Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7v20201028
submitted: 21-01-2021 17:14

Static task: static1
Behavioral task: behavioral1 (sample: PROOF OF PAYMENT.exe, resource: win7v20201028)
Behavioral task: behavioral2 (sample: PROOF OF PAYMENT.exe, resource: win10v20201028)
General

Target: PROOF OF PAYMENT.exe
Size: 1.1MB
MD5: dcf168394ef0a6d6774b099dd8493b75
SHA1: 565c77fa9f7f22229ff5aabad52f6f9e0c5fbce0
SHA256: 373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79
SHA512: 6f19bd8c1ce255848fc9e60b92b758ac960c81e3cb4c3c7bc5e520de5b03cfc0a2244891150b50ecc179fc35a9d7f9477e567bdd275b32b4873fe640dafe7ac9
Malware Config

Extracted
  Family: nanocore
  Version: 1.2.2.0
  C2: amechi.duckdns.org:3190
  Mutex: c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81

  activate_away_mode: true
  backup_connection_host: amechi.duckdns.org
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2020-11-02T13:48:01.329593636Z
  bypass_user_account_control: true
  bypass_user_account_control_data: (empty)
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 3190
  default_group: OJO 202111111111
  enable_debug_mode: true
  gc_threshold: 1.048576e+07 (10485760, i.e. 10 MiB)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07 (10485760, i.e. 10 MiB)
  mutex: c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: amechi.duckdns.org
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000

Primary and backup connection hosts are the same dynamic-DNS name, so the only network pivot this config yields is amechi.duckdns.org on port 3190. The primary/backup DNS servers (8.8.8.8 / 8.8.4.4) are not in use because use_custom_dns_server is false. Note that run_on_startup is false here even though the behavioural run below shows a Run key being written; treat the config flags as hints, not as the ground truth for persistence.
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" (process: PROOF OF PAYMENT.exe, PID 1072)
  The value lands under Wow6432Node because the 32-bit process is subject to WOW64 registry redirection on the x64 sandbox; on a 32-bit host the same write would appear under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: PROOF OF PAYMENT.exe, PID 1072)
  Consistent with bypass_user_account_control = true and request_elevation = true in the extracted config.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description for the rule. The sample is a NanoCore RAT (see Malware Config), so drive enumeration here is not by itself evidence of ransomware.

Suspicious use of SetThreadContext (1 IoC)
  PID 1924 (PROOF OF PAYMENT.exe) set thread context of PID 1072 (PROOF OF PAYMENT.exe)
  Together with the WriteProcessMemory entries below and the child's "{path}" command line, this is the process-hollowing pattern: the first instance launches a second copy of itself, writes into it and redirects its thread; the persistence and UAC-check behaviours are then observed in PID 1072.

Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files (x86)\WPA Host\wpahost.exe (process: PROOF OF PAYMENT.exe, PID 1072)
  File created: C:\Program Files (x86)\WPA Host\wpahost.exe (process: PROOF OF PAYMENT.exe, PID 1072)

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Here the task is registered by schtasks.exe (PID 1628) under the name Updates\pJrVfPIhXgkUp from the XML definition C:\Users\Admin\AppData\Local\Temp\tmpA9D6.tmp (hashes under Downloads); the full command line is in the Processes section.

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 1924 PROOF OF PAYMENT.exe (4 entries)
  PID 1072 PROOF OF PAYMENT.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1072 PROOF OF PAYMENT.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1924 PROOF OF PAYMENT.exe
  Token: SeDebugPrivilege, PID 1072 PROOF OF PAYMENT.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1924 (PROOF OF PAYMENT.exe) wrote to memory of PID 1628 (schtasks.exe): 4 entries
  PID 1924 (PROOF OF PAYMENT.exe) wrote to memory of PID 1072 (PROOF OF PAYMENT.exe): 9 entries
  A handful of writes into a freshly spawned child is what any parent performs as part of CreateProcess and is not suspicious on its own; the nine writes into PID 1072 are consistent with the payload being placed into the hollowed child.
Processes
(PIDs taken from the Signatures section.)

1. C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe (PID 1924)
   Command line: "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\schtasks.exe (PID 1628)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pJrVfPIhXgkUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9D6.tmp"
      - Creates scheduled task(s)
      The command line names System32 but the image that ran is the SysWOW64 copy: the 32-bit parent is subject to WOW64 file-system redirection on the x64 sandbox.

   2. C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe (PID 1072)
      Command line: "{path}"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
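The process tree and the registry and file IoCs above describe behaviours a defender can alert on without the sandbox: schtasks.exe creating a task from an XML file in the user's temp directory on behalf of a parent that itself runs from that directory, a binary re-launching itself as its own child (the hollowing host with the "{path}" command line), a Run value pointing at a binary the same process has just dropped under Program Files (x86), and, from the extracted config, the C2 host and port. The following is an added example, not the sandbox's own rules: Python detection logic run over a constructed, Sysmon-like event list that mirrors this report's PIDs, paths and command lines. The event records, their field names and the benign control events are this example's own and are not captured telemetry.

```python
"""Behavioural detections for the process tree and IoCs in this report.

Added example, not the sandbox's own rules. EVENTS is constructed to mirror
the report (same PIDs, paths and command lines) and is not captured
telemetry; the field names are Sysmon-like but this example's own.
"""
import re

# Indicators lifted from the Malware Config section.
C2_HOST = "amechi.duckdns.org"
C2_PORT = 3190

USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PROG_X86 = re.compile(r"^c:\\program files \(x86\)\\", re.I)
XML_ARG = re.compile(r'/xml\s+"?([^"]+)"?', re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run\\", re.I)

# Constructed events: PID 1924 spawns schtasks.exe (1628) and a copy of itself (1072);
# the copy drops wpahost.exe, writes the Run value and connects to the C2.
EVENTS = [
    {"type": "process_create", "pid": 1924, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"'},
    {"type": "process_create", "pid": 1628, "ppid": 1924,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pJrVfPIhXgkUp" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpA9D6.tmp"'},
    {"type": "process_create", "pid": 1072, "ppid": 1924,
     "image": r"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe",
     "cmdline": '"{path}"'},
    {"type": "file_create", "pid": 1072,
     "path": r"C:\Program Files (x86)\WPA Host\wpahost.exe"},
    {"type": "registry_set", "pid": 1072,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host",
     "value": r"C:\Program Files (x86)\WPA Host\wpahost.exe"},
    {"type": "network_connect", "pid": 1072, "dst_host": "amechi.duckdns.org", "dst_port": 3190},
    # Benign controls (constructed): an admin shell registering a task from ProgramData.
    {"type": "process_create", "pid": 1800, "ppid": 1000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process_create", "pid": 2000, "ppid": 1800,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /XML "C:\ProgramData\backup.xml"'},
]


def detect(events):
    """Return (rule, pid) for each event matching one of the four rules, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    created = {(e["pid"], e["path"].lower()) for e in events if e["type"] == "file_create"}
    hits = []
    for e in events:
        if e["type"] == "process_create":
            image, parent = e["image"].lower(), procs.get(e["ppid"])
            # Rule 1: schtasks /Create with an /XML file in %TEMP%, launched by a binary in %TEMP%.
            if image.endswith("\\schtasks.exe") and "/create" in e["cmdline"].lower():
                m = XML_ARG.search(e["cmdline"])
                if m and USER_TEMP.match(m.group(1)) and parent and USER_TEMP.match(parent["image"]):
                    hits.append(("schtasks_xml_from_temp", e["pid"]))
            # Rule 2: a %TEMP% binary re-launched as its own child (the hollowing host;
            # in this report recognisable by the "{path}" placeholder command line).
            if parent and parent["image"].lower() == image and USER_TEMP.match(image):
                hits.append(("self_spawn_from_temp", e["pid"]))
        elif e["type"] == "registry_set":
            # Rule 3: Run value pointing at a Program Files (x86) binary that the same
            # process created, i.e. persistence to a freshly dropped copy.
            if (RUN_KEY.search(e["key"]) and PROG_X86.match(e["value"])
                    and (e["pid"], e["value"].lower()) in created):
                hits.append(("run_key_to_dropped_binary", e["pid"]))
        elif e["type"] == "network_connect":
            # Rule 4: outbound connection to the configured C2 host and port.
            if e["dst_host"].lower() == C2_HOST and e["dst_port"] == C2_PORT:
                hits.append(("nanocore_c2", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:<26} pid={pid}")
```

Run as-is, the script reports the schtasks call (PID 1628), the self-spawn (PID 1072), the Run value to the dropped wpahost.exe and the C2 connection, and stays silent on the constructed cmd.exe-driven schtasks call. Rule 2 fires on any same-image respawn from %TEMP%; in production narrow it with a signature or prevalence check, since some installers legitimately re-execute themselves.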
Network
(no entries in this report)

MITRE ATT&CK Matrix (ATT&CK v6)
(no entries in this report)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA9D6.tmp (the task XML passed to schtasks.exe)
  MD5: 2e390643630702f6edd5dc6a81f25673
  SHA1: 55beb4afe68a3114e5153a7a41b1d28e488de8cd
  SHA256: b44b150ff9764c86ede532b3854e49b9409b667ba0cd979bc8d9f181ea8fd2f2
  SHA512: bfe690ac7e4ad79a9fb32a5ad0d9422a3c20904425db02c9c58cedb1429c96a5a768df182ab8f72873fa2ffaa03b705fa495daf75e1da94a47befe57d8e2812a

Memory dumps (grouped by PID, in dump-index order; sizes as reported, consistent with the ranges):

  PID 1924 (first instance)
  memory/1924-2-0x00000000742C0000-0x00000000749AE000-memory.dmp | 0x742C0000-0x749AE000 | 6.9MB
  memory/1924-3-0x0000000001350000-0x0000000001351000-memory.dmp | 0x01350000-0x01351000 | 4KB
  memory/1924-5-0x0000000006E80000-0x0000000006F77000-memory.dmp | 0x06E80000-0x06F77000 | 988KB
  memory/1924-6-0x0000000000A50000-0x0000000000A51000-memory.dmp | 0x00A50000-0x00A51000 | 4KB
  memory/1924-7-0x00000000003A0000-0x00000000003AE000-memory.dmp | 0x003A0000-0x003AE000 | 56KB
  memory/1924-8-0x0000000004C10000-0x0000000004CA1000-memory.dmp | 0x04C10000-0x04CA1000 | 580KB

  PID 1628 (schtasks.exe)
  memory/1628-9-0x0000000000000000-mapping.dmp | mapping at 0x00000000 | (no region dumped)

  PID 1072 (second instance, hollowed child)
  memory/1072-11-0x0000000000400000-0x0000000000438000-memory.dmp | 0x00400000-0x00438000 | 224KB
  memory/1072-12-0x000000000041E792-mapping.dmp | mapping at 0x0041E792 |
  memory/1072-13-0x00000000742C0000-0x00000000749AE000-memory.dmp | 0x742C0000-0x749AE000 | 6.9MB
  memory/1072-14-0x0000000000400000-0x0000000000438000-memory.dmp | 0x00400000-0x00438000 | 224KB
  memory/1072-16-0x00000000004C0000-0x00000000004C5000-memory.dmp | 0x004C0000-0x004C5000 | 20KB
  memory/1072-17-0x0000000000600000-0x0000000000619000-memory.dmp | 0x00600000-0x00619000 | 100KB
  memory/1072-18-0x0000000000510000-0x0000000000511000-memory.dmp | 0x00510000-0x00511000 | 4KB
  memory/1072-19-0x0000000000550000-0x0000000000553000-memory.dmp | 0x00550000-0x00553000 | 12KB

The 0x41E792 mapping address recorded for PID 1072 falls inside the 0x400000-0x438000 region, the only dumped range of that process containing it; that range starts at the default 32-bit image base and was dumped twice (indexes 11 and 14), before and after the SetThreadContext call, which is where to look for the unpacked payload. The 0x742C0000-0x749AE000 range appears in both PROOF OF PAYMENT.exe instances.
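The dump list is easier to use once it is grouped by PID and each mapping address is checked against the dumped regions of the same process. The following is an added example, not part of the sandbox output: it parses the artefact names above (copied verbatim into DUMPS), reports which dumped region of PID 1072 contains its 0x41E792 mapping address, renders sizes the way the report does, and lists address ranges that appear in more than one process. Reading the "-mapping.dmp" address as the thread start that the parent set in the child through SetThreadContext is an assumption; the report itself labels it only as a mapping.

```python
"""Map the per-PID memory dumps listed above and locate the injection target.

Added example; not part of the sandbox output. DUMPS copies the artefact names
from the Downloads section verbatim. Treating the "-mapping.dmp" address as
the thread start address set in PID 1072 via SetThreadContext is an
assumption; the report labels it only "mapping".
"""
import re
from collections import defaultdict

DUMPS = [
    "memory/1072-16-0x00000000004C0000-0x00000000004C5000-memory.dmp",
    "memory/1072-14-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/1072-19-0x0000000000550000-0x0000000000553000-memory.dmp",
    "memory/1072-18-0x0000000000510000-0x0000000000511000-memory.dmp",
    "memory/1072-17-0x0000000000600000-0x0000000000619000-memory.dmp",
    "memory/1072-11-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/1072-13-0x00000000742C0000-0x00000000749AE000-memory.dmp",
    "memory/1072-12-0x000000000041E792-mapping.dmp",
    "memory/1628-9-0x0000000000000000-mapping.dmp",
    "memory/1924-3-0x0000000001350000-0x0000000001351000-memory.dmp",
    "memory/1924-5-0x0000000006E80000-0x0000000006F77000-memory.dmp",
    "memory/1924-2-0x00000000742C0000-0x00000000749AE000-memory.dmp",
    "memory/1924-8-0x0000000004C10000-0x0000000004CA1000-memory.dmp",
    "memory/1924-7-0x00000000003A0000-0x00000000003AE000-memory.dmp",
    "memory/1924-6-0x0000000000A50000-0x0000000000A51000-memory.dmp",
]

REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)
MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-mapping\.dmp$", re.I)


def parse(names):
    """Split dump names into per-PID region dumps and mapping records.

    Returns (regions, mappings): regions[pid] -> [(idx, start, end)],
    mappings[pid] -> [(idx, addr)], each list sorted by the sandbox's dump index.
    """
    regions, mappings = defaultdict(list), defaultdict(list)
    for name in names:
        if m := REGION.match(name):
            pid, idx, start, end = m.groups()
            regions[int(pid)].append((int(idx), int(start, 16), int(end, 16)))
        elif m := MAPPING.match(name):
            pid, idx, addr = m.groups()
            mappings[int(pid)].append((int(idx), int(addr, 16)))
        else:
            raise ValueError(f"unrecognised dump name: {name}")
    for table in (regions, mappings):
        for pid in table:
            table[pid].sort()
    return dict(regions), dict(mappings)


def fmt_size(start, end):
    """Render a region size the way the report does: KB below 1 MiB, else one-decimal MB."""
    n = end - start
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"


def locate(names, pid):
    """Dumped regions of `pid` that contain that PID's mapping address (empty if none)."""
    regions, mappings = parse(names)
    hits = []
    for _, addr in mappings.get(pid, []):
        hits += [r for r in regions.get(pid, []) if r[1] <= addr < r[2]]
    return hits


def shared_ranges(names):
    """Identical address ranges dumped from more than one PID (e.g. a common runtime module)."""
    regions, _ = parse(names)
    seen = defaultdict(set)
    for pid, rs in regions.items():
        for _, start, end in rs:
            seen[(start, end)].add(pid)
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    for idx, start, end in locate(DUMPS, 1072):
        print(f"PID 1072 mapping lies in dump {idx}: {start:#x}-{end:#x} ({fmt_size(start, end)})")
    print("PID 1628:", locate(DUMPS, 1628) or "no region dumped")
    print("shared:", shared_ranges(DUMPS))
```

The functions take any list of dump names in this report's naming scheme, so the same script works on another report's Downloads section. The hit on indexes 11 and 14 for PID 1072 means the before/after dumps of the child's image range are the two artefacts worth diffing to recover the unpacked payload.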