paladin316

1071New_Order_03_09_19_exe_2019-09-04_10_30.txt

Sep 4th, 2019
  1.  
  2. * ID: 1071
  3. * MalFamily: "Nanocore"
  4.  
  5. * MalScore: 10.0
  6.  
  7. * File Name: "New Order_03.09.19.exe"
  8. * File Size: 1570168
  9. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  10. * SHA256: "278b8dfcd1aafa43cc4828afe2db67367f937340bdb2690d6cb317ea58abb2d4"
  11. * MD5: "96fa87d91da96ef5f26f38d74e326638"
  12. * SHA1: "2856880ff2e0bd4f21f62d91f013a3cfcdddc9ed"
  13. * SHA512: "a4f09ca33dc42362703849048a0a640b6ae06264de9546dc9b421128246fcf42688713b85e383131368eaafb68cca30f197c5ee05c53a1a72cedef2a1aeb7e96"
  14. * CRC32: "88B5C383"
  15. * SSDEEP: "6144:6XOd8pKLhA5YUuv4WfbL0XNalnsPEryqnRsNgmTzn7zhOumBzPc8E6u:ypKtA5ROPIQsPqRAgmzzhOumBzP9u"
  16.  
  17. * Process Execution:
  18. "New Order_03.09.19.exe",
  19. "New Order_03.09.19.exe",
  20. "schtasks.exe",
  21. "schtasks.exe",
  22. "svchost.exe"
  23.  
  24.  
  25. * Executed Commands:
  26. "\"C:\\Users\\user\\AppData\\Local\\Temp\\New Order_03.09.19.exe\"",
  27. "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp\"",
  28. "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp\""
  29.  
  30.  
  31. * Signatures Detected:
  32.  
  33. "Description": "Behavioural detection: Executable code extraction",
  34. "Details":
  35.  
  36.  
  37. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  38. "Details":
  39.  
  40.  
  41. "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
  42. "Details":
  43.  
  44. "IP_ioc": "185.217.1.137:8494 (Sweden)"
  45.  
  46.  
  47.  
  48.  
  49. "Description": "Creates RWX memory",
  50. "Details":
  51.  
  52.  
  53. "Description": "Guard pages use detected - possible anti-debugging.",
  54. "Details":
  55.  
  56.  
  57. "Description": "A process attempted to delay the analysis task.",
  58. "Details":
  59.  
  60. "Process": "svchost.exe tried to sleep 251 seconds, actually delayed analysis time by 0 seconds"
  61.  
  62.  
  63.  
  64.  
  65. "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
  66. "Details":
  67.  
  68. "ioc": "v2.0.50727"
  69.  
  70.  
  71.  
  72.  
  73. "Description": "A process created a hidden window",
  74. "Details":
  75.  
  76. "Process": "New Order_03.09.19.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp\""
  77.  
  78.  
  79. "Process": "New Order_03.09.19.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp\""
  80.  
  81.  
  82.  
  83.  
  84. "Description": "Performs some HTTP requests",
  85. "Details":
  86.  
  87. "url_iocs": "http://ocsp.intel.com//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D"
  88.  
  89.  
  90.  
  91.  
  92. "Description": "Uses Windows utilities for basic functionality",
  93. "Details":
  94.  
  95. "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp\""
  96.  
  97.  
  98. "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp\""
  99.  
  100.  
  101.  
  102.  
  103. "Description": "Behavioural detection: Injection (Process Hollowing)",
  104. "Details":
  105.  
  106. "Injection": "New Order_03.09.19.exe(1808) -> New Order_03.09.19.exe(1408)"
  107.  
  108.  
  109.  
  110.  
  111. "Description": "Executed a process and injected code into it, probably while unpacking",
  112. "Details":
  113.  
  114. "Injection": "New Order_03.09.19.exe(1808) -> New Order_03.09.19.exe(1408)"
  115.  
  116.  
  117.  
  118.  
  119. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  120. "Details":
  121.  
  122. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  123.  
  124.  
  125.  
  126.  
  127. "Description": "Installs itself for autorun at Windows startup",
  128. "Details":
  129.  
  130. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
  131.  
  132.  
  133. "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  134.  
  135.  
  136.  
  137.  
  138. "Description": "Exhibits behavior characteristic of Nanocore RAT",
  139. "Details":
  140.  
  141.  
  142. "Description": "Creates a copy of itself",
  143. "Details":
  144.  
  145. "copy": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
  146.  
  147.  
  148.  
  149.  
  150. "Description": "Collects information to fingerprint the system",
  151. "Details":
  152.  
  153.  
  154.  
  155. * Started Service:
  156.  
  157. * Mutexes:
  158. "Global\\CLR_PerfMon_WrapMutex",
  159. "Global\\CLR_CASOFF_MUTEX",
  160. "Global\\5feb13c7-e2a9-49d7-a670-8deff3a364df",
  161. "Global\\.net clr networking"
  162.  
  163.  
  164. * Modified Files:
  165. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
  166. "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
  167. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp",
  168. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp",
  169. "\\Device\\LanmanDatagramReceiver",
  170. "\\??\\PIPE\\srvsvc",
  171. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  172. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
  173.  
  174.  
  175. * Deleted Files:
  176. "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
  177. "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
  178. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp",
  179. "C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp",
  180. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
  181.  
  182.  
  183. * Modified Registry Keys:
  184. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
  185.  
  186.  
  187. * Deleted Registry Keys:
  188.  
  189. * DNS Communications:
  190.  
  191. "type": "A",
  192. "request": "ocsp.intel.com",
  193. "answers":
  194.  
  195. "data": "t3j2g9x7.stackpathcdn.com",
  196. "type": "CNAME"
  197.  
  198.  
  199. "data": "ocsp.comodoca.com",
  200. "type": "CNAME"
  201.  
  202.  
  203. "data": "151.139.128.14",
  204. "type": "A"
  205.  
  206.  
  207.  
  208.  
  209.  
  210. * Domains:
  211.  
  212. "ip": "151.139.128.14",
  213. "domain": "ocsp.intel.com"
  214.  
  215.  
  216.  
  217. * Network Communication - ICMP:
  218.  
  219. * Network Communication - HTTP:
  220.  
  221. "count": 1,
  222. "body": "",
  223. "uri": "http://ocsp.intel.com//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D",
  224. "user-agent": "Microsoft-CryptoAPI/6.1",
  225. "method": "GET",
  226. "host": "ocsp.intel.com",
  227. "version": "1.1",
  228. "path": "//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D",
  229. "data": "GET //MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.intel.com\r\n\r\n",
  230. "port": 80
  231.  
  232.  
  233.  
  234. * Network Communication - SMTP:
  235.  
  236. * Network Communication - Hosts:
  237.  
  238. "country_name": "Sweden",
  239. "ip": "185.217.1.137",
  240. "inaddrarpa": "",
  241. "hostname": ""
  242.  
  243.  
  244.  
  245. * Network Communication - IRC: