Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 08:58

Static task: static1
Behavioral task: behavioral1
Sample: Quotation_Request_Sheet_0089600090944833933.exe
Resource: win7-20231129-en
General

Target: Quotation_Request_Sheet_0089600090944833933.exe
Size: 437KB
MD5: 700cedae278fb3092153285d13bafbfe
SHA1: 8e291c02383b22a4baa40fe09fa9bccc8a21b689
SHA256: 8397aac7952f0432c2aff655eb67d09f849e41389f00a663d6e8cb681f21c2dd
SHA512: 99671a59e3a45b81a0ee557adb97360e02f51eb1c8d9830e4e16fe7a0c7cd171249d21c87777e215a5cdd6f4b3a8f3c1f864cbb1a209c55068774206b1604de3
SSDEEP: 6144:n1UuE2wWm+f6hmQPUDQcFBZUKi1+OO7x3t0omda:4o1QmUB10x3ON
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: 185.125.205.71:6789
C2: omada1.ddns.net:6789
Mutex: 1e6a039e-ec2c-48e8-b50f-442df5e4a007

activate_away_mode: true
backup_connection_host: omada1.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2018-04-28T10:38:03.742178936Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 6789
default_group: 15 star
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 1e6a039e-ec2c-48e8-b50f-442df5e4a007
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: 185.125.205.71
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Drops startup file 1 IoCs
Processes: Quotation_Request_Sheet_0089600090944833933.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcLRYd.url | Quotation_Request_Sheet_0089600090944833933.exe

Checks whether UAC is enabled 1 IoCs
Processes: RegAsm.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: Quotation_Request_Sheet_0089600090944833933.exe
description | pid | process | target process
PID 2788 set thread context of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes: Quotation_Request_Sheet_0089600090944833933.exe, RegAsm.exe
pid | process
2788 | Quotation_Request_Sheet_0089600090944833933.exe
2788 | Quotation_Request_Sheet_0089600090944833933.exe
4664 | RegAsm.exe
4664 | RegAsm.exe
4664 | RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RegAsm.exe
pid | process
4664 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Quotation_Request_Sheet_0089600090944833933.exe, RegAsm.exe
description | pid | process
Token: SeDebugPrivilege | 2788 | Quotation_Request_Sheet_0089600090944833933.exe
Token: SeDebugPrivilege | 4664 | RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs
Processes: Quotation_Request_Sheet_0089600090944833933.exe, csc.exe
description | pid | process | target process
PID 2788 wrote to memory of 2268 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | csc.exe
PID 2788 wrote to memory of 2268 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | csc.exe
PID 2788 wrote to memory of 2268 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | csc.exe
PID 2268 wrote to memory of 2240 | 2268 | csc.exe | cvtres.exe
PID 2268 wrote to memory of 2240 | 2268 | csc.exe | cvtres.exe
PID 2268 wrote to memory of 2240 | 2268 | csc.exe | cvtres.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
PID 2788 wrote to memory of 4664 | 2788 | Quotation_Request_Sheet_0089600090944833933.exe | RegAsm.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"
  PID: 2788
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.cmdline"
    PID: 2268
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp" "c:\Users\Admin\AppData\Local\Temp\m1sgfq54\CSC7786421CE6DD4D13BBBAE94F74E7AED3.TMP"
      PID: 2240

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    PID: 4664
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp
Filesize: 1KB
MD5: 6a7ede554626bc89b5449aea51ac30a2
SHA1: 15448cad99e9d3ac8c6dee6d20c80035ea47643d
SHA256: 573c567345a69b8aea7bcfe6bf6466ccf34f598d985ee7649c61f243fce9c25d
SHA512: 7bfb63794f8212b9ee74e9bf71b3775e0f9c7e3cad82213333ac2710c596cd0ee3d5a7aae6cfc9375a1de0299d70442cdddd4e9efbc92702ebdea4f59bd9476a

C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.dll
Filesize: 9KB
MD5: c071d4f6e54067ca5fd0020323ed4e55
SHA1: 257c16016ced36a5169fee3b4b1d554f5eabcae5
SHA256: fb1f63a2d6fcc00fb16978330432f6ca8095db3edf2951a911a2bb4f9023a3e5
SHA512: 4058ff041cf50d009b3763839c667cd311defc2b853513c58c4af21a031e273433d038d53994a87bd2255ac395d3be7f4dba1edb1cfd8504ac6c8766df8a12ca

C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.pdb
Filesize: 29KB
MD5: b4e5767686085c3af5669990e031eb84
SHA1: 9008cb404353f92ceee308312474d8f13bec8ced
SHA256: 6a56011e3d499f0f9fa9023f41ff49bc9e4894437eb7ab5311d08077573106a8
SHA512: f1c419fb91ac51c52f0e5fc1d6133fd8814716b45ceffc1b925601536b37fdd20333c4318d7fc61cf8a4c477f61447ba0e708af38ac2838521618ac40339f243

\??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\CSC7786421CE6DD4D13BBBAE94F74E7AED3.TMP
Filesize: 1KB
MD5: 6e9e83ab90a3d2ba703b2d7ebff38aab
SHA1: 835e39cdb3812b5e36764d9885c2dfe59e2e1224
SHA256: 6ac75578afca75f1cd097f3f3e6d96c121b37a5bd008239f1c472019522a9b0d
SHA512: 7352fab09f2ab5ce091134ef56f57e26cf0a7a8f96ff2ad80fb84bf2326e3a372ac012daa452a07e99a0f780cc9eee2756194e8cff1d2edc0831e3eace6fadbc

\??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.0.cs
Filesize: 10KB
MD5: 4801a7d3498045d0e79c845b4750557d
SHA1: 479bae8d7b735b8d24225d173bdbf47b940e4da0
SHA256: e724633ba5babd87fd8d3a24cca85f213e0c8827ddc44aba0e470d42ae3f5e31
SHA512: 4f0aa3c16cf13ab8c071dd5bc2176861216ba51cebe9bf6f4bd94ca23af7c1e629238afc829cecd493ae02a06b3e1213edefc78c42a4941be9958feb10db7e36

\??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.cmdline
Filesize: 312B
MD5: 948abdf6f2a35c87d3a1fea5b11c83c6
SHA1: fbf47c5c95119c6dc1d18b007f00e68066a46f8f
SHA256: f86c2e237248a04015180ff38e8a3a03e002b7ab1179ff32def1839b9c424847
SHA512: 9dca84a65ada7add43fbbe66f8f0dff9f7f2570b526f6594d25888073b560a4977c2736b115bac3c39cf6411d74cbcfc9fca0d39d2be3980f186ed9a996ac412

memory/2788-19-0x00000000058A0000-0x0000000005932000-memory.dmp
Filesize: 584KB

memory/2788-24-0x0000000005DF0000-0x0000000005E28000-memory.dmp
Filesize: 224KB

memory/2788-1-0x0000000000E30000-0x0000000000EA4000-memory.dmp
Filesize: 464KB

memory/2788-17-0x0000000005770000-0x0000000005778000-memory.dmp
Filesize: 32KB

memory/2788-0-0x000000007492E000-0x000000007492F000-memory.dmp
Filesize: 4KB

memory/2788-20-0x0000000005D80000-0x0000000005DC2000-memory.dmp
Filesize: 264KB

memory/2788-21-0x0000000005DD0000-0x0000000005DDC000-memory.dmp
Filesize: 48KB

memory/2788-5-0x0000000074920000-0x00000000750D0000-memory.dmp
Filesize: 7.7MB

memory/2788-25-0x0000000005ED0000-0x0000000005F6C000-memory.dmp
Filesize: 624KB

memory/2788-28-0x0000000074920000-0x00000000750D0000-memory.dmp
Filesize: 7.7MB

memory/4664-26-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB

memory/4664-29-0x0000000074B12000-0x0000000074B13000-memory.dmp
Filesize: 4KB

memory/4664-30-0x0000000074B10000-0x00000000750C1000-memory.dmp
Filesize: 5.7MB

memory/4664-31-0x0000000074B10000-0x00000000750C1000-memory.dmp
Filesize: 5.7MB

memory/4664-33-0x0000000074B12000-0x0000000074B13000-memory.dmp
Filesize: 4KB

memory/4664-34-0x0000000074B10000-0x00000000750C1000-memory.dmp
Filesize: 5.7MB