7a22fea97ffb69
SSDEEP: 6144:no/hzvKTHlLCnyCOMFGaISfxFaLklWgq1AWZQjkAqZ:nVTFAyCFIuFaOWHFgkRZ
Malware Config
Extracted
Family: nanocore
Version: 1.2.0.0
C2: new555.ddns.net:9033
Mutex: 8c6886dd-00a9-4e78-8687-7d54c16b36b3
Attributes:
activate_away_mode: true
backup_connection_host: new555.ddns.net
backup_dns_server: (empty)
buffer_size: 65535
build_time: 2014-08-19T18:58:32.196379736Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 9033
default_group: german
enable_debug_mode: true
gc_threshold: 1.0448576e+08
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.0448576e+08
mutex: 8c6886dd-00a9-4e78-8687-7d54c16b36b3
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: new555.ddns.net
primary_dns_server: (empty)
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.0.0
wan_timeout: 8000
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\nSZU8duT\\od92plM.exe,explorer.exe"
- Executes dropped EXE (1 IoC)
  Process: PID 4908 order 201233.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process order 201233.exe: Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process order 201233.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe"
- Checks whether UAC is enabled (1 IoC)
  Process order 201233.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  PID 1636 (order 201233.exe) set thread context of PID 4908 (order 201233.exe)
- Drops file in Program Files directory (2 IoCs)
  Process order 201233.exe: File created C:\Program Files (x86)\PCI Manager\pcimgr.exe
  Process order 201233.exe: File opened for modification C:\Program Files (x86)\PCI Manager\pcimgr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID 1636 order 201233.exe (2 rows); PID 4908 order 201233.exe (6 rows)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: PID 4908 order 201233.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1636 order 201233.exe
  Token: SeDebugPrivilege, PID 4908 order 201233.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1636 (order 201233.exe) wrote to memory of PID 948 (cmd.exe) (3 rows)
  PID 948 (cmd.exe) wrote to memory of PID 4644 (reg.exe) (3 rows)
  PID 1636 (order 201233.exe) wrote to memory of PID 4908 (order 201233.exe) (8 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\order 201233.exe (PID 1636)
  Command line: "C:\Users\Admin\AppData\Local\Temp\order 201233.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 948)
    Command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nSZU8duT\od92plM.exe,explorer.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 4644)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nSZU8duT\od92plM.exe,explorer.exe"
      - Modifies WinLogon for persistence
  - C:\Users\Admin\AppData\Local\Temp\order 201233.exe (PID 4908)
    Command line: "C:\Users\Admin\AppData\Local\Temp\order 201233.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\order 201233.exe (247KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- memory/948-134-0x0000000000000000-mapping.dmp
- memory/1636-132-0x0000000075120000-0x00000000756D1000-memory.dmp (5.7MB)
- memory/1636-133-0x0000000075120000-0x00000000756D1000-memory.dmp (5.7MB)
- memory/1636-139-0x0000000075120000-0x00000000756D1000-memory.dmp (5.7MB)
- memory/4644-135-0x0000000000000000-mapping.dmp
- memory/4908-136-0x0000000000000000-mapping.dmp
- memory/4908-137-0x0000000000400000-0x0000000000436000-memory.dmp (216KB)
- memory/4908-140-0x0000000075120000-0x00000000756D1000-memory.dmp (5.7MB)
- memory/4908-141-0x0000000075120000-0x00000000756D1000-memory.dmp (5.7MB)