- * ID: 1071
- * MalFamily: "Nanocore"
- * MalScore: 10.0
- * File Name: "New Order_03.09.19.exe"
- * File Size: 1570168
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "278b8dfcd1aafa43cc4828afe2db67367f937340bdb2690d6cb317ea58abb2d4"
- * MD5: "96fa87d91da96ef5f26f38d74e326638"
- * SHA1: "2856880ff2e0bd4f21f62d91f013a3cfcdddc9ed"
- * SHA512: "a4f09ca33dc42362703849048a0a640b6ae06264de9546dc9b421128246fcf42688713b85e383131368eaafb68cca30f197c5ee05c53a1a72cedef2a1aeb7e96"
- * CRC32: "88B5C383"
- * SSDEEP: "6144:6XOd8pKLhA5YUuv4WfbL0XNalnsPEryqnRsNgmTzn7zhOumBzPc8E6u:ypKtA5ROPIQsPqRAgmzzhOumBzP9u"
- * Process Execution:
- "New Order_03.09.19.exe",
- "New Order_03.09.19.exe",
- "schtasks.exe",
- "schtasks.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\New Order_03.09.19.exe\"",
- "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp\"",
- "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp\""
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Attempts to connect to a dead IP:Port (1 unique times)",
- "Details":
- "IP_ioc": "185.217.1.137:8494 (Sweden)"
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "svchost.exe tried to sleep 251 seconds, actually delayed analysis time by 0 seconds"
- "Description": "At least one IP Address, Domain, or File Name was found in a crypto call",
- "Details":
- "ioc": "v2.0.50727"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "New Order_03.09.19.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp\""
- "Process": "New Order_03.09.19.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp\""
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://ocsp.intel.com//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp\""
- "command": "\"schtasks.exe\" /create /f /tn \"DSL Subsystem Task\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp\""
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "New Order_03.09.19.exe(1808) -> New Order_03.09.19.exe(1408)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "New Order_03.09.19.exe(1808) -> New Order_03.09.19.exe(1408)"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1053 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
- "data": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
- "Description": "Exhibits behavior characteristic of Nanocore RAT",
- "Details":
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe"
- "Description": "Collects information to fingerprint the system",
- "Details":
- * Started Service:
- * Mutexes:
- "Global\\CLR_PerfMon_WrapMutex",
- "Global\\CLR_CASOFF_MUTEX",
- "Global\\5feb13c7-e2a9-49d7-a670-8deff3a364df",
- "Global\\.net clr networking"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat",
- "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp",
- "\\Device\\LanmanDatagramReceiver",
- "\\??\\PIPE\\srvsvc",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk"
- * Deleted Files:
- "C:\\Program Files (x86)\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\DSL Subsystem\\dslss.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6CE3.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\tmp94B0.tmp",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\DSL Subsystem"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "ocsp.intel.com",
- "answers":
- "data": "t3j2g9x7.stackpathcdn.com",
- "type": "CNAME"
- "data": "ocsp.comodoca.com",
- "type": "CNAME"
- "data": "151.139.128.14",
- "type": "A"
- * Domains:
- "ip": "151.139.128.14",
- "domain": "ocsp.intel.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://ocsp.intel.com//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D",
- "user-agent": "Microsoft-CryptoAPI/6.1",
- "method": "GET",
- "host": "ocsp.intel.com",
- "version": "1.1",
- "path": "//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D",
- "data": "GET //MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.intel.com\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Sweden",
- "ip": "185.217.1.137",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
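The report's Executed Commands, "Uses Windows utilities" and "Installs itself for autorun" entries together show one persistence pattern: the dropper spawns schtasks.exe /create twice with a task definition written to its own Temp directory, and writes a Run value pointing at its copy under Program Files (x86). The detection logic below is an added example, not part of the sandbox report or of any sandbox's signature set. It runs over constructed Sysmon-style events; the command lines, registry key and data are copied from the report, while the event field names, the PIDs other than 1808 and the final benign control event are assumptions.

```python
"""
Added example (not part of the sandbox report above): detection logic for the
persistence pattern the report shows, i.e. schtasks.exe /create fed an XML task
definition from the user's Temp directory plus a Run key pointing at a copy of
the sample. Runs over constructed, Sysmon-style events; field names ("type",
"pid", "ppid", "image", "cmdline", "key", "data") are assumptions.
"""
import re

# Constructed events. Command lines, registry key and data are copied from the
# report; PIDs other than 1808 and the final benign control event are invented.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1808, "ppid": 700,
     "image": r"C:\Users\user\AppData\Local\Temp\New Order_03.09.19.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\Temp\New Order_03.09.19.exe"'},
    {"type": "process", "pid": 2012, "ppid": 1808,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DSL Subsystem" /xml "C:\Users\user\AppData\Local\Temp\tmp6CE3.tmp"'},
    {"type": "process", "pid": 2044, "ppid": 1808,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DSL Subsystem Task" /xml "C:\Users\user\AppData\Local\Temp\tmp94B0.tmp"'},
    {"type": "registry", "pid": 1808,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Subsystem",
     "data": r"C:\Program Files (x86)\DSL Subsystem\dslss.exe"},
    # Benign control: an installer registering a task from its own directory.
    {"type": "process", "pid": 3000, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /tn "Vendor Updater" /xml "C:\Program Files\Vendor\task.xml"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCHTASKS_VALUE_OPTS = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd"}


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments (which may contain spaces) together and dropping the quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(args):
    """Turn schtasks.exe arguments into {verb, tn, xml, ..., flags}."""
    opts = {"flags": []}
    i = 1                                   # args[0] is the program itself
    while i < len(args):
        a = args[i].lower()
        if a in ("/create", "/delete", "/change", "/run", "/query", "/end"):
            opts["verb"] = a[1:]
            i += 1
        elif a in SCHTASKS_VALUE_OPTS and i + 1 < len(args):
            opts[a[1:]] = args[i + 1]       # option that takes a value
            i += 2
        else:
            opts["flags"].append(a)         # bare switches such as /f
            i += 1
    return opts


def detect(events):
    """Return findings for temp-sourced task creation, Run-key writes and
    processes that use more than one persistence mechanism."""
    findings = []
    mechanisms = {}                         # owner pid -> set of mechanisms
    for ev in events:
        if ev["type"] == "process":
            args = split_cmdline(ev["cmdline"])
            if not args or args[0].rsplit("\\", 1)[-1].lower() != "schtasks.exe":
                continue
            opts = parse_schtasks(args)
            if opts.get("verb") != "create":
                continue
            owner = ev.get("ppid", ev["pid"])   # credit the parent that ran schtasks
            mechanisms.setdefault(owner, set()).add("scheduled_task")
            xml = opts.get("xml")
            if xml and TEMP_DIR.search(xml):
                findings.append({"rule": "schtasks_create_xml_from_temp", "pid": owner,
                                 "task": opts.get("tn"), "xml": xml})
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            mechanisms.setdefault(ev["pid"], set()).add("run_key")
            findings.append({"rule": "run_key_written", "pid": ev["pid"],
                             "value": ev["key"].rsplit("\\", 1)[-1], "data": ev["data"]})
    for pid, mechs in mechanisms.items():
        if len(mechs) > 1:
            findings.append({"rule": "multiple_persistence_mechanisms", "pid": pid,
                             "mechanisms": sorted(mechs)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Crediting the scheduled-task creation to the parent PID rather than to schtasks.exe itself is what lets the last rule tie the two tasks and the Run value back to the single dropper process (1808 in the report); the benign control event in the sample, a task registered from a vendor directory by an unrelated parent, produces no finding.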
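The two network artefacts in the report deserve different treatment. The GET to ocsp.intel.com carries the Microsoft-CryptoAPI user agent and a URL path that is a base64-encoded DER OCSPRequest (the GET form defined in RFC 6960, Appendix A); that is the operating system checking certificate revocation, not the sample talking to its operator. The TCP attempt to 185.217.1.137:8494, by contrast, goes to a bare IP on a non-standard port that no DNS answer in the report resolves to. The triage code below is an added example, not part of the sandbox report. The path, user agent, DNS answer and host entry are copied from the report; the minimal DER walker, the labels it returns and the list of "common" ports are this example's own assumptions.

```python
"""
Added example (not part of the sandbox report above): triage of the report's
network artefacts. Decodes the GET-form OCSP request in the ocsp.intel.com URL
path to confirm it is a revocation check, and flags the direct-to-IP connection
on port 8494. The DER walker and the labels are this example's own.
"""
import base64
import urllib.parse

# Values copied from the report's HTTP, DNS and Hosts sections.
SAMPLE_HTTP = {
    "host": "ocsp.intel.com",
    "user-agent": "Microsoft-CryptoAPI/6.1",
    "path": "//MFQwUjBQME4wTDAJBgUrDgMCGgUABBT1Za4BFGmV4BD09OmrDjjl2Yt8JgQUssBnplaNJ3kQdMP1xaWJZtbxLjYCE1YAAAidKVOniKW4iGkAAAAACJ0%3D",
}
RESOLVED_IPS = {"151.139.128.14"}           # the only A answer in the report
SAMPLE_CONNECTION = {"ip": "185.217.1.137", "port": 8494}


def der_read(buf, pos=0):
    """Read one DER TLV; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_path(path):
    """Decode an RFC 6960 A.1 GET-form OCSPRequest and return its CertIDs."""
    der = base64.b64decode(urllib.parse.unquote(path).strip("/"), validate=True)
    tag, ocsp_request, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tbs = der_children(ocsp_request)[0][1]
    # requestList is the first SEQUENCE inside TBSRequest; the optional
    # context-tagged [0] version and [1] requestorName are skipped.
    request_list = next((v for t, v in der_children(tbs) if t == 0x30), None)
    if request_list is None:
        raise ValueError("no requestList")
    cert_ids = []
    for _, request in der_children(request_list):
        alg, name_hash, key_hash, serial = der_children(der_children(request)[0][1])
        cert_ids.append({
            "hash_oid": decode_oid(der_children(alg[1])[0][1]),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": serial[1].hex(),
        })
    return cert_ids


def classify_http(event):
    """Label a request as an OS revocation check or leave it unexplained."""
    try:
        cert_ids = parse_ocsp_get_path(event["path"])
    except (ValueError, IndexError):        # binascii.Error is a ValueError
        cert_ids = None
    if cert_ids and event.get("user-agent", "").startswith("Microsoft-CryptoAPI"):
        return "ocsp_revocation_check", cert_ids
    return "unexplained", None


def classify_connection(conn, resolved_ips, common_ports=(80, 443, 53)):
    """Flag connections to an IP no DNS answer produced, on an uncommon port."""
    if conn["ip"] not in resolved_ips and conn["port"] not in common_ports:
        return "direct_to_ip_uncommon_port"
    return "resolved_or_common_port"


if __name__ == "__main__":
    print(classify_http(SAMPLE_HTTP))
    print(classify_connection(SAMPLE_CONNECTION, RESOLVED_IPS))
```

Decoding the path rather than trusting the hostname matters because the same "benign OCSP" shape is easy to fake: a request is only accepted as a revocation check when the path parses as a well-formed OCSPRequest whose CertID uses a real hash algorithm OID (SHA-1, 1.3.14.3.2.26, in this capture) and the user agent is CryptoAPI's. The 185.217.1.137:8494 entry is the one to carry into blocking and hunting; the sandbox recorded it as dead, which is common for a controller that has already moved.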