Analysis
-
max time kernel
61s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
01-04-2023 11:26
Static task
static1
Behavioral task
behavioral1
Sample
Doc40323031190.exe
Resource
win7-20230220-en
General
-
Target
Doc40323031190.exe
-
Size
627KB
-
MD5
58137f8f0a140e5cb05326723364d2d2
-
SHA1
dba225f7f06c06408566fa1f8084ec20ad16e210
-
SHA256
2b56563eb45d2817c958bc4e9ab607385d5e1eebdbfb7b84d9cceff5b5f77a0d
-
SHA512
09e719769ed1188791bb39363eca8da870dc2b7fe864af7f3854809f3e5fa506bd3b91582b3e8c690bfbfd3d4121ec2c7bea9263be7c71a2ce2ccafdbca40222
-
SSDEEP
6144:kA66yvqwVOBZYcg+Vn0W2Yi0WY/S+aI4bb7GNR60/7ZFiYhztHFKcjvXBbFNcKjl:kqyywVcZY75W2Yi06jbfcb/tZ1vx0ed
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: nanjuly.duckdns.org:2025
Mutex: a37c0b29-615a-4111-a03b-4213f55dda53
-
activate_away_mode
true
-
backup_connection_host
nanjuly.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-01-11T08:03:54.326544136Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2025
-
default_group
AE
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
a37c0b29-615a-4111-a03b-4213f55dda53
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nanjuly.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation
  process: Doc40323031190.exe
Checks whether UAC is enabled
Processes:
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Doc40323031190.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 2176 set thread context of 1300
  pid: 2176
  process: Doc40323031190.exe
  target process: Doc40323031190.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid: 3296, process: schtasks.exe
- pid: 5076, process: schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
- pid: 2176, process: Doc40323031190.exe
- pid: 1300, process: Doc40323031190.exe
- pid: 1300, process: Doc40323031190.exe
- pid: 1300, process: Doc40323031190.exe
- pid: 1300, process: Doc40323031190.exe
- pid: 1300, process: Doc40323031190.exe
- pid: 1300, process: Doc40323031190.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid: 1300, process: Doc40323031190.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- description: Token: SeDebugPrivilege, pid: 2176, process: Doc40323031190.exe
- description: Token: SeDebugPrivilege, pid: 1300, process: Doc40323031190.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
- description: PID 2176 wrote to memory of 3296, pid: 2176, process: Doc40323031190.exe, target process: schtasks.exe
- description: PID 2176 wrote to memory of 3296, pid: 2176, process: Doc40323031190.exe, target process: schtasks.exe
- description: PID 2176 wrote to memory of 3296, pid: 2176, process: Doc40323031190.exe, target process: schtasks.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 2176 wrote to memory of 1300, pid: 2176, process: Doc40323031190.exe, target process: Doc40323031190.exe
- description: PID 1300 wrote to memory of 5076, pid: 1300, process: Doc40323031190.exe, target process: schtasks.exe
- description: PID 1300 wrote to memory of 5076, pid: 1300, process: Doc40323031190.exe, target process: schtasks.exe
- description: PID 1300 wrote to memory of 5076, pid: 1300, process: Doc40323031190.exe, target process: schtasks.exe
Processes
-
Process (level 1): C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (level 2): C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VhKotlyA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE033.tmp"
- Creates scheduled task(s)
-
Process (level 2): C:\Users\Admin\AppData\Local\Temp\Doc40323031190.exe
Command line: "{path}"
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Process (level 3): C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "DPI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE5E0.tmp"
- Creates scheduled task(s)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc40323031190.exe.log
Filesize: 1KB
MD5: 17573558c4e714f606f997e5157afaac
SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
-
C:\Users\Admin\AppData\Local\Temp\tmpE033.tmp
Filesize: 1KB
MD5: a11259a53cd50b4980796845decfb86b
SHA1: 37689fedb4da81a09c45c6325fb1379c58ca5914
SHA256: a4b1eed97e763d8d1d130fbf66a2bef3e41ca1b5a3dae9de50c54a1b37a23ec7
SHA512: c3337382e116c79656d56dd715b6fed98cd11b8aaf74eb0d4d1e0bd3ff5902626836053fe392fe355b892a161471e458e03439295371b547ad11bc67246270d3
-
C:\Users\Admin\AppData\Local\Temp\tmpE5E0.tmp
Filesize: 1KB
MD5: bf48273a4dc728d205b52627e164b35a
SHA1: 8f450b7f3b0b3361d1dfe73ab0ea8ab11521c407
SHA256: 4c7d54d5f18efc9fc022a717ee162c558e8bfde9da12cd793b9389820c46883c
SHA512: 971dcf841de20f1e693ab5b4d3804402ad2db4bfad94d67a9a7a711e855499bf2f26e222187f0beb451a3538db78d896c4b9ec7effd6b37c95997d72a46f8547
-
memory/1300-156-0x00000000055D0000-0x00000000055E0000-memory.dmp
Filesize: 64KB
-
memory/1300-154-0x0000000006FE0000-0x0000000007046000-memory.dmp
Filesize: 408KB
-
memory/1300-147-0x00000000055D0000-0x00000000055E0000-memory.dmp
Filesize: 64KB
-
memory/1300-144-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/2176-136-0x0000000004DE0000-0x0000000004E72000-memory.dmp
Filesize: 584KB
-
memory/2176-140-0x0000000004DC0000-0x0000000004DD0000-memory.dmp
Filesize: 64KB
-
memory/2176-139-0x0000000004DC0000-0x0000000004DD0000-memory.dmp
Filesize: 64KB
-
memory/2176-138-0x0000000005000000-0x0000000005056000-memory.dmp
Filesize: 344KB
-
memory/2176-137-0x0000000004D60000-0x0000000004D6A000-memory.dmp
Filesize: 40KB
-
memory/2176-133-0x0000000000260000-0x0000000000302000-memory.dmp
Filesize: 648KB
-
memory/2176-135-0x00000000052F0000-0x0000000005894000-memory.dmp
Filesize: 5.6MB
-
memory/2176-134-0x0000000004CA0000-0x0000000004D3C000-memory.dmp
Filesize: 624KB