Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 19:33

Static task: static1
Behavioral task: behavioral1
Sample: NEWORDER.js
Resource: win7-20240221-en
General
Target: NEWORDER.js
Size: 1.8MB
MD5: c935ad37b346743dd3cc5cbd07e19c39
SHA1: 5efd9af7fc2b6074de4b417b9891f82feb98873c
SHA256: 91bdfedc2da70a3d6b9833c1ec2ba2598428672d7ae5c1e8ff80b45a2099a105
SHA512: 7512c09100504a96a339cd043d2733e699985bb0088f870b92e21bef657527a4e9fc5fe62da1f22a5eddc62e75e32438043db8d3c0c36a01ac0d7b9875fdbb4a
SSDEEP: 49152:3ubSF8mUKlydc5sfMvF1kXsibyhIUn06UXA7H:X
Malware Config
Extracted
nanocore
1.2.2.0
tats2lou.ddns.net:49251
91.192.100.55:49251
c483a38c-4f2b-4e4b-a6d3-acb09e977acd
activate_away_mode: false
backup_connection_host: 91.192.100.55
backup_dns_server:
buffer_size: 65538
build_time: 2018-11-23T08:22:47.887793536Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 49251
default_group: PC2019
enable_debug_mode: true
gc_threshold: 1.0485772e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.0485772e+07
mutex: c483a38c-4f2b-4e4b-a6d3-acb09e977acd
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: tats2lou.ddns.net
primary_dns_server:
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8009
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, gedlUKJKrNlQz.scr
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | wscript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | gedlUKJKrNlQz.scr

Executes dropped EXE (4 IoCs)
Processes: gedlUKJKrNlQz.scr, pch.exe, pch.exe, RegSvcs.exe
pid | process
2868 | gedlUKJKrNlQz.scr
2288 | pch.exe
4284 | pch.exe
4984 | RegSvcs.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: pch.exe, RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\96804703\\pch.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\96804703\\OQN_CI~1" | pch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Host = "C:\\Program Files (x86)\\DOS Host\\doshost.exe" | RegSvcs.exe

Checks whether UAC is enabled
Processes: RegSvcs.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes: pch.exe
description | pid | process | target process
PID 4284 set thread context of 4984 | 4284 | pch.exe | RegSvcs.exe

Drops file in Program Files directory (2 IoCs)
Processes: RegSvcs.exe
description | ioc | process
File created | C:\Program Files (x86)\DOS Host\doshost.exe | RegSvcs.exe
File opened for modification | C:\Program Files (x86)\DOS Host\doshost.exe | RegSvcs.exe

Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid | process
4056 | schtasks.exe
4260 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: pch.exe, RegSvcs.exe
pid | process
2288 | pch.exe
2288 | pch.exe
4984 | RegSvcs.exe
4984 | RegSvcs.exe
4984 | RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: RegSvcs.exe
pid | process
4984 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 4984 | RegSvcs.exe
Token: SeDebugPrivilege | 4984 | RegSvcs.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes: wscript.exe, gedlUKJKrNlQz.scr, pch.exe, pch.exe, RegSvcs.exe
description | pid | process | target process
PID 4224 wrote to memory of 2868 | 4224 | wscript.exe | gedlUKJKrNlQz.scr
PID 4224 wrote to memory of 2868 | 4224 | wscript.exe | gedlUKJKrNlQz.scr
PID 4224 wrote to memory of 2868 | 4224 | wscript.exe | gedlUKJKrNlQz.scr
PID 2868 wrote to memory of 2288 | 2868 | gedlUKJKrNlQz.scr | pch.exe
PID 2868 wrote to memory of 2288 | 2868 | gedlUKJKrNlQz.scr | pch.exe
PID 2868 wrote to memory of 2288 | 2868 | gedlUKJKrNlQz.scr | pch.exe
PID 2288 wrote to memory of 4284 | 2288 | pch.exe | pch.exe
PID 2288 wrote to memory of 4284 | 2288 | pch.exe | pch.exe
PID 2288 wrote to memory of 4284 | 2288 | pch.exe | pch.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4284 wrote to memory of 4984 | 4284 | pch.exe | RegSvcs.exe
PID 4984 wrote to memory of 4056 | 4984 | RegSvcs.exe | schtasks.exe
PID 4984 wrote to memory of 4056 | 4984 | RegSvcs.exe | schtasks.exe
PID 4984 wrote to memory of 4056 | 4984 | RegSvcs.exe | schtasks.exe
PID 4984 wrote to memory of 4260 | 4984 | RegSvcs.exe | schtasks.exe
PID 4984 wrote to memory of 4260 | 4984 | RegSvcs.exe | schtasks.exe
PID 4984 wrote to memory of 4260 | 4984 | RegSvcs.exe | schtasks.exe
Processes (process tree, one indentation level per child)

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\NEWORDER.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\gedlUKJKrNlQz.scr
    "C:\Users\Admin\AppData\Local\Temp\gedlUKJKrNlQz.scr" /S
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\96804703\pch.exe
      "C:\Users\Admin\AppData\Local\Temp\96804703\pch.exe" oqn=cig
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\96804703\pch.exe
        C:\Users\Admin\AppData\Local\Temp\96804703\pch.exe C:\Users\Admin\AppData\Local\Temp\96804703\FTCND
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "DOS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B30.tmp"
            - Creates scheduled task(s)

          C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "DOS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5B9E.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\96804703\FTCND
Filesize: 87KB
MD5: 4071b384298ce6c5ffd7e6dfb251aa18
SHA1: 4bccec7e56f11c99a0d735dd6db615758c6972f4
SHA256: 866040fe001a591fdfa46b6aae184d54956ca18e0b8293a86fabc508411b5d7c
SHA512: 81c65ebb969b9e71dafff0cc10b7ce9b41e6843e63692079d3548ef02075fe28a17befd3a3e3a42bab41a282a9d9c79535695f9d34ecbdea8f503d968cb83005

C:\Users\Admin\AppData\Local\Temp\96804703\GuiDateTimePicker.pdf
Filesize: 212B
MD5: 865e694624fba6b1bc7e5c03a497c88b
SHA1: 6a6dfefeaa0391d7f500867b13f735c4eef8d96c
SHA256: ff0a1e21dceec06c3c42ac82205d822a981122b59f21ba0762b8919b356953f5
SHA512: b633fd1bb5105e3bf8a95fe7df118881f30917bc8a4ba55e53ca800a65351edffcd03796f7b9c5cec43d13e81a62d9bac7a0d3c46a1361d2a46032605b7c3b72

C:\Users\Admin\AppData\Local\Temp\96804703\TreeViewConstants.mp4
Filesize: 215B
MD5: ee39dff8af4338139c3c24e420267985
SHA1: 0838197af60c767fe800478f36e69825455b6140
SHA256: ad2f1162dcd0c1d26fa5459a9623e9489c092b91da82c29747ed575a93188b74
SHA512: c7c99f205f5d4af941199650bd9c34c09d45bf99a9ed2213cad9daf6bd9b276041487fe96ebf3445e25744312ce12b3812e140f6eea07f2c91b1903e67dcd6c9

C:\Users\Admin\AppData\Local\Temp\96804703\ikt.ppt
Filesize: 650KB
MD5: d6015cc7f1297ce85e1850ac02a49af8
SHA1: 382826c9bf9d1eb618794ae6a9990e917134319e
SHA256: cafb2628b256e4b7007a26cea89937f07c5aa7369fb12c46838274cd7841969e
SHA512: b14f01e64d5159c39b3d01308d493b7026d130674d3c9c1add5192c32b80855ed4e8557e69857739b1476e47a6850f5a0a39869cebb484dbcf939802a37c6ade

C:\Users\Admin\AppData\Local\Temp\96804703\oqn=cig
Filesize: 306KB
MD5: 1c4fb77e47b3951eddc2cfb3e782ccda
SHA1: 1c6fe18cf5ad5c052d1ab49887397345d66c735a
SHA256: bbf1dea1a96dfa7f8a17e8c6b059eeaa9b3d4f0149262ea9d8d07529cbbad43b
SHA512: a82e44e9376693598f515ef562139b09c7031a007d86d1ae5aad9a41aede7e5e6a9f63ab76355512a5043fe9568707058093f969e2bd59281483908f3e00b74f

C:\Users\Admin\AppData\Local\Temp\96804703\pch.exe
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize: 44KB
MD5: 9d352bc46709f0cb5ec974633a0c3c94
SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

C:\Users\Admin\AppData\Local\Temp\gedlUKJKrNlQz.scr
Filesize: 913KB
MD5: d330c165854f498c2070c83a4678b7e0
SHA1: 415bde0275110c094bec9046442d58be135228b2
SHA256: 466589a859040e0d8c81a242548eea898254b4799bbef94918df31ee4680fc1b
SHA512: 9a9e9d59ebe12af73fdc549de04fb046b54daa64707e18e803d32b08868d00a272894e102bfd682963c2fe7bdb6064b79a374091aced59e1cf0a293506df56f6

C:\Users\Admin\AppData\Local\Temp\tmp5B30.tmp
Filesize: 1KB
MD5: 95aceabc58acad5d73372b0966ee1b35
SHA1: 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256: 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512: 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

C:\Users\Admin\AppData\Local\Temp\tmp5B9E.tmp
Filesize: 1KB
MD5: e380299eb53398115b7125b2b75c4798
SHA1: ee59b86ea0abf4097ff94bd940521c583803b036
SHA256: edb658b6577a80126eaacdf2a566755b63d7b2438fe0bcf3aea83930036811f3
SHA512: d9e3f3b1370fe4fce4a631a5d0669cef34bfe83dec146b606eff562c7cc450639304a732104f425a7ccfdded58064f28a98434a59ed8d93b595d64d1e1a2dde1

memory/4984-121-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB

memory/4984-126-0x0000000005970000-0x0000000005A0C000-memory.dmp
Filesize: 624KB

memory/4984-127-0x0000000005880000-0x000000000588A000-memory.dmp
Filesize: 40KB

memory/4984-125-0x00000000058C0000-0x0000000005952000-memory.dmp
Filesize: 584KB

memory/4984-124-0x0000000005F20000-0x00000000064C4000-memory.dmp
Filesize: 5.6MB

memory/4984-135-0x0000000005BC0000-0x0000000005BCA000-memory.dmp
Filesize: 40KB

memory/4984-136-0x0000000005BD0000-0x0000000005BDC000-memory.dmp
Filesize: 48KB

memory/4984-137-0x0000000005EF0000-0x0000000005F0E000-memory.dmp
Filesize: 120KB

memory/4984-138-0x0000000006B20000-0x0000000006B2A000-memory.dmp
Filesize: 40KB