Analysis
- max time kernel: 13s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 19-04-2021 03:56
- Static task: static1
- Behavioral task: behavioral1 (Sample: HSBC Payment Transfer CopyPDF.exe; Resource: win7v20210408)
General
- Target: HSBC Payment Transfer CopyPDF.exe
- Size: 323KB
- MD5: adc177e2f5d7228446d98dcb388da1c9
- SHA1: 3e7228d6d8e664c18e7f7e4ffe4b0845ff97cc1b
- SHA256: 9d41101cd1d384aa0fb3b2bf1ae720af44623bb3bcf6ccd9697a88489801eb1b
- SHA512: a47fd211e63db2a4a0b788782fad728745ffa02a187f1bae3694ff08a86ef2c824a972bc61c7698d7484bf2754a31c757608fad0831f84f6dd110c2d70b52c3b
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: gentle.duckdns.org:8709
- Mutex: 8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
- activate_away_mode: true
- backup_connection_host: gentle.duckdns.org
- backup_dns_server: gentle.duckdns.org
- buffer_size: 65535
- build_time: 2021-01-24T18:45:28.005456836Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not present on the page)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8709
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760 (10 MiB; shown as 1.048576e+07 in the raw report)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (10 MiB; shown as 1.048576e+07 in the raw report)
- mutex: 8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: gentle.duckdns.org
- primary_dns_server: gentle.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Notes on the config: the primary host, backup host, both DNS-server fields and the C2 line all carry the same dynamic-DNS name, gentle.duckdns.org, on TCP 8709, so that hostname is the one network IOC worth blocking and monitoring (the IP behind a duckdns name can change at any time). set_critical_process is true: if the running payload honours it, killing the process bugchecks the host, so suspend the process (or clear the critical flag with a tool that can) rather than terminate it during response. run_on_startup is false, yet the behavioural trace below records a Run key and two scheduled tasks; this flag does not describe the sample's persistence, so judge persistence from the trace, not from the config alone.
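The config above is printed as flat key/value pairs. The following is an added example, not the sandbox's or NanoCore's code, that parses that layout into typed values and pulls out the IOCs and handling flags a responder needs. CONFIG_TEXT is a constructed excerpt of the fields shown on this page; the function and constant names are the example's own.

```python
"""Parse the flattened NanoCore config block of a sandbox report and derive
IOCs from it.  Added example (not the sandbox's or NanoCore's code); the
config text below is a constructed excerpt of the fields shown on this page."""
import re

# Constructed excerpt of the page's config block: family, version, C2,
# mutex, then "-"-separated key/value pairs (key on one line, value on the next).
CONFIG_TEXT = """\
nanocore
1.2.2.0
gentle.duckdns.org:8709
8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
-
activate_away_mode
true
-
backup_connection_host
gentle.duckdns.org
-
bypass_user_account_control
false
-
clear_access_control
true
-
connection_port
8709
-
gc_threshold
1.048576e+07
-
keyboard_logging
false
-
mutex
8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
-
primary_connection_host
gentle.duckdns.org
-
run_on_startup
false
-
set_critical_process
true
-
version
1.2.2.0
"""


def _coerce(raw: str):
    """Map the report's string values onto bool / int / float / str."""
    value = raw.strip()
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    # Numbers may be printed in scientific notation (1.048576e+07 == 10485760).
    if re.fullmatch(r"[0-9.]+(e[+-]?\d+)?", value, re.I):
        try:
            number = float(value)
            return int(number) if number.is_integer() else number
        except ValueError:   # e.g. "1.2.2.0" is a version string, not a number
            pass
    return value


def parse_nanocore_config(text: str) -> dict:
    """Return family/version/c2/mutex plus a typed settings dict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, c2, mutex = lines[:4]
    body = [ln for ln in lines[4:] if ln != "-"]
    if len(body) % 2:
        raise ValueError("unpaired key/value in config block")
    settings = {k: _coerce(v) for k, v in zip(body[0::2], body[1::2])}
    return {"family": family, "version": version, "c2": c2,
            "mutex": mutex, "settings": settings}


# Settings that change how the implant must be handled on a live host.
HANDLING_FLAGS = ("set_critical_process", "clear_access_control",
                  "bypass_user_account_control", "keyboard_logging")


def derive_iocs(cfg: dict) -> dict:
    """Network/host IOCs plus the handling flags that are switched on."""
    s = cfg["settings"]
    host, _, port = cfg["c2"].rpartition(":")
    hosts = {host} | {s[k] for k in ("primary_connection_host", "backup_connection_host",
                                     "primary_dns_server", "backup_dns_server") if k in s}
    ports = {int(port)} | ({int(s["connection_port"])} if "connection_port" in s else set())
    return {
        "hosts": sorted(hosts),
        "ports": sorted(ports),
        "mutex": cfg["mutex"],
        # The header version and the settings version should agree.
        "version_consistent": cfg["version"] == s.get("version"),
        "flags_on": [k for k in HANDLING_FLAGS if s.get(k) is True],
    }


if __name__ == "__main__":
    print(derive_iocs(parse_nanocore_config(CONFIG_TEXT)))
```

Deduplicating the host fields is the point of derive_iocs: four config fields collapse to a single hostname here, which is what goes into a DNS block list, and flags_on tells the responder up front that the process is marked critical before anyone reaches for Task Manager.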
Signatures
- Loads dropped DLL (1 IoC)
  Process: HSBC Payment Transfer CopyPDF.exe, PID 3176
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: HSBC Payment Transfer CopyPDF.exe (the PID 1140 instance, per the process tree below)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\Program Files (x86)\ISS Manager\issmgr.exe"
  Note: the extracted config says run_on_startup = false, yet the run adds this Run key and two scheduled tasks; judge persistence from the behavioural trace, not from that flag.
- Checks whether UAC is enabled
  Process: HSBC Payment Transfer CopyPDF.exe (PID 1140, per the process tree below)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  PID 3176 (HSBC Payment Transfer CopyPDF.exe) set the thread context of PID 1140, a second instance of the same binary. Together with the WriteProcessMemory events below this is the process-hollowing sequence: 3176 is the loader, 1140 is the hollowed child that runs the NanoCore payload.
- Drops file in Program Files directory (2 IoCs)
  Process: HSBC Payment Transfer CopyPDF.exe
  File created: C:\Program Files (x86)\ISS Manager\issmgr.exe
  File opened for modification: C:\Program Files (x86)\ISS Manager\issmgr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description adds "likely ransomware behaviour"; that is the heuristic's boilerplate, not a finding for this sample, whose extracted config identifies the NanoCore RAT.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe PID 2372, schtasks.exe PID 2812
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Process: HSBC Payment Transfer CopyPDF.exe PID 1140 (six occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: HSBC Payment Transfer CopyPDF.exe PID 1140
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: HSBC Payment Transfer CopyPDF.exe PID 3176
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: HSBC Payment Transfer CopyPDF.exe PID 1140, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 3176 (HSBC Payment Transfer CopyPDF.exe) wrote to memory of PID 1140 (HSBC Payment Transfer CopyPDF.exe): 4 events
  PID 1140 (HSBC Payment Transfer CopyPDF.exe) wrote to memory of PID 2372 (schtasks.exe): 3 events
  PID 1140 (HSBC Payment Transfer CopyPDF.exe) wrote to memory of PID 2812 (schtasks.exe): 3 events
  The four writes from 3176 into 1140 are the payload injection. The three writes into each schtasks child are consistent with a parent setting up a process it has just created and are not suspicious on their own.
Processes
- C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
  PID: 3176
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe (child of 3176)
    Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
    PID: 1140
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (child of 1140)
      Command line: "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp14C6.tmp"
      PID: 2372
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (child of 1140)
      Command line: "schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1573.tmp"
      PID: 2812
      - Creates scheduled task(s)

The tree reads as loader (3176) -> hollowed copy of itself (1140) -> two schtasks.exe children. schtasks runs from SysWOW64 and the Run key lands under WOW6432Node, so the sample is a 32-bit process on the x64 guest. Both task definitions are passed as XML files written to the user's Temp directory (/xml "...\Temp\tmpXXXX.tmp"), which is the detail to key on: legitimate task creation rarely imports XML from %TEMP%.
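The Signatures and process tree above boil down to four host detections: a Temp-hosted binary starting a copy of itself, a Temp-hosted process dropping into Program Files, a Run key written by a Temp-hosted process, and schtasks /create importing XML from %TEMP%. As an added example, not the sandbox's code, the following runs those checks over constructed Sysmon-style events modelled on this process tree. The Event record, the event IDs used (1 process create, 11 file create, 13 registry value set), the field names and the sample events are all assumptions of the example.

```python
"""Host detections for the behaviour in this report's process tree, run over
constructed Sysmon-style events.  Added example (not sandbox code): the Event
record, the event IDs (1 process create, 11 file create, 13 registry value
set) and the sample events are assumptions modelled on the page's tree."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    event_id: int            # 1 = process create, 11 = file create, 13 = registry value set
    pid: int
    image: str
    ppid: int = 0
    parent_image: str = ""
    command_line: str = ""
    target: str = ""         # file path (11) or registry value path (13)
    details: str = ""        # registry value data (13)


USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
PROGRAM_FILES = re.compile(r"^C:\\Program Files( \(x86\))?\\", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TASK_XML_IN_TEMP = re.compile(r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\tmp[0-9A-F]+\.tmp', re.I)


def self_spawn_from_temp(e: Event) -> bool:
    """A Temp-hosted binary starting a second copy of itself: the part of the
    SetThreadContext/WriteProcessMemory hollowing that process telemetry sees."""
    return (e.event_id == 1 and e.image.lower() == e.parent_image.lower()
            and bool(USER_TEMP.search(e.image)))


def drop_into_program_files(e: Event) -> bool:
    return (e.event_id == 11 and bool(USER_TEMP.search(e.image))
            and bool(PROGRAM_FILES.match(e.target)))


def run_key_from_temp(e: Event) -> bool:
    return (e.event_id == 13 and bool(RUN_KEY.search(e.target))
            and bool(USER_TEMP.search(e.image)))


def schtasks_xml_from_temp(e: Event) -> bool:
    """schtasks /create fed a task definition from %TEMP%\\tmpXXXX.tmp."""
    return (e.event_id == 1 and e.image.lower().endswith("\\schtasks.exe")
            and "/create" in e.command_line.lower()
            and bool(TASK_XML_IN_TEMP.search(e.command_line)))


RULES = [self_spawn_from_temp, drop_into_program_files,
         run_key_from_temp, schtasks_xml_from_temp]


def run_rules(events: List[Event]) -> List[Tuple[str, int]]:
    """(rule name, pid) for every event that trips a rule, in event order."""
    return [(rule.__name__, e.pid) for e in events for rule in RULES if rule(e)]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
# Constructed events modelled on the page's process tree, plus two benign ones.
EVENTS = [
    Event(1, 3176, SAMPLE, 4040, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    Event(1, 1140, SAMPLE, 3176, SAMPLE, f'"{SAMPLE}"'),
    Event(11, 1140, SAMPLE, target=r"C:\Program Files (x86)\ISS Manager\issmgr.exe"),
    Event(13, 1140, SAMPLE,
          target=r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager",
          details=r"C:\Program Files (x86)\ISS Manager\issmgr.exe"),
    Event(1, 2372, r"C:\Windows\SysWOW64\schtasks.exe", 1140, SAMPLE,
          r'"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp14C6.tmp"'),
    Event(1, 2812, r"C:\Windows\SysWOW64\schtasks.exe", 1140, SAMPLE,
          r'"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1573.tmp"'),
    # Benign: an admin script creating a task inline, and an installer's own Run key.
    Event(1, 5000, r"C:\Windows\System32\schtasks.exe", 4500, r"C:\Windows\System32\cmd.exe",
          r'schtasks /create /tn "Nightly Backup" /tr "C:\Tools\backup.cmd" /sc daily'),
    Event(13, 5100, r"C:\Program Files\Vendor\setup.exe",
          target=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
          details=r"C:\Program Files\Vendor\agent.exe"),
]

if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:<26} pid={pid}")
```

SetThreadContext and MapViewOfSection are not visible in ordinary process telemetry, so the self-spawn rule stands in for the hollowing; the Temp-path condition on each rule is what keeps installers and admin scripts (the two benign events) from firing.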
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp14C6.tmp (task XML passed to schtasks for "ISS Manager")
  MD5: 9d2ca538050190b22592ee40baf669c2
  SHA1: fae87df756aa0f4bf13ce83cebbff5cf5b41caa0
  SHA256: b36d16d4811b204d76e5657729a4ee94e381ecba0cbf1f75aa5590747373342a
  SHA512: 7b3b6852688252a5ff38acda6cd47c0f83ec04597d28c8579b195d5155eece82682cbe4441490b0f1e431afc15bed9dd0146495c043fe9cc483f8cfbd24f23d9
- C:\Users\Admin\AppData\Local\Temp\tmp1573.tmp (task XML passed to schtasks for "ISS Manager Task")
  MD5: ea7095fa975a5ac043c9de2899ce61d0
  SHA1: ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3
  SHA256: 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f
  SHA512: b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb
- \Users\Admin\AppData\Local\Temp\nssDA4.tmp\x8jhsg4r.dll (the dropped DLL loaded by PID 3176; an ns????.tmp directory under %TEMP% is the naming pattern NSIS installers use for their plugin directory, so the outer stub is most likely NSIS-packaged)
  MD5: b5a88f4bcf2d4465d9408931b028778c
  SHA1: 5b1c7d0a8d63f7b95026b49d41989f337008c0f0
  SHA256: b51382d07aee1b35e0ed65d4dac771e35e51b7095303552f654312494f756cc3
  SHA512: 07a1b3cc1fcb990f8fc8d0af0387fb66ff167d6e66f75c02ce0289cc87b8e163e633c9f21bb714bdf192b3e072afc201ad7e4652696e87e3da3150465f56df01
Memory dumps (pid-index: address range, size). The 288KB region at 0x00400000-0x00448000 in PID 1140, together with the mapping dump at 0x0040188B, is where to look for the injected NanoCore payload: 0x00400000 is the default image base of a 32-bit executable and PID 1140 is the hollowed child (see the SetThreadContext and WriteProcessMemory signatures above).
- memory/1140-123: 0x0000000004983000-0x0000000004984000 (4KB)
- memory/1140-148: 0x0000000006350000-0x0000000006351000 (4KB)
- memory/1140-132: 0x0000000005660000-0x0000000005665000 (20KB)
- memory/1140-133: 0x00000000056F0000-0x0000000005709000 (100KB)
- memory/1140-122: 0x0000000000400000-0x0000000000448000 (288KB)
- memory/1140-118: 0x0000000004990000-0x0000000004991000 (4KB)
- memory/1140-124: 0x0000000004980000-0x0000000004981000 (4KB)
- memory/1140-126: 0x0000000004E90000-0x0000000004E91000 (4KB)
- memory/1140-125: 0x0000000004982000-0x0000000004983000 (4KB)
- memory/1140-127: 0x0000000005000000-0x0000000005001000 (4KB)
- memory/1140-147: 0x00000000060A0000-0x00000000060AF000 (60KB)
- memory/1140-116: 0x00000000047D0000-0x0000000004803000 (204KB)
- memory/1140-146: 0x0000000006070000-0x0000000006099000 (164KB)
- memory/1140-115: 0x000000000040188B (mapping.dmp)
- memory/1140-145: 0x0000000006050000-0x000000000605A000 (40KB)
- memory/1140-134: 0x0000000004984000-0x0000000004985000 (4KB)
- memory/1140-119: 0x0000000004850000-0x0000000004851000 (4KB)
- memory/1140-135: 0x0000000005820000-0x0000000005823000 (12KB)
- memory/1140-136: 0x0000000005830000-0x000000000583D000 (52KB)
- memory/1140-137: 0x0000000005840000-0x0000000005855000 (84KB)
- memory/1140-138: 0x0000000005FD0000-0x0000000005FD6000 (24KB)
- memory/1140-139: 0x0000000005FE0000-0x0000000005FEC000 (48KB)
- memory/1140-140: 0x0000000005FF0000-0x0000000005FF7000 (28KB)
- memory/1140-141: 0x0000000006000000-0x0000000006006000 (24KB)
- memory/1140-142: 0x0000000006010000-0x000000000601D000 (52KB)
- memory/1140-143: 0x0000000006020000-0x0000000006029000 (36KB)
- memory/1140-144: 0x0000000006030000-0x000000000603F000 (60KB)
- memory/2372-128: 0x0000000000000000 (mapping.dmp)
- memory/2812-130: 0x0000000000000000 (mapping.dmp)
- memory/3176-120: 0x0000000003180000-0x0000000003181000 (4KB)
- memory/3176-121: 0x0000000003181000-0x0000000003183000 (8KB)