Analysis
-
max time kernel
70s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
01-04-2023 11:26
Static task
static1
Behavioral task
behavioral1
Sample
Doc40323031190.exe
Resource
win7-20230220-en
General
-
Target
Doc40323031190.exe
-
Size
627KB
-
MD5
58137f8f0a140e5cb05326723364d2d2
-
SHA1
dba225f7f06c06408566fa1f8084ec20ad16e210
-
SHA256
2b56563eb45d2817c958bc4e9ab607385d5e1eebdbfb7b84d9cceff5b5f77a0d
-
SHA512
09e719769ed1188791bb39363eca8da870dc2b7fe864af7f3854809f3e5fa506bd3b91582b3e8c690bfbfd3d4121ec2c7bea9263be7c71a2ce2ccafdbca40222
-
SSDEEP
6144:kA66yvqwVOBZYcg+Vn0W2Yi0WY/S+aI4bb7GNR60/7ZFiYhztHFKcjvXBbFNcKjl:kqyywVcZY75W2Yi06jbfcb/tZ1vx0ed
Malware Config
Extracted
Family nanocore
Version 1.2.2.0
C2 nanjuly.duckdns.org:2025
Mutex a37c0b29-615a-4111-a03b-4213f55dda53
-
activate_away_mode
true
-
backup_connection_host
nanjuly.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-01-11T08:03:54.326544136Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
(value omitted)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2025
-
default_group
AE
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
a37c0b29-615a-4111-a03b-4213f55dda53
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nanjuly.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks whether UAC is enabled 1 IoCs
Processes:
Doc40323031190.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Doc40323031190.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Doc40323031190.exe
description | pid | process | target process
PID 1188 set thread context of 1680 | 1188 | Doc40323031190.exe | Doc40323031190.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but on its own it is a weak indicator: the extracted configuration identifies this sample as NanoCore, a remote access tool, not ransomware.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here both the original process and its injected child register a task from an XML definition written to the user's Temp directory (see the process tree and the Downloads section below).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
Doc40323031190.exe, Doc40323031190.exe
pid | process
1188 | Doc40323031190.exe
1680 | Doc40323031190.exe
1680 | Doc40323031190.exe
1680 | Doc40323031190.exe
1680 | Doc40323031190.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Doc40323031190.exe
pid | process
1680 | Doc40323031190.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Doc40323031190.exe, Doc40323031190.exe
description | pid | process
Token: SeDebugPrivilege | 1188 | Doc40323031190.exe
Token: SeDebugPrivilege | 1680 | Doc40323031190.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Doc40323031190.exe, Doc40323031190.exe
description | pid | process | target process
PID 1188 wrote to memory of 268 | 1188 | Doc40323031190.exe | schtasks.exe (4 entries)
PID 1188 wrote to memory of 1680 | 1188 | Doc40323031190.exe | Doc40323031190.exe (9 entries)
PID 1680 wrote to memory of 1600 | 1680 | Doc40323031190.exe | schtasks.exe (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe  (PID 1188, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe  (PID 268, level 2, child of 1188)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VhKotlyA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED0E.tmp"
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe  (PID 1680, level 2, child of 1188)
    command line: "{path}" (the sandbox's placeholder for a command line equal to the image path)
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe  (PID 1600, level 3, child of 1680)
      command line: "schtasks.exe" /create /f /tn "ISS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp"
      - Creates scheduled task(s)
PIDs and parent/child links are taken from the WriteProcessMemory and SetThreadContext tables above. Both task definitions come from .tmp XML files in the user's Temp directory (hashes under Downloads). The first schtasks command line names System32 but the image runs from SysWOW64: the caller is 32-bit (resource tag arch:x86), so file-system redirection maps its System32 reference to the WoW64 copy.
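The two behaviours in this tree that a detection would key on are schtasks.exe registering a task from an XML file in a user-writable Temp directory, and a binary in Temp spawning a fresh copy of itself (the 1188 -> 1680 pair that the WriteProcessMemory and SetThreadContext tables show). The following is an added example, not part of the sandbox report or of the sample: it replays process-creation events rebuilt from the tree above through two small rules. Image paths, command lines and PIDs are the report's; the parent PID of the first process (1000), the expansion of "{path}" to the image path, and the benign control event (PID 2400) are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon event ID 1 or EDR record carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Path fragments a standard user can write to; a binary running from here deserves scrutiny.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")

# Events rebuilt from the process tree in the report. Image paths, command lines and PIDs are
# the report's; ppid 1000 for the first process and the expansion of "{path}" are assumptions.
# Event 2400 is a constructed benign control (a task defined from a non-user-writable path).
EVENTS = [
    ProcEvent(1188, 1000, r"C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe"'),
    ProcEvent(268, 1188, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VhKotlyA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED0E.tmp"'),
    ProcEvent(1680, 1188, r"C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe"'),
    ProcEvent(1600, 1680, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "ISS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp"'),
    ProcEvent(2400, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /XML "C:\Windows\Temp\defrag.xml"'),
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted arguments whole (quotes stripped)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def flag_value(tokens, flag):
    """Value following a schtasks-style flag (case-insensitive), or None if absent."""
    lowered = [t.lower() for t in tokens]
    if flag.lower() in lowered:
        i = lowered.index(flag.lower())
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def in_user_writable(path):
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) findings for the behaviours the report's process tree shows."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if basename(e.image) == "schtasks.exe":
            toks = tokenize(e.cmdline)
            if "/create" in {t.lower() for t in toks}:
                xml, task = flag_value(toks, "/xml"), flag_value(toks, "/tn")
                if xml and in_user_writable(xml):
                    findings.append((e.pid, "schtasks_xml_from_user_temp", f"task {task!r} defined by {xml}"))
                if parent and in_user_writable(parent.image):
                    findings.append((e.pid, "schtasks_from_user_writable_parent", parent.image))
        # A binary in a user-writable directory launching a second copy of itself is how the
        # 1188 -> 1680 write-then-SetThreadContext pair looks at the process-event level.
        if parent and parent.image.lower() == e.image.lower() and in_user_writable(e.image):
            findings.append((e.pid, "self_spawn_from_user_writable", f"parent pid {parent.pid}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(pid, rule, detail)
```

The control event (PID 2400) produces nothing because its XML path is outside the user-writable fragments and its parent is not in the event set; in production the parent lookup would come from the event stream rather than an in-memory list, and the user-writable list should be tuned to the estate.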
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpED0E.tmp
Filesize 1KB
MD5 1865b2f1171c691adc3cf3038754c218
SHA1 4debfcb6297db43456742014e94ed9a6f50a13ea
SHA256 b02cd7fab41863c7b1b9738949359b9747a06e409dfd540c175e71a9e3779153
SHA512 b1759e7ccab2e13b97f0c6bedae776086d701588b4b40c2fab814c72273eed06fbef0e74d152ce0bbc87eb01ee388a7239cf3e28f3a8d11cbcf29bee21b4e717
-
C:\Users\Admin\AppData\Local\Temp\tmpF3B2.tmp
Filesize 1KB
MD5 bf48273a4dc728d205b52627e164b35a
SHA1 8f450b7f3b0b3361d1dfe73ab0ea8ab11521c407
SHA256 4c7d54d5f18efc9fc022a717ee162c558e8bfde9da12cd793b9389820c46883c
SHA512 971dcf841de20f1e693ab5b4d3804402ad2db4bfad94d67a9a7a711e855499bf2f26e222187f0beb451a3538db78d896c4b9ec7effd6b37c95997d72a46f8547
-
memory dump | Filesize
memory/1188-54-0x0000000000A80000-0x0000000000B22000-memory.dmp | 648KB
memory/1188-55-0x00000000048D0000-0x0000000004910000-memory.dmp | 256KB
memory/1188-56-0x00000000001D0000-0x00000000001DC000-memory.dmp | 48KB
memory/1188-57-0x00000000048D0000-0x0000000004910000-memory.dmp | 256KB
memory/1188-58-0x00000000052D0000-0x000000000535C000-memory.dmp | 560KB
memory/1188-59-0x0000000000920000-0x000000000095A000-memory.dmp | 232KB
memory/1680-64-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/1680-84-0x0000000001FD0000-0x0000000001FEA000-memory.dmp | 104KB
memory/1680-66-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/1680-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/1680-68-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/1680-70-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/1680-72-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/1680-73-0x0000000004330000-0x0000000004370000-memory.dmp | 256KB
memory/1680-63-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/1680-78-0x00000000004D0000-0x00000000004DA000-memory.dmp | 40KB
memory/1680-79-0x0000000000930000-0x000000000094E000-memory.dmp | 120KB
memory/1680-80-0x00000000004F0000-0x00000000004FA000-memory.dmp | 40KB
memory/1680-83-0x0000000000A60000-0x0000000000A72000-memory.dmp | 72KB
memory/1680-65-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/1680-85-0x0000000002030000-0x000000000203E000-memory.dmp | 56KB
memory/1680-86-0x00000000020D0000-0x00000000020E2000-memory.dmp | 72KB
memory/1680-87-0x0000000002120000-0x000000000212C000-memory.dmp | 48KB
memory/1680-88-0x0000000002250000-0x000000000225E000-memory.dmp | 56KB
memory/1680-89-0x0000000002260000-0x0000000002274000-memory.dmp | 80KB
memory/1680-90-0x0000000002270000-0x0000000002280000-memory.dmp | 64KB
memory/1680-91-0x0000000004370000-0x0000000004384000-memory.dmp | 80KB
memory/1680-92-0x0000000004380000-0x000000000438E000-memory.dmp | 56KB
memory/1680-93-0x00000000044A0000-0x00000000044CE000-memory.dmp | 184KB
memory/1680-94-0x0000000004520000-0x0000000004534000-memory.dmp | 80KB
memory/1680-96-0x0000000004330000-0x0000000004370000-memory.dmp | 256KB
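The dump names above encode the pid and the address range of each region, and the region 0x00400000-0x00438000 of PID 1680 (the process that 1188 wrote to and SetThreadContext'ed) was captured seven times. The following is an added example, not part of the sandbox report: it parses that naming scheme, cross-checks each listed size against the address range, and applies one analyst heuristic to pick the candidate unpacked payload. The dump entries are copied from the list above (a subset; the full list behaves the same). The heuristic that the region at the default 32-bit image base 0x400000 in the injected-into process is the payload image is an assumption, not something the report states.

```python
import re
from collections import Counter

# The sandbox names each dump "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp".
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (file name, size as listed) pairs copied from the report; a subset of the full list.
DUMPS = [
    ("memory/1188-54-0x0000000000A80000-0x0000000000B22000-memory.dmp", "648KB"),
    ("memory/1188-58-0x00000000052D0000-0x000000000535C000-memory.dmp", "560KB"),
    ("memory/1188-59-0x0000000000920000-0x000000000095A000-memory.dmp", "232KB"),
    ("memory/1680-63-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1680-64-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1680-65-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1680-66-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1680-68-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1680-70-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1680-72-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1680-73-0x0000000004330000-0x0000000004370000-memory.dmp", "256KB"),
    ("memory/1680-89-0x0000000002260000-0x0000000002274000-memory.dmp", "80KB"),
    ("memory/1680-90-0x0000000002270000-0x0000000002280000-memory.dmp", "64KB"),
    ("memory/1680-96-0x0000000004330000-0x0000000004370000-memory.dmp", "256KB"),
]


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def listed_size_bytes(text):
    """Convert the report's 'NNNKB' size string to bytes."""
    m = re.fullmatch(r"(\d+)KB", text.strip())
    if m is None:
        raise ValueError(f"unexpected size string: {text}")
    return int(m.group(1)) * 1024


def size_mismatches(dumps):
    """Names whose listed size disagrees with the size implied by the address range."""
    return [name for name, size in dumps if parse_dump_name(name)["size"] != listed_size_bytes(size)]


def region_counts(dumps, pid):
    """How often each (start, end) region of one pid was dumped, most frequent first."""
    counter = Counter()
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["pid"] == pid:
            counter[(d["start"], d["end"])] += 1
    return counter.most_common()


def candidate_injected_image(dumps, target_pid, default_image_base=0x400000):
    """
    Analyst heuristic (an assumption, not a statement of the report): in a process that
    another process wrote to and then SetThreadContext'ed, the region dumped at the default
    32-bit image base is the best candidate for the unpacked payload.
    Returns (start, end, times_dumped) or None.
    """
    for (start, end), n in region_counts(dumps, target_pid):
        if start == default_image_base:
            return (start, end, n)
    return None


def overlapping_regions(dumps, pid):
    """Pairs of distinct regions of one pid whose address ranges overlap."""
    regions = sorted({(parse_dump_name(n)["start"], parse_dump_name(n)["end"])
                      for n, _ in dumps if parse_dump_name(n)["pid"] == pid})
    pairs = []
    for i, (s1, e1) in enumerate(regions):
        for s2, e2 in regions[i + 1:]:
            if s2 < e1:  # sorted by start, so overlap means the later one starts before this one ends
                pairs.append(((s1, e1), (s2, e2)))
    return pairs


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    print("most-dumped region of 1680:", region_counts(DUMPS, 1680)[0])
    print("candidate payload image:", candidate_injected_image(DUMPS, 1680))
    print("overlapping regions of 1680:", overlapping_regions(DUMPS, 1680))
```

Every listed size agrees with its address range, so the sizes here are derived from the ranges rather than independently measured. The overlap check flags 0x2260000-0x2274000 against 0x2270000-0x2280000, a sign that successive dumps captured a region that grew between snapshots; the 224KB region at 0x400000 is the one to carve and scan for a PE header when reconstructing the payload.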