Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 08:58

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Quotation_Request_Sheet_0089600090944833933.exe
  - Resource: win7-20231129-en
General
- Target: Quotation_Request_Sheet_0089600090944833933.exe
- Size: 437KB
- MD5: 700cedae278fb3092153285d13bafbfe
- SHA1: 8e291c02383b22a4baa40fe09fa9bccc8a21b689
- SHA256: 8397aac7952f0432c2aff655eb67d09f849e41389f00a663d6e8cb681f21c2dd
- SHA512: 99671a59e3a45b81a0ee557adb97360e02f51eb1c8d9830e4e16fe7a0c7cd171249d21c87777e215a5cdd6f4b3a8f3c1f864cbb1a209c55068774206b1604de3
- SSDEEP: 6144:n1UuE2wWm+f6hmQPUDQcFBZUKi1+OO7x3t0omda:4o1QmUB10x3ON
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 185.125.205.71:6789, omada1.ddns.net:6789
- Mutex: 1e6a039e-ec2c-48e8-b50f-442df5e4a007

Configuration fields
- activate_away_mode: true
- backup_connection_host: omada1.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2018-04-28T10:38:03.742178936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 6789
- default_group: 15 star
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 1e6a039e-ec2c-48e8-b50f-442df5e4a007
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: 185.125.205.71
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Drops startup file (1 IoC)
Processes: Quotation_Request_Sheet_0089600090944833933.exe
- description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcLRYd.url
  process: Quotation_Request_Sheet_0089600090944833933.exe

Checks whether UAC is enabled (1 IoC)
Processes: RegAsm.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: Quotation_Request_Sheet_0089600090944833933.exe
- description: PID 3024 set thread context of 2640
  pid: 3024
  process: Quotation_Request_Sheet_0089600090944833933.exe
  target process: RegAsm.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: Quotation_Request_Sheet_0089600090944833933.exe, RegAsm.exe
- pid 3024, process Quotation_Request_Sheet_0089600090944833933.exe
- pid 3024, process Quotation_Request_Sheet_0089600090944833933.exe
- pid 2640, process RegAsm.exe
- pid 2640, process RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RegAsm.exe
- pid 2640, process RegAsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Quotation_Request_Sheet_0089600090944833933.exe, RegAsm.exe
- description: Token: SeDebugPrivilege; pid 3024; process Quotation_Request_Sheet_0089600090944833933.exe
- description: Token: SeDebugPrivilege; pid 2640; process RegAsm.exe

Suspicious use of WriteProcessMemory (20 IoCs)
Processes: Quotation_Request_Sheet_0089600090944833933.exe, csc.exe
(description; pid; process; target process)
- PID 3024 wrote to memory of 1448; 3024; Quotation_Request_Sheet_0089600090944833933.exe; csc.exe
- PID 3024 wrote to memory of 1448; 3024; Quotation_Request_Sheet_0089600090944833933.exe; csc.exe
- PID 3024 wrote to memory of 1448; 3024; Quotation_Request_Sheet_0089600090944833933.exe; csc.exe
- PID 3024 wrote to memory of 1448; 3024; Quotation_Request_Sheet_0089600090944833933.exe; csc.exe
- PID 1448 wrote to memory of 2764; 1448; csc.exe; cvtres.exe
- PID 1448 wrote to memory of 2764; 1448; csc.exe; cvtres.exe
- PID 1448 wrote to memory of 2764; 1448; csc.exe; cvtres.exe
- PID 1448 wrote to memory of 2764; 1448; csc.exe; cvtres.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
- PID 3024 wrote to memory of 2640; 3024; Quotation_Request_Sheet_0089600090944833933.exe; RegAsm.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"
  PID: 3024
  Signatures:
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.cmdline"
    PID: 1448
    Signatures:
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C76.tmp" "c:\Users\Admin\AppData\Local\Temp\nue5xcyv\CSC67A023D2C1044EE8B4785184C4F5CC5.TMP"
      PID: 2764
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 2640
    Signatures:
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\RES1C76.tmp
  - Filesize: 1KB
  - MD5: b9b6b2ed0c87b30c0e8e28f115647257
  - SHA1: 775774c51fbbba4e5610549e34288d0514f7bd66
  - SHA256: 85a5cd1c35433834a9a19dc92d5fb0e9f11f6c37d36987b919f389613d059072
  - SHA512: c673e6052432abb59ae1c517d6886b53fd7c41a2f2ce5423b84286816b083f8c04eeab93d02feb2035bc0c90b8a7d2f1f98ebff3660565af362bfd4862a0a42a
- C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.dll
  - Filesize: 9KB
  - MD5: 2cc70c8b7627676d3f280c51f953593f
  - SHA1: a2c8a193a720790b1688380a06d816fd12378882
  - SHA256: 73d31773b199af66c4fcefbe9031a78c3447f9a2558852c4b0b85e53115aa041
  - SHA512: 35a1c367804f0edf6be2d05b831491bfd394ae03c3dccadbd81d995db96447f031cac77de66d02a847a856da8c4cce88d27bfa88f251db3fd16022a69410999a
- C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.pdb
  - Filesize: 29KB
  - MD5: f40c18a3557ac7fb58cbb2e78aa81b3f
  - SHA1: 707b2bb71ddc96ddfdddcc671a58db11ee12fa93
  - SHA256: b18974171243e3677bedd26e5fcfd9ce9320a34fd134ce30d87884a1e984aca4
  - SHA512: d0069139feffad55d195fe2fa4b050dff201efb1887806a65271329616668c77113493d4205341a9960cac8e31dcdaf52a62eb7fd5dce24b83cee5c94f839273
- \??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\CSC67A023D2C1044EE8B4785184C4F5CC5.TMP
  - Filesize: 1KB
  - MD5: 40a60c9ef7ab7332bfaf6230c84e8b40
  - SHA1: 2221f2abb192c85f2ef5e82188c8b2914f4a593d
  - SHA256: f9bde7623139d1dc698ee475dcfcfed5d3b7646d9defc06fc70ff170c8ac7689
  - SHA512: 841d0f15c2b8cf63a16786b4babdb15376413ecd71b5aa489c07dc294a390998f1b368af3e5fb058ce733a494383c78d2c4b083c1aed8fa88c433f9debeeee88
- \??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.0.cs
  - Filesize: 10KB
  - MD5: 4801a7d3498045d0e79c845b4750557d
  - SHA1: 479bae8d7b735b8d24225d173bdbf47b940e4da0
  - SHA256: e724633ba5babd87fd8d3a24cca85f213e0c8827ddc44aba0e470d42ae3f5e31
  - SHA512: 4f0aa3c16cf13ab8c071dd5bc2176861216ba51cebe9bf6f4bd94ca23af7c1e629238afc829cecd493ae02a06b3e1213edefc78c42a4941be9958feb10db7e36
- \??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.cmdline
  - Filesize: 312B
  - MD5: 3131deac5c2136e027dfea093fbf238f
  - SHA1: a2ee1fd66c527c9609485bd37eaea25f35017cf4
  - SHA256: 2ff9d7ee1f81e4e0a1a681c7767d18d461f66f5b24165d928007a33a1f6b6baf
  - SHA512: b61bbf22a63632ee72746882c5f1eafef37d905ec7515e26ab07da9cbbe6a622b051ba6daca6ed48b024000cf1613433194f6a8d260c837af0453fd3724ad4fd
Memory dumps (dump; filesize)
- memory/2640-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp; 4KB
- memory/2640-27-0x0000000000400000-0x0000000000438000-memory.dmp; 224KB
- memory/2640-34-0x0000000000400000-0x0000000000438000-memory.dmp; 224KB
- memory/2640-32-0x0000000000400000-0x0000000000438000-memory.dmp; 224KB
- memory/2640-24-0x0000000000400000-0x0000000000438000-memory.dmp; 224KB
- memory/2640-26-0x0000000000400000-0x0000000000438000-memory.dmp; 224KB
- memory/2640-30-0x0000000000400000-0x0000000000438000-memory.dmp; 224KB
- memory/2640-25-0x0000000000400000-0x0000000000438000-memory.dmp; 224KB
- memory/3024-23-0x0000000000870000-0x00000000008A8000-memory.dmp; 224KB
- memory/3024-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp; 4KB
- memory/3024-5-0x0000000074BF0000-0x00000000752DE000-memory.dmp; 6.9MB
- memory/3024-20-0x0000000000460000-0x000000000046C000-memory.dmp; 48KB
- memory/3024-19-0x0000000000760000-0x00000000007A2000-memory.dmp; 264KB
- memory/3024-17-0x0000000000220000-0x0000000000228000-memory.dmp; 32KB
- memory/3024-1-0x0000000000230000-0x00000000002A4000-memory.dmp; 464KB
- memory/3024-35-0x0000000074BF0000-0x00000000752DE000-memory.dmp; 6.9MB