Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-05-2021 11:03
Static task: static1
Behavioral task: behavioral1
Sample: remittance slip.pdf.exe
Resource: win7v20210410
General
- Target: remittance slip.pdf.exe
- Size: 1.1MB
- MD5: ab02d19370377ebefa832e38e4f9531a
- SHA1: 79855a0e2d4378d91f987f0046a2d2f470ca3193
- SHA256: 645a6049e233daf9c05944e1644eb7ba86ec8368ebab70862e926eef9117dcbd
- SHA512: 70c97908e8dc50a4a741eaa4980977ee0a958ceb5c6c7aef94a4896c0b3ab9605a9efe7364570f5179f4adf715ff1339454b0172184ef08ac6c6ba1acaaec7f6
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: shahzad73.ddns.net:9036
C2: shahzad73.casacam.net:9036
Mutex: 655a2b03-a820-4abd-957f-5fd46068b31a
- activate_away_mode: true
- backup_connection_host: shahzad73.casacam.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-02-20T11:12:57.853166736Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not reproduced in this copy of the report)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9036
- default_group: MAY-BLESS
- enable_debug_mode: true
- gc_threshold: 10485760 (10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (10 MiB)
- mutex: 655a2b03-a820-4abd-957f-5fd46068b31a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: shahzad73.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000

Settings that matter when hunting or responding: both C2 hosts are dynamic-DNS names on the same port (9036), so pivot on the hostnames and the port rather than on whatever IP they resolved to during the run. use_custom_dns_server is false, so the 8.8.8.8 / 8.8.4.4 entries are unused defaults, not indicators. request_elevation is true while bypass_user_account_control is false, meaning the implant asks for elevation through a normal UAC prompt instead of a bypass, which is why the payload process queries EnableLUA (see Signatures). set_critical_process is true: the implant marks its process critical (the RtlSetProcessIsCritical mechanism), so terminating the hollowed RegSvcs.exe outright bugchecks the host; suspend it, or clear the critical flag first, when responding live. keyboard_logging is false in this build.
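The indicators an analyst would pull from this configuration, as an added example in Python (not part of the sandbox report): it parses an excerpt of the config in the raw report's "-" / key / value line layout (a "key: value" layout is accepted too), derives the hunt IOCs, and matches them against host telemetry. The hosts, port, mutex and DNS settings are the report's; the telemetry lines, their format, the 192.0.2.x addresses and the `Global\` mutex prefix are constructed assumptions.

```python
"""Derive hunt IOCs from the extracted NanoCore config and match them against
host telemetry.  Added example: config values are copied from the report,
the telemetry is constructed."""
import re

# Excerpt of the extracted config in the raw report's own layout: a "-" line,
# then a key line, then a value line.  Only the keys used below are included.
REPORT_CONFIG_TEXT = """\
-
backup_connection_host
shahzad73.casacam.net
-
backup_dns_server
8.8.4.4
-
bypass_user_account_control
false
-
connection_port
9036
-
mutex
655a2b03-a820-4abd-957f-5fd46068b31a
-
primary_connection_host
shahzad73.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
use_custom_dns_server
false
"""


def _typed(value):
    """Map the report's string values onto bool / int / str."""
    if value in ("true", "false"):
        return value == "true"
    if re.fullmatch(r"\d+", value):
        return int(value)
    return value


def parse_config(text):
    """Parse '-' / key / value triplets (or 'key: value' lines) into a dict."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    cfg, i = {}, 0
    while i < len(lines):
        if ": " in lines[i]:                      # reflowed 'key: value' layout
            key, value = lines[i].split(": ", 1)
            i += 1
        else:                                     # raw key line + value line
            key, value = lines[i], lines[i + 1]
            i += 2
        cfg[key.lstrip("- ")] = _typed(value)
    return cfg


def derive_iocs(cfg):
    """Concrete indicators: C2 names + port and the mutex GUID.  The DNS
    servers only count when the implant is configured to use them."""
    dns = set()
    if cfg["use_custom_dns_server"]:
        dns = {cfg["primary_dns_server"], cfg["backup_dns_server"]}
    return {
        "c2_hosts": {cfg["primary_connection_host"], cfg["backup_connection_host"]},
        "c2_port": cfg["connection_port"],
        "mutex": cfg["mutex"],
        "dns_servers": dns,
    }


def match_telemetry(iocs, lines):
    """Flag DNS answers for the C2 names, connections to the resolved IPs on
    the C2 port, and any mutex whose name contains the config GUID."""
    findings, resolved = [], {}          # resolved: ip -> C2 hostname
    for line in lines:
        if m := re.match(r"dns (\S+) -> (\S+)", line):
            host, ip = m.groups()
            if host in iocs["c2_hosts"]:
                resolved[ip] = host
                findings.append(("c2_dns", host))
        elif m := re.match(r"connect (\S+):(\d+)", line):
            ip, port = m.group(1), int(m.group(2))
            if ip in resolved and port == iocs["c2_port"]:
                findings.append(("c2_connect", f"{resolved[ip]}:{port}"))
        elif (m := re.match(r"mutex (\S+)", line)) and iocs["mutex"] in m.group(1):
            findings.append(("mutex", m.group(1)))
    return findings


# Constructed telemetry; 192.0.2.x are documentation addresses standing in for
# whatever the dynamic-DNS names resolve to at hunt time.
TELEMETRY = [
    "dns shahzad73.ddns.net -> 192.0.2.10",
    "connect 192.0.2.10:9036",
    "dns ctldl.windowsupdate.com -> 192.0.2.99",   # benign, must not fire
    "connect 192.0.2.99:80",
    "dns shahzad73.casacam.net -> 192.0.2.11",
    "mutex Global\\655a2b03-a820-4abd-957f-5fd46068b31a",
    "connect 8.8.8.8:53",                          # custom DNS disabled: not an IOC
]

if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG_TEXT)
    for kind, what in match_telemetry(derive_iocs(cfg), TELEMETRY):
        print(kind, what)
```

The connect-to-IP rule is keyed off a prior DNS answer for a C2 name rather than off a fixed address, because dynamic-DNS names re-point freely; the hostname and port 9036 are the stable part of this indicator set.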
Signatures
- Executes dropped EXE (2 IoCs)
  PID 1632  qeqreqd.pif
  PID 3808  RegSvcs.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  qeqreqd.pif: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  qeqreqd.pif: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\15537950\\qeqreqd.pif C:\\Users\\Admin\\AppData\\Roaming\\15537950\\tjjehk.kml"
  The value sits in the 32-bit (WOW6432Node) view of HKLM because the loader is a 32-bit process; entries there are still run at logon, so check both registry views when hunting. Writing under HKLM needs elevated rights, which fits request_elevation: true in the config. Note the loader re-launches itself with tjjehk.kml as its argument.
- Checks whether UAC is enabled (1 IoC)
  RegSvcs.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  PID 1632 (qeqreqd.pif) set thread context of PID 3808 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Sandbox description: "Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour." That sentence is the generic text attached to this signature; this sample is a NanoCore RAT and nothing else in the report (no file encryption, no ransom note) supports ransomware. Read it as drive enumeration by the RAT.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here RegSvcs.exe (PID 3808) spawns schtasks.exe (PID 3172) to register a task named "ISS Manager" from the XML file C:\Users\Admin\AppData\Local\Temp\tmp3222.tmp (see the process tree and the dropped-file list).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  64 process-enumeration events, all attributed to PID 1632 (qeqreqd.pif) and PID 3808 (RegSvcs.exe); the report lists each event as its own row.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3808  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3808  RegSvcs.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3944 (remittance slip.pdf.exe) wrote to memory of PID 1632 (qeqreqd.pif): 3 events
  PID 1632 (qeqreqd.pif) wrote to memory of PID 3808 (RegSvcs.exe): 5 events
  PID 3808 (RegSvcs.exe) wrote to memory of PID 3172 (schtasks.exe): 3 events
  The sandbox also records a parent writing into a child it has just created, so the writes by themselves are weak evidence. The signal here is the five writes from qeqreqd.pif into RegSvcs.exe combined with the SetThreadContext call on the same target: that pairing is the process-hollowing pattern, and it is the hollowed RegSvcs.exe that then shows the RAT behaviours (EnableLUA check, SeDebugPrivilege, foreground-window polling, task creation).
Processes
C:\Users\Admin\AppData\Local\Temp\remittance slip.pdf.exe (PID 3944)
  "C:\Users\Admin\AppData\Local\Temp\remittance slip.pdf.exe"
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Roaming\15537950\qeqreqd.pif (PID 1632)
     "C:\Users\Admin\AppData\Roaming\15537950\qeqreqd.pif" tjjehk.kml
     - Executes dropped EXE
     - Adds Run key to start application
     - Suspicious use of SetThreadContext
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     └─ C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (PID 3808)
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        └─ C:\Windows\SysWOW64\schtasks.exe (PID 3172)
           "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3222.tmp"
           - Creates scheduled task(s)

Chain in one line: the double-extension lure (.pdf.exe) drops a loader into %APPDATA%\Roaming\15537950\ and runs it with tjjehk.kml as argument; the loader starts a copy of RegSvcs.exe from %TEMP% and hollows it (WriteProcessMemory + SetThreadContext); the hollowed RegSvcs.exe, now running NanoCore, registers the "ISS Manager" task from an XML it wrote to %TEMP%. Two persistence mechanisms therefore exist, the HKLM Run value "WindowsUpdate" written by the loader and the scheduled task written by the payload, and both must be removed. RegSvcs.exe is a .NET Framework utility; the file dropped to %TEMP% should be hash-checked against the copy shipped with the framework before it is treated as malicious in itself, since the malicious code lives in the injected memory region rather than on disk.
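The chain above (loader in AppData spawning a dropped RegSvcs.exe, writing into it and re-pointing its thread, a Run value into a user directory, and a task registered from a Temp XML) is what a detection should key on. The following Python is an added example, not code from the report or the sandbox: it runs four checks over an event list constructed from the PIDs, paths and command lines shown. The event schema, the ppid of 0 for the root process, and the names in `DOTNET_UTILITIES` other than RegSvcs.exe are assumptions.

```python
"""Detection logic for the execution chain in the process tree.  Added
example: EVENTS is constructed from the report's PIDs, paths and command
lines; the event schema is an assumption, not any particular EDR's format."""
import ntpath
import re
from collections import defaultdict


def ev(type_, pid, **fields):
    return {"type": type_, "pid": pid, **fields}


ROOT = r"C:\Users\Admin\AppData\Local\Temp\remittance slip.pdf.exe"
LOADER = r"C:\Users\Admin\AppData\Roaming\15537950\qeqreqd.pif"
HOST = r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

EVENTS = [
    ev("process_create", 3944, ppid=0, image=ROOT, cmdline=f'"{ROOT}"'),  # ppid unknown: assumed 0
    ev("process_create", 1632, ppid=3944, image=LOADER, cmdline=f'"{LOADER}" tjjehk.kml'),
    *[ev("write_process_memory", 3944, target=1632) for _ in range(3)],
    ev("process_create", 3808, ppid=1632, image=HOST, cmdline=f'"{HOST}"'),
    *[ev("write_process_memory", 1632, target=3808) for _ in range(5)],
    ev("set_thread_context", 1632, target=3808),
    ev("reg_set", 1632,
       key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
       value=rf"{LOADER} C:\Users\Admin\AppData\Roaming\15537950\tjjehk.kml"),
    ev("process_create", 3172, ppid=3808, image=SCHTASKS,
       cmdline=r'"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3222.tmp"'),
    *[ev("write_process_memory", 3808, target=3172) for _ in range(3)],
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
LURE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.exe$", re.IGNORECASE)
# RegSvcs.exe is the host seen in the report; the other names are .NET
# Framework utilities commonly abused the same way (assumption, for generality).
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def detect(events):
    findings = []
    image = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    writes, contexts = defaultdict(int), set()
    for e in events:
        if e["type"] == "write_process_memory":
            writes[(e["pid"], e["target"])] += 1
        elif e["type"] == "set_thread_context":
            contexts.add((e["pid"], e["target"]))

    # 1. Hollowing: the same source both wrote into a target and re-pointed one
    #    of its threads.  Writes alone do not fire (a parent writes into a child
    #    it has just created too, e.g. 3808 -> 3172 here).
    for src, dst in sorted(contexts):
        if writes[(src, dst)]:
            findings.append(("process_hollowing",
                             f"{src} -> {dst} ({ntpath.basename(image.get(dst, '?'))})"))

    for e in events:
        if e["type"] == "process_create":
            name = ntpath.basename(e["image"]).lower()
            if LURE_EXT.search(name):                     # 2. document-looking .exe
                findings.append(("double_extension_lure", name))
            if name in DOTNET_UTILITIES and USER_WRITABLE.search(e["image"]):
                # 3. framework utility started from a user-writable path
                findings.append(("dotnet_utility_from_userdir", e["image"]))
            if name == "schtasks.exe" and "/create" in e["cmdline"].lower():
                # 4a. task definition fed from %TEMP%
                m = re.search(r'/tn\s+"([^"]+)".*?/xml\s+"[^"]*\\Temp\\', e["cmdline"], re.I)
                if m:
                    findings.append(("schtasks_from_temp", m.group(1)))
        elif e["type"] == "reg_set" and "\\currentversion\\run\\" in e["key"].lower():
            if USER_WRITABLE.search(e["value"]):          # 4b. Run value into a user dir
                findings.append(("run_key_persistence", e["key"].rsplit("\\", 1)[1]))
    return findings


if __name__ == "__main__":
    for kind, detail in detect(EVENTS):
        print(f"{kind:28s} {detail}")
```

Rule 1 is deliberately the conjunction of the two API events on the same (source, target) pair; a detection on WriteProcessMemory alone would also flag the two ordinary parent-to-child creations in this report.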
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files and memory dumps)
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5: 0e06054beb13192588e745ee63a84173
SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
C:\Users\Admin\AppData\Local\Temp\tmp3222.tmp (scheduled-task XML passed to schtasks.exe)
MD5: 95aceabc58acad5d73372b0966ee1b35
SHA1: 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256: 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512: 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74
-
C:\Users\Admin\AppData\Roaming\15537950\bqqg.docx
MD5: b08694fac934f555d878df9ec56a5ff5
SHA1: 71ffe87c60e475841dcc6fa4475de836d63790f2
SHA256: dba342e0ab09ff5fe59461426ec58c73625b6f37b570a32f2dd88e74abe106a1
SHA512: f8c1c6acc4eb61c0ca8c9238fa98aebeadca62bd8051a55e1a10e472afd3810ba9666479cccad4e7d9f6d804d3df404dac210fd02197b5e8bcd0fec620bac79c
-
C:\Users\Admin\AppData\Roaming\15537950\qeqreqd.pif (loader, PID 1632)
MD5: bc9cafed1a5b5d3a9d401bb04d953fb9
SHA1: 016f860965f7a5488fba1bd9df8055ae7e237d8c
SHA256: 0e3d5d839e6b8a4fac5d71208420c8aa1017ff0f7896c64d9d087f1cdd0d39ee
SHA512: fecd5ae1c282f65c5f840a059a7969d786aa927548ff89d8e2dabefb062d128db2d76c3879e339069ec0c34497985bc30391806f053f4347671afec1736a5aad
-
C:\Users\Admin\AppData\Roaming\15537950\tjjehk.kml (argument passed to qeqreqd.pif)
MD5: d221f337e65a0dbca2c8cbf323a59089
SHA1: 930676a48759836a72f3076c2368f7bb17487394
SHA256: c8a1f0e07b27148446ca8fbfd988bea1e7b2b216461a29ff77962f7eaf2ad631
SHA512: 55bdf2052942d704eb266271c914ed4b9954910902bd09132e0665189696359edb36ea530ce36e9dc86566933143959a9b1a535b4cb4792cbfe4a800367cf781
-
memory/1632-114-0x0000000000000000-mapping.dmp
memory/3172-130-0x0000000000000000-mapping.dmp
memory/3808-119-0x0000000000B00000-0x000000000101B000-memory.dmp (5.1MB)
memory/3808-120-0x0000000000B1E792-mapping.dmp
memory/3808-125-0x0000000005B50000-0x0000000005B51000-memory.dmp (4KB)
memory/3808-126-0x00000000056F0000-0x00000000056F1000-memory.dmp (4KB)
memory/3808-127-0x0000000005790000-0x0000000005791000-memory.dmp (4KB)
memory/3808-128-0x00000000055D0000-0x00000000055D1000-memory.dmp (4KB)
memory/3808-129-0x0000000005650000-0x0000000005B4E000-memory.dmp (5.0MB)
memory/3808-132-0x00000000056E0000-0x00000000056E5000-memory.dmp (20KB)
memory/3808-133-0x00000000059B0000-0x00000000059C9000-memory.dmp (100KB)
memory/3808-134-0x0000000005B30000-0x0000000005B33000-memory.dmp (12KB)
memory/3808-135-0x0000000005B40000-0x0000000005B4D000-memory.dmp (52KB)
memory/3808-136-0x0000000006610000-0x0000000006625000-memory.dmp (84KB)
memory/3808-137-0x0000000006C60000-0x0000000006C66000-memory.dmp (24KB)
memory/3808-138-0x0000000006C70000-0x0000000006C7C000-memory.dmp (48KB)
memory/3808-139-0x0000000006C80000-0x0000000006C86000-memory.dmp (24KB)
memory/3808-140-0x0000000006C90000-0x0000000006C97000-memory.dmp (28KB)
memory/3808-141-0x0000000006CA0000-0x0000000006CAD000-memory.dmp (52KB)
memory/3808-142-0x0000000006CB0000-0x0000000006CB9000-memory.dmp (36KB)
memory/3808-143-0x0000000006CC0000-0x0000000006CCF000-memory.dmp (60KB)
memory/3808-144-0x0000000006CE0000-0x0000000006CEA000-memory.dmp (40KB)
memory/3808-145-0x0000000006CF0000-0x0000000006D19000-memory.dmp (164KB)
memory/3808-146-0x0000000006D30000-0x0000000006D3F000-memory.dmp (60KB)
memory/3808-147-0x0000000006F00000-0x0000000006F01000-memory.dmp (4KB)

The dump to start with is 3808-119: a 5.1MB region (0x0101B000 - 0x00B00000 = 0x51B000 bytes) inside RegSvcs.exe that no file on disk accounts for, which is the image qeqreqd.pif wrote into the hollowed process. The 3808-120 mapping address 0x00B1E792 falls inside that region, consistent with the thread entry point set through SetThreadContext, so the NanoCore payload and its configuration should be carved from that dump rather than from the RegSvcs.exe file in %TEMP%. All other dumps for PID 3808 are small heap-sized allocations made after injection.