Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
17-06-2024 03:29
Static task
static1
Behavioral task
behavioral1
Sample
invoice.exe
Resource
win7-20240221-en
General
-
Target
invoice.exe
-
Size
427KB
-
MD5
c9521986c45818165a3344c4ad821d17
-
SHA1
59360e8cda98f594c57dbec84484ef3c7a953dd9
-
SHA256
a68d6f1f8eac6e726187af10e2c6a7372696792cfd1b73eecbe4b77a874590a7
-
SHA512
da06e36625034650f93500c874c77f7d3ffa66a7d3043c01daeea74b04f5219561b43de5fb563dbd72165726e325b86f5a985a1ecbb7823766f7ffb61d13beef
-
SSDEEP
6144:Vs6sCfPRYwK+8sl7gNLmn8FY90SMjFWVLlIgMHxuPw+Qr8iGdPVbpqH:FPRYw0mgNLm8GezgM0cr/Go
Malware Config
Extracted
nanocore
1.2.2.0
kskent.dynu.net:333
127.0.0.1:333
4d94aa95-8442-4268-a4c7-1d0109c44f55
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-02-24T03:50:49.960434136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
333
-
default_group
2020
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
4d94aa95-8442-4268-a4c7-1d0109c44f55
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
kskent.dynu.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Processes:
invoice.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA invoice.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
invoice.exedescription pid process target process PID 2036 set thread context of 2568 2036 invoice.exe invoice.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
invoice.exeinvoice.exepid process 2036 invoice.exe 2568 invoice.exe 2568 invoice.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
invoice.exepid process 2568 invoice.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
invoice.exeinvoice.exedescription pid process Token: SeDebugPrivilege 2036 invoice.exe Token: SeDebugPrivilege 2568 invoice.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
invoice.exedescription pid process target process PID 2036 wrote to memory of 2572 2036 invoice.exe schtasks.exe PID 2036 wrote to memory of 2572 2036 invoice.exe schtasks.exe PID 2036 wrote to memory of 2572 2036 invoice.exe schtasks.exe PID 2036 wrote to memory of 2572 2036 invoice.exe schtasks.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe PID 2036 wrote to memory of 2568 2036 invoice.exe invoice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\invoice.exe"C:\Users\Admin\AppData\Local\Temp\invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FgBAmhwboOZYD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp250E.tmp"2⤵
- Creates scheduled task(s)
PID:2572 -
C:\Users\Admin\AppData\Local\Temp\invoice.exe"{path}"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2568
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp250E.tmpFilesize
1KB
MD5a259096d942103c863dfb0ac2cd6ba66
SHA1296e8f135b77457ee7166921a20c51bf25a9254b
SHA256ba15635cd90377f46d7596ad5b6040c6087a625dd1e56ab78e8065cf22670d4f
SHA512890373113a45e96bd80237a916834f0b0dd3686413ee4f33b943e99522e99deedc756309350866b284465d9f897d59e991ed6443423b7adb64a120b1558cbca6
-
memory/2036-0-0x0000000074A91000-0x0000000074A92000-memory.dmpFilesize
4KB
-
memory/2036-1-0x0000000074A90000-0x000000007503B000-memory.dmpFilesize
5.7MB
-
memory/2036-2-0x0000000074A90000-0x000000007503B000-memory.dmpFilesize
5.7MB
-
memory/2036-3-0x0000000074A90000-0x000000007503B000-memory.dmpFilesize
5.7MB
-
memory/2036-24-0x0000000074A90000-0x000000007503B000-memory.dmpFilesize
5.7MB
-
memory/2568-19-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-21-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2568-15-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-13-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-23-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-11-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-25-0x0000000074A90000-0x000000007503B000-memory.dmpFilesize
5.7MB
-
memory/2568-9-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2568-27-0x0000000074A90000-0x000000007503B000-memory.dmpFilesize
5.7MB