nanocore | 65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10

General

Target

Update on Stamp Duty Charges on Paga.pdf.scr
Size

474KB
MD5

931d6095b12f270ab926dd037d3b8430
SHA1

ae8832bcefff293fd6d4c29d00362e3ed5a2202c
SHA256

65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10
SHA512

c69971083b4fbbb7b3c8098f1fdc7edc8b66642d04ac0f2fe795eae4f1a5cd0dac08658e2814ee2a31e3b3472f4def59056c1142d4d63eece3ad7368e8aa67d2

Score

10^/10

evasion trojan keylogger stealer spyware nanocore persistence

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

grace532.sytes.net:1919

Mutex

02171e57-d8c6-4512-9969-2622471b4b14

Attributes

activate_away_mode
true
backup_connection_host
grace532.sytes.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-04-10T08:21:11.593844436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1919
default_group
New House New Grace
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
02171e57-d8c6-4512-9969-2622471b4b14
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
grace532.sytes.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe"	RegAsm.exe

Suspicious use of SetThreadContext 27 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	pid	process	target process
PID 1156 set thread context of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 set thread context of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 set thread context of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1612 set thread context of 1868	1612	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1944 set thread context of 2036	1944	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 684 set thread context of 1152	684	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1076 set thread context of 648	1076	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 280 set thread context of 1492	280	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1856 set thread context of 1532	1856	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1936 set thread context of 1752	1936	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1584 set thread context of 1944	1584	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 932 set thread context of 684	932	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1704 set thread context of 1428	1704	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1656 set thread context of 1576	1656	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 288 set thread context of 1804	288	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1352 set thread context of 1332	1352	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1040 set thread context of 1792	1040	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1020 set thread context of 1540	1020	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1676 set thread context of 1940	1676	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1144 set thread context of 1660	1144	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 852 set thread context of 1920	852	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1808 set thread context of 1892	1808	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2044 set thread context of 1840	2044	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1628 set thread context of 1468	1628	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1072 set thread context of 1776	1072	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1768 set thread context of 1140	1768	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1844 set thread context of 548	1844	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 11603 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scr

pid	process
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr
1156	Update on Stamp Duty Charges on Paga.pdf.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

844 RegAsm.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

pid	process
844	RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Drops startup file 2 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Update on Stamp Duty Charges on Paga.pdf.scr
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Update on Stamp Duty Charges on Paga.pdf.scr

Suspicious use of WriteProcessMemory 440 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrRegAsm.exeUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	pid	process	target process
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 844	1156	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1156 wrote to memory of 316	1156	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1156 wrote to memory of 316	1156	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1156 wrote to memory of 316	1156	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1156 wrote to memory of 316	1156	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1156 wrote to memory of 316	1156	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1156 wrote to memory of 316	1156	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1156 wrote to memory of 316	1156	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 844 wrote to memory of 272	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 272	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 272	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 272	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 272	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 272	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 272	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 768	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 768	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 768	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 768	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 768	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 768	844	RegAsm.exe	schtasks.exe
PID 844 wrote to memory of 768	844	RegAsm.exe	schtasks.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1548	316	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 316 wrote to memory of 1140	316	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 316 wrote to memory of 1140	316	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 316 wrote to memory of 1140	316	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 316 wrote to memory of 1140	316	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 316 wrote to memory of 1140	316	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 316 wrote to memory of 1140	316	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 316 wrote to memory of 1140	316	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1796	1140	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1140 wrote to memory of 1612	1140	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1140 wrote to memory of 1612	1140	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1140 wrote to memory of 1612	1140	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1140 wrote to memory of 1612	1140	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1140 wrote to memory of 1612	1140	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1140 wrote to memory of 1612	1140	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1140 wrote to memory of 1612	1140	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1612 wrote to memory of 1868	1612	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1612 wrote to memory of 1868	1612	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1612 wrote to memory of 1868	1612	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1612 wrote to memory of 1868	1612	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1612 wrote to memory of 1868	1612	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe

Suspicious behavior: MapViewOfSection 30 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

pid	process
1156	Update on Stamp Duty Charges on Paga.pdf.scr
316	Update on Stamp Duty Charges on Paga.pdf.scr
1140	Update on Stamp Duty Charges on Paga.pdf.scr
1612	Update on Stamp Duty Charges on Paga.pdf.scr
1944	Update on Stamp Duty Charges on Paga.pdf.scr
684	Update on Stamp Duty Charges on Paga.pdf.scr
1076	Update on Stamp Duty Charges on Paga.pdf.scr
280	Update on Stamp Duty Charges on Paga.pdf.scr
1856	Update on Stamp Duty Charges on Paga.pdf.scr
1936	Update on Stamp Duty Charges on Paga.pdf.scr
1584	Update on Stamp Duty Charges on Paga.pdf.scr
1584	Update on Stamp Duty Charges on Paga.pdf.scr
932	Update on Stamp Duty Charges on Paga.pdf.scr
1704	Update on Stamp Duty Charges on Paga.pdf.scr
1656	Update on Stamp Duty Charges on Paga.pdf.scr
288	Update on Stamp Duty Charges on Paga.pdf.scr
1352	Update on Stamp Duty Charges on Paga.pdf.scr
1040	Update on Stamp Duty Charges on Paga.pdf.scr
1020	Update on Stamp Duty Charges on Paga.pdf.scr
1676	Update on Stamp Duty Charges on Paga.pdf.scr
1676	Update on Stamp Duty Charges on Paga.pdf.scr
1144	Update on Stamp Duty Charges on Paga.pdf.scr
852	Update on Stamp Duty Charges on Paga.pdf.scr
1808	Update on Stamp Duty Charges on Paga.pdf.scr
2044	Update on Stamp Duty Charges on Paga.pdf.scr
1628	Update on Stamp Duty Charges on Paga.pdf.scr
1072	Update on Stamp Duty Charges on Paga.pdf.scr
1768	Update on Stamp Duty Charges on Paga.pdf.scr
1768	Update on Stamp Duty Charges on Paga.pdf.scr
1844	Update on Stamp Duty Charges on Paga.pdf.scr

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrRegAsm.exeUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	pid	process
Token: SeDebugPrivilege	1156	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	844	RegAsm.exe
Token: SeDebugPrivilege	316	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1140	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1612	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1944	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	684	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1076	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	280	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1856	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1936	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1584	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	932	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1704	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1656	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	288	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1352	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1040	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1020	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1676	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1144	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	852	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1808	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	2044	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1628	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1072	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1768	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1844	Update on Stamp Duty Charges on Paga.pdf.scr

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\WAN Subsystem\wanss.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\WAN Subsystem\wanss.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

272 schtasks.exe
768 schtasks.exe

pid	process
272	schtasks.exe
768	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Adds Run entry to start application
- Suspicious behavior: GetForegroundWindowSpam
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Drops file in Program Files directory
PID:844

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3F31.tmp"
3⤵
- Creates scheduled task(s)
PID:272

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp"
3⤵
- Creates scheduled task(s)
PID:768

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
2⤵
- Suspicious use of SetThreadContext
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
13⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
14⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
15⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
17⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
18⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
19⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
20⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
21⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
22⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
23⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
24⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
25⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
26⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
27⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
28⤵
PID:548

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
28⤵
PID:1144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F31.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Download Submit
memory/272-5-0x0000000000000000-mapping.dmp

Download
memory/280-39-0x0000000000000000-mapping.dmp

Download
memory/288-74-0x0000000000000000-mapping.dmp

Download
memory/316-4-0x0000000000000000-mapping.dmp

Download
memory/548-136-0x000000000041E792-mapping.dmp

Download
memory/648-36-0x000000000041E792-mapping.dmp

Download
memory/684-61-0x000000000041E792-mapping.dmp

Download
memory/684-29-0x0000000000000000-mapping.dmp

Download
memory/768-7-0x0000000000000000-mapping.dmp

Download
memory/844-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/844-1-0x000000000041E792-mapping.dmp

Download
memory/844-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/844-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/852-104-0x0000000000000000-mapping.dmp

Download
memory/932-59-0x0000000000000000-mapping.dmp

Download
memory/1020-89-0x0000000000000000-mapping.dmp

Download
memory/1040-84-0x0000000000000000-mapping.dmp

Download
memory/1072-124-0x0000000000000000-mapping.dmp

Download
memory/1076-34-0x0000000000000000-mapping.dmp

Download
memory/1140-131-0x000000000041E792-mapping.dmp

Download
memory/1140-13-0x0000000000000000-mapping.dmp

Download
memory/1144-99-0x0000000000000000-mapping.dmp

Download
memory/1144-139-0x0000000000000000-mapping.dmp

Download
memory/1152-31-0x000000000041E792-mapping.dmp

Download
memory/1332-81-0x000000000041E792-mapping.dmp

Download
memory/1352-79-0x0000000000000000-mapping.dmp

Download
memory/1428-66-0x000000000041E792-mapping.dmp

Download
memory/1468-121-0x000000000041E792-mapping.dmp

Download
memory/1492-41-0x000000000041E792-mapping.dmp

Download
memory/1532-46-0x000000000041E792-mapping.dmp

Download
memory/1540-91-0x000000000041E792-mapping.dmp

Download
memory/1548-10-0x000000000041E792-mapping.dmp

Download
memory/1576-71-0x000000000041E792-mapping.dmp

Download
memory/1584-54-0x0000000000000000-mapping.dmp

Download
memory/1612-19-0x0000000000000000-mapping.dmp

Download
memory/1628-119-0x0000000000000000-mapping.dmp

Download
memory/1656-69-0x0000000000000000-mapping.dmp

Download
memory/1660-101-0x000000000041E792-mapping.dmp

Download
memory/1676-94-0x0000000000000000-mapping.dmp

Download
memory/1704-64-0x0000000000000000-mapping.dmp

Download
memory/1752-51-0x000000000041E792-mapping.dmp

Download
memory/1768-129-0x0000000000000000-mapping.dmp

Download
memory/1776-126-0x000000000041E792-mapping.dmp

Download
memory/1792-86-0x000000000041E792-mapping.dmp

Download
memory/1796-16-0x000000000041E792-mapping.dmp

Download
memory/1804-76-0x000000000041E792-mapping.dmp

Download
memory/1808-109-0x0000000000000000-mapping.dmp

Download
memory/1840-116-0x000000000041E792-mapping.dmp

Download
memory/1844-134-0x0000000000000000-mapping.dmp

Download
memory/1856-44-0x0000000000000000-mapping.dmp

Download
memory/1868-21-0x000000000041E792-mapping.dmp

Download
memory/1892-111-0x000000000041E792-mapping.dmp

Download
memory/1920-106-0x000000000041E792-mapping.dmp

Download
memory/1936-49-0x0000000000000000-mapping.dmp

Download
memory/1940-96-0x000000000041E792-mapping.dmp

Download
memory/1944-56-0x000000000041E792-mapping.dmp

Download
memory/1944-24-0x0000000000000000-mapping.dmp

Download
memory/2036-26-0x000000000041E792-mapping.dmp

Download
memory/2044-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads