Analysis
-
max time kernel
16s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
19-04-2021 03:56
Static task
static1
Behavioral task
behavioral1
Sample
HSBC Payment Transfer CopyPDF.exe
Resource
win7v20210408
General
-
Target
HSBC Payment Transfer CopyPDF.exe
-
Size
323KB
-
MD5
adc177e2f5d7228446d98dcb388da1c9
-
SHA1
3e7228d6d8e664c18e7f7e4ffe4b0845ff97cc1b
-
SHA256
9d41101cd1d384aa0fb3b2bf1ae720af44623bb3bcf6ccd9697a88489801eb1b
-
SHA512
a47fd211e63db2a4a0b788782fad728745ffa02a187f1bae3694ff08a86ef2c824a972bc61c7698d7484bf2754a31c757608fad0831f84f6dd110c2d70b52c3b
Malware Config
Extracted
nanocore
1.2.2.0
gentle.duckdns.org:8709
8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
-
activate_away_mode
true
-
backup_connection_host
gentle.duckdns.org
-
backup_dns_server
gentle.duckdns.org
-
buffer_size
65535
-
build_time
2021-01-24T18:45:28.005456836Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8709
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
gentle.duckdns.org
-
primary_dns_server
gentle.duckdns.org
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
pid 1096: HSBC Payment Transfer CopyPDF.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"
process: HSBC Payment Transfer CopyPDF.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: HSBC Payment Transfer CopyPDF.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 1096 set thread context of 1944
process: HSBC Payment Transfer CopyPDF.exe (pid 1096)
target process: HSBC Payment Transfer CopyPDF.exe (pid 1944)
-
Drops file in Program Files directory 2 IoCs
Processes:
description: File created
ioc: C:\Program Files (x86)\DPI Service\dpisv.exe
process: HSBC Payment Transfer CopyPDF.exe
description: File opened for modification
ioc: C:\Program Files (x86)\DPI Service\dpisv.exe
process: HSBC Payment Transfer CopyPDF.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid 1944: HSBC Payment Transfer CopyPDF.exe (5 occurrences)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1944: HSBC Payment Transfer CopyPDF.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 1096: HSBC Payment Transfer CopyPDF.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege
pid 1944: HSBC Payment Transfer CopyPDF.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
PID 1096 (HSBC Payment Transfer CopyPDF.exe) wrote to memory of 1944 (HSBC Payment Transfer CopyPDF.exe): 5 occurrences
PID 1944 (HSBC Payment Transfer CopyPDF.exe) wrote to memory of 464 (schtasks.exe): 4 occurrences
PID 1944 (HSBC Payment Transfer CopyPDF.exe) wrote to memory of 1716 (schtasks.exe): 4 occurrences
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1096
-
Level 2: C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
-
Level 3: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp85D3.tmp"
- Creates scheduled task(s)
PID:464
-
Level 3: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp87A8.tmp"
- Creates scheduled task(s)
PID:1716
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp85D3.tmp
MD5
9d2ca538050190b22592ee40baf669c2
SHA1
fae87df756aa0f4bf13ce83cebbff5cf5b41caa0
SHA256
b36d16d4811b204d76e5657729a4ee94e381ecba0cbf1f75aa5590747373342a
SHA512
7b3b6852688252a5ff38acda6cd47c0f83ec04597d28c8579b195d5155eece82682cbe4441490b0f1e431afc15bed9dd0146495c043fe9cc483f8cfbd24f23d9
-
C:\Users\Admin\AppData\Local\Temp\tmp87A8.tmp
MD5
a9af285136db016a568e4a53208f21d0
SHA1
e1afef2b7ee8ae945353315daa19a15574b435b7
SHA256
7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c
SHA512
80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e
-
\Users\Admin\AppData\Local\Temp\nsn75ED.tmp\x8jhsg4r.dll
MD5
b5a88f4bcf2d4465d9408931b028778c
SHA1
5b1c7d0a8d63f7b95026b49d41989f337008c0f0
SHA256
b51382d07aee1b35e0ed65d4dac771e35e51b7095303552f654312494f756cc3
SHA512
07a1b3cc1fcb990f8fc8d0af0387fb66ff167d6e66f75c02ce0289cc87b8e163e633c9f21bb714bdf192b3e072afc201ad7e4652696e87e3da3150465f56df01