Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-05-2024 13:13
Static task: static1
Behavioral task: behavioral1
Sample: New Purchase Order_2018112.scr
Resource: win7-20240221-en
General
- Target: New Purchase Order_2018112.scr
- Size: 593KB
- MD5: 5ce1ee1212648449257a2aa2b6d41f13
- SHA1: 26949870e850861b7c009c4d792b3a63b2bb11e2
- SHA256: 0d7303671aea9516ab03e2f2e4b0d38784c489aa7555d9db21a5d12f504958e9
- SHA512: debe7efdb7b2cbfb08631605788b5f097d6da402a031eb8f774cbeea593c6a87712a1600a1a265b7f2b04d65d81875ef9cfc7bd4722bf58beedede490a790044
- SSDEEP: 12288:8oV49yW8M/hvz6N6JIPomHSswTEdlB5yBS6EjvXDIiTEbW5gqtcL/Eh0/UIWu/gq:V45fS6SPylTw5yBS6ErDIiyWKqtcoiX
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.244.30.98:5634
- Mutex: 0bc99ce5-af2f-4fe0-961e-2736f2c8bbce
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-08-03T02:29:02.000467136Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5634
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0bc99ce5-af2f-4fe0-961e-2736f2c8bbce
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 185.244.30.98
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes:
- pid 1140: filename.exe
- pid 4888: filename.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt | cmd"
- filename.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Service = "C:\\Program Files (x86)\\DHCP Service\\dhcpsv.exe"

Checks whether UAC is enabled
Processes:
- filename.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
Processes:
- pid 1140 (filename.exe) set thread context of pid 4888 (filename.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- filename.exe: File created C:\Program Files (x86)\DHCP Service\dhcpsv.exe
- filename.exe: File opened for modification C:\Program Files (x86)\DHCP Service\dhcpsv.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 4876: schtasks.exe
- pid 3300: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
- pid 4888: filename.exe (3 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- pid 4888: filename.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 4788, New Purchase Order_2018112.scr
- Token: SeDebugPrivilege, pid 1140, filename.exe
- Token: SeDebugPrivilege, pid 4888, filename.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes:
- PID 4788 (New Purchase Order_2018112.scr) wrote to memory of 3492 (cmd.exe), 3 times
- PID 3492 (cmd.exe) wrote to memory of 1140 (filename.exe), 3 times
- PID 1140 (filename.exe) wrote to memory of 2844 (cmd.exe), 3 times
- PID 2844 (cmd.exe) wrote to memory of 940 (reg.exe), 3 times
- PID 1140 (filename.exe) wrote to memory of 4888 (filename.exe), 8 times
- PID 4888 (filename.exe) wrote to memory of 4876 (schtasks.exe), 3 times
- PID 4888 (filename.exe) wrote to memory of 3300 (schtasks.exe), 3 times
Processes
C:\Users\Admin\AppData\Local\Temp\New Purchase Order_2018112.scr (depth 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\New Purchase Order_2018112.scr" /S
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "cmd"
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Desktop\filename.exe (depth 3)
         Command line: "C:\Users\Admin\Desktop\filename.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         C:\Windows\SysWOW64\cmd.exe (depth 4)
            Command line: "cmd"
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\reg.exe (depth 5)
               Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
               - Adds Run key to start application
         C:\Users\Admin\Desktop\filename.exe (depth 4)
            Command line: "C:\Users\Admin\Desktop\filename.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe (depth 5)
               Command line: "schtasks.exe" /create /f /tn "DHCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp48E0.tmp"
               - Creates scheduled task(s)
            C:\Windows\SysWOW64\schtasks.exe (depth 5)
               Command line: "schtasks.exe" /create /f /tn "DHCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4E50.tmp"
               - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\filename.exe.log
  Filesize: 223B
  MD5: cde6529abeea500fb852f29ba0da6115
  SHA1: 45f2f48492417ae6a0eade8aaa808d3d1d760743
  SHA256: d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5
  SHA512: c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234
- C:\Users\Admin\AppData\Local\Temp\tmp48E0.tmp
  Filesize: 1KB
  MD5: 3e69cfdc97414457ef33010fb54c2ede
  SHA1: 3cd07f08434a402260b205263eb1de499853b1a1
  SHA256: b55422096b144e40a6061d9e894cdb17d2690792ed8939329c4755099a0d73d8
  SHA512: 01f50c544e2bb42c36aed9bedf6202a204187cc247cf4c76b5071127f4098e635eb25c4fd922aea64cd34abd728fcea3491af658286db1eda2f3e89e547a282c
- C:\Users\Admin\AppData\Local\Temp\tmp4E50.tmp
  Filesize: 1KB
  MD5: a77c223a0fc492dccd6fb9975f7a8766
  SHA1: 5e813636ae9b8138d78919348a5da3a6e8bd74b5
  SHA256: 589df7325d42409c50827600fedb240171ee4bdab85916474a37800c2382829e
  SHA512: 315cea8fde3c594404f5d3c96c710af1214cff6d08ccdb40634a739e108ff810e02624735a2b8c3e3720157b4a55327f317c3c23c3a681b46b9ab0f19060f7c0
- C:\Users\Admin\Desktop\filename.exe
  Filesize: 593KB
  MD5: 5ce1ee1212648449257a2aa2b6d41f13
  SHA1: 26949870e850861b7c009c4d792b3a63b2bb11e2
  SHA256: 0d7303671aea9516ab03e2f2e4b0d38784c489aa7555d9db21a5d12f504958e9
  SHA512: debe7efdb7b2cbfb08631605788b5f097d6da402a031eb8f774cbeea593c6a87712a1600a1a265b7f2b04d65d81875ef9cfc7bd4722bf58beedede490a790044
- memory/1140-17-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/1140-11-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/1140-10-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/1140-8-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/4788-9-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/4788-0-0x0000000074C12000-0x0000000074C13000-memory.dmp (Filesize: 4KB)
- memory/4788-2-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/4788-1-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/4888-19-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/4888-18-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)
- memory/4888-13-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/4888-27-0x0000000074C10000-0x00000000751C1000-memory.dmp (Filesize: 5.7MB)