Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-06-2021 12:11
Static task: static1
Behavioral task: behavioral1
Sample: PAYMENT FOR PROFORMA INV0089.exe
Resource: win7v20210410
General
- Target: PAYMENT FOR PROFORMA INV0089.exe
- Size: 1.2MB
- MD5: af0bb269d15ab9be8cc4c2ba3d037171
- SHA1: c0b881551c2e8cb4db285538ef2ac6e091c7537c
- SHA256: 9fea8f3b2070ddd865fbc8e41f134829e0bacf4061ac245e3d3716bfd462d4aa
- SHA512: bcb208aedf64952e9137902263875846fc62a2aa5246d18d632b05e7e3e8826591e1e7f999e1f3cd91f793c64d8064ae3ec0c1116f850a2976664559aaff6d7a
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: night90.ddns.net:5657, 127.0.0.1:5657
- Mutex: 0b119eb7-2d8f-489b-a81c-d786a1637de7
- activate_away_mode: false
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-04-05T11:22:54.943841536Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (base64 blob removed)
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5657
- default_group: NEW DAY
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0b119eb7-2d8f-489b-a81c-d786a1637de7
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: night90.ddns.net
- primary_dns_server: night90.ddns.net
- request_elevation: true
- restart_delay: 5000
- run_delay: 50
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | PAYMENT FOR PROFORMA INV0089.exe
- Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | PAYMENT FOR PROFORMA INV0089.exe
- Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
- PID 3872 set thread context of 1064 | 3872 | PAYMENT FOR PROFORMA INV0089.exe | PAYMENT FOR PROFORMA INV0089.exe
- Drops file in Program Files directory (2 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | PAYMENT FOR PROFORMA INV0089.exe
- File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | PAYMENT FOR PROFORMA INV0089.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
- 2496 | schtasks.exe
- 3952 | schtasks.exe
- 3768 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
- 3872 | PAYMENT FOR PROFORMA INV0089.exe
- 1064 | PAYMENT FOR PROFORMA INV0089.exe
- 1064 | PAYMENT FOR PROFORMA INV0089.exe
- 1064 | PAYMENT FOR PROFORMA INV0089.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
- 1064 | PAYMENT FOR PROFORMA INV0089.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 3872 | PAYMENT FOR PROFORMA INV0089.exe
- Token: SeDebugPrivilege | 1064 | PAYMENT FOR PROFORMA INV0089.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description | pid | process | target process):
- PID 3872 wrote to memory of 3768 | 3872 | PAYMENT FOR PROFORMA INV0089.exe | schtasks.exe (3 entries)
- PID 3872 wrote to memory of 1064 | 3872 | PAYMENT FOR PROFORMA INV0089.exe | PAYMENT FOR PROFORMA INV0089.exe (8 entries)
- PID 1064 wrote to memory of 2496 | 1064 | PAYMENT FOR PROFORMA INV0089.exe | schtasks.exe (3 entries)
- PID 1064 wrote to memory of 3952 | 1064 | PAYMENT FOR PROFORMA INV0089.exe | schtasks.exe (3 entries)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZKodLVapzQiD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA44F.tmp"
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA808.tmp"
      - Creates scheduled task(s)
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA857.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA44F.tmp
  MD5: babc283e97608b957e4dc208542d56da
  SHA1: 909d2fb8c13e0c3805d6c862365b3cd8fb29363e
  SHA256: 7b4fc8f015736b0562f99fa75dbe5b251cd6569e60d29de2f95402af5c39801e
  SHA512: 4e5d4e93a373d9e21e9cbfcebd2f88d6a2c2f6bff3a95bf3236f13284a3841f5ad0f21feea64223c3135ceb6e70356a9647c462dc7618f42bea82b6d7c60acf3
- C:\Users\Admin\AppData\Local\Temp\tmpA808.tmp
  MD5: 94ecc4bbe7ced06daf6097d0af7c8384
  SHA1: 696da3da652c3cda7a969c867ef6681e3fa10d33
  SHA256: 9bc9f11e1f15083959ed102e945732759addd624609263d5fc2443ef6bc43dec
  SHA512: 9873f48134b1cbebe35cbb04abe98b164ef44443d2736074f1bfffc13e3fed97e8d87f84527a9426152a8e601fe49142ad15ccb3fe3efe0f73ad56d038a905c6
- C:\Users\Admin\AppData\Local\Temp\tmpA857.tmp
  MD5: ea7095fa975a5ac043c9de2899ce61d0
  SHA1: ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3
  SHA256: 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f
  SHA512: b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb
- memory/1064-117-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1064-118-0x000000000041E792-mapping.dmp
- memory/1064-119-0x0000000000A10000-0x0000000000ABE000-memory.dmp (Filesize: 696KB)
- memory/2496-120-0x0000000000000000-mapping.dmp
- memory/3768-115-0x0000000000000000-mapping.dmp
- memory/3872-114-0x00000000011F0000-0x00000000011F1000-memory.dmp (Filesize: 4KB)
- memory/3952-122-0x0000000000000000-mapping.dmp