Analysis

max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-05-2024 13:13

Static task: static1
Behavioral task: behavioral1
Sample: New Purchase Order_2018112.scr
Resource: win7-20240221-en
General

Target: New Purchase Order_2018112.scr
Size: 593KB
MD5: 5ce1ee1212648449257a2aa2b6d41f13
SHA1: 26949870e850861b7c009c4d792b3a63b2bb11e2
SHA256: 0d7303671aea9516ab03e2f2e4b0d38784c489aa7555d9db21a5d12f504958e9
SHA512: debe7efdb7b2cbfb08631605788b5f097d6da402a031eb8f774cbeea593c6a87712a1600a1a265b7f2b04d65d81875ef9cfc7bd4722bf58beedede490a790044
SSDEEP: 12288:8oV49yW8M/hvz6N6JIPomHSswTEdlB5yBS6EjvXDIiTEbW5gqtcL/Eh0/UIWu/gq:V45fS6SPylTw5yBS6ErDIiyWKqtcoiX
Malware Config

Extracted: nanocore 1.2.2.0
C2: 185.244.30.98:5634
Mutex: 0bc99ce5-af2f-4fe0-961e-2736f2c8bbce

activate_away_mode: true
backup_connection_host:
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-08-03T02:29:02.000467136Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5634
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 0bc99ce5-af2f-4fe0-961e-2736f2c8bbce
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 185.244.30.98
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
  PID 2232  filename.exe
  PID 2616  filename.exe

Loads dropped DLL (2 IoCs)
  PID 2084  cmd.exe
  PID 2232  filename.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd"  (reg.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"  (filename.exe)

Checks whether UAC is enabled
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (filename.exe)

Suspicious use of SetThreadContext (1 IoCs)
  PID 2232 (filename.exe) set thread context of PID 2616 (filename.exe)

Drops file in Program Files directory (2 IoCs)
  File created                  C:\Program Files (x86)\DDP Service\ddpsv.exe  (filename.exe)
  File opened for modification  C:\Program Files (x86)\DDP Service\ddpsv.exe  (filename.exe)

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2568  schtasks.exe
  PID 2424  schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2616  filename.exe  (3 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2616  filename.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 2180  New Purchase Order_2018112.scr
  Token: SeDebugPrivilege  PID 2232  filename.exe
  Token: SeDebugPrivilege  PID 2616  filename.exe

Suspicious use of WriteProcessMemory (33 IoCs)
  PID 2180 (New Purchase Order_2018112.scr) wrote to memory of PID 2084 (cmd.exe)  x4
  PID 2084 (cmd.exe) wrote to memory of PID 2232 (filename.exe)  x4
  PID 2232 (filename.exe) wrote to memory of PID 2872 (cmd.exe)  x4
  PID 2872 (cmd.exe) wrote to memory of PID 2612 (reg.exe)  x4
  PID 2232 (filename.exe) wrote to memory of PID 2616 (filename.exe)  x9
  PID 2616 (filename.exe) wrote to memory of PID 2568 (schtasks.exe)  x4
  PID 2616 (filename.exe) wrote to memory of PID 2424 (schtasks.exe)  x4
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\New Purchase Order_2018112.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Purchase Order_2018112.scr" /S
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\Desktop\filename.exe
      Command line: "C:\Users\Admin\Desktop\filename.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd"
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
          - Adds Run key to start application

      Depth 4: C:\Users\Admin\Desktop\filename.exe
        Command line: "C:\Users\Admin\Desktop\filename.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8517.tmp"
          - Creates scheduled task(s)

        Depth 5: C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp892E.tmp"
          - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8517.tmp
  Filesize: 1KB
  MD5: 3e69cfdc97414457ef33010fb54c2ede
  SHA1: 3cd07f08434a402260b205263eb1de499853b1a1
  SHA256: b55422096b144e40a6061d9e894cdb17d2690792ed8939329c4755099a0d73d8
  SHA512: 01f50c544e2bb42c36aed9bedf6202a204187cc247cf4c76b5071127f4098e635eb25c4fd922aea64cd34abd728fcea3491af658286db1eda2f3e89e547a282c

C:\Users\Admin\AppData\Local\Temp\tmp892E.tmp
  Filesize: 1KB
  MD5: 93d357e6194c8eb8d0616a9f592cc4bf
  SHA1: 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
  SHA256: a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
  SHA512: 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

C:\Users\Admin\Desktop\filename.exe
  Filesize: 593KB
  MD5: 5ce1ee1212648449257a2aa2b6d41f13
  SHA1: 26949870e850861b7c009c4d792b3a63b2bb11e2
  SHA256: 0d7303671aea9516ab03e2f2e4b0d38784c489aa7555d9db21a5d12f504958e9
  SHA512: debe7efdb7b2cbfb08631605788b5f097d6da402a031eb8f774cbeea593c6a87712a1600a1a265b7f2b04d65d81875ef9cfc7bd4722bf58beedede490a790044

Memory dumps:
  memory/2180-1-0x0000000074000000-0x00000000745AB000-memory.dmp  5.7MB
  memory/2180-2-0x0000000074000000-0x00000000745AB000-memory.dmp  5.7MB
  memory/2180-7-0x0000000074000000-0x00000000745AB000-memory.dmp  5.7MB
  memory/2180-0-0x0000000074001000-0x0000000074002000-memory.dmp  4KB
  memory/2232-28-0x0000000074000000-0x00000000745AB000-memory.dmp  5.7MB
  memory/2232-8-0x0000000074000000-0x00000000745AB000-memory.dmp  5.7MB
  memory/2232-9-0x0000000074000000-0x00000000745AB000-memory.dmp  5.7MB
  memory/2616-27-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/2616-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/2616-18-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/2616-16-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/2616-13-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/2616-22-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/2616-25-0x0000000000400000-0x0000000000438000-memory.dmp  224KB
  memory/2616-14-0x0000000000400000-0x0000000000438000-memory.dmp  224KB