Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-05-2024 02:05

Static task: static1

Behavioral task: behavioral1
- Sample: Inquiry List.pdf.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: Inquiry List.pdf.exe
- Resource: win10v2004-20240419-en
General
- Target: Inquiry List.pdf.exe
- Size: 1.7MB
- MD5: 89a2e99f3a510475dfbb36e7492967e9
- SHA1: d51a45a4041951b84df7bb9bc08bd9dacb469015
- SHA256: 17f9b526e5aa96416862611bfa6ab84396209a3df8bb5b723240e8a57dc6d0e9
- SHA512: 171fe1bdfce0515372fffafde37e3906a5fb7325dfe24861c71d0f1c8cc6556b6e81194bfe175a7595ca73ac169b9038460500706c53982ff87a7b047041c40d
- SSDEEP: 24576:7ENXVpmPIXFp2Q3tnL0qb1szI4xIIrBB+XVpmPIXFp0iz:2VgPIXFU69uzI4xIY2VgPIXFh
Malware Config

Extracted
nanocore 1.2.2.0
baby.ausluggage.com:5656
mama.rnatrixgn.com:5656
06c90934-ef35-4223-aa27-fcdec34238e3

- activate_away_mode: true
- backup_connection_host: mama.rnatrixgn.com
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-12-23T09:42:15.812707836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 5656
- default_group: 2020
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 06c90934-ef35-4223-aa27-fcdec34238e3
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: baby.ausluggage.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Inquiry List.pdf.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ezcqb = "C:\\QGTQZTRE\\ezcqbS\\ezcqbSMhP.vbs"
  process: Inquiry List.pdf.exe

Checks whether UAC is enabled
Processes: RegAsm.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: RegAsm.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: Inquiry List.pdf.exe
- description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  process: Inquiry List.pdf.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  process: Inquiry List.pdf.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: Inquiry List.pdf.exe
- description: PID 2328 set thread context of 2984
  pid: 2328
  process: Inquiry List.pdf.exe
  target process: RegAsm.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: RegAsm.exe
- pid: 2984, process: RegAsm.exe
- pid: 2984, process: RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RegAsm.exe
- pid: 2984, process: RegAsm.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: Inquiry List.pdf.exe
- pid: 2328, process: Inquiry List.pdf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: RegAsm.exe
- description: Token: SeDebugPrivilege
  pid: 2984
  process: RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: Inquiry List.pdf.exe
- description: PID 2328 wrote to memory of 2984
  pid: 2328
  process: Inquiry List.pdf.exe
  target process: RegAsm.exe
  (this event is recorded 8 times, one per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\Inquiry List.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry List.pdf.exe"
  PID: 2328
  Signatures:
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"
    PID: 2984
    Signatures:
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken