Analysis
- max time kernel: 80s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 12-10-2021 12:54

Static task: static1
Behavioral task: behavioral1
Sample: Proof of payment.jpg.scr
Resource: win7-en-20210920
General
- Target: Proof of payment.jpg.scr
- Size: 670KB
- MD5: f16a886b0c04454901ac6d0923297c0e
- SHA1: 47ed9cbe0c0430444ffd842a231c06a258fe6a5d
- SHA256: 9f4c690fdf0c329b419eb7cbf02c874dd7be5ec7bb3585a0c94a0aba266604d4
- SHA512: e60a04f86083603cac82f970552c0031fd52a9cbc7293ba873427d45fbedfeb13284126bf28eb01692b9c4da81b26d9146db7c9f6630a2455e9f32d15183caeb
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: harold.accesscam.org:6051
- C2: harold.2waky.com:6051
- Mutex: ed2d5ce0-ca4d-4264-be01-91a018d59d09

Attributes
- activate_away_mode: true
- backup_connection_host: harold.2waky.com
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2019-07-13T12:05:45.695760236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 6051
- default_group: INV TO BID
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: ed2d5ce0-ca4d-4264-be01-91a018d59d09
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: harold.accesscam.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                   target process
    PID 2412 set thread context of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid   process
    2412  Proof of payment.jpg.scr
    2412  Proof of payment.jpg.scr
    1940  RegSvcs.exe
    1940  RegSvcs.exe
    1940  RegSvcs.exe
    1940  RegSvcs.exe
    1940  RegSvcs.exe
    1940  RegSvcs.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1940  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2412  Proof of payment.jpg.scr
    Token: SeDebugPrivilege  1940  RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                       pid   process                   target process
    PID 2412 wrote to memory of 3516  2412  Proof of payment.jpg.scr  schtasks.exe
    PID 2412 wrote to memory of 3516  2412  Proof of payment.jpg.scr  schtasks.exe
    PID 2412 wrote to memory of 3516  2412  Proof of payment.jpg.scr  schtasks.exe
    PID 2412 wrote to memory of 3964  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 3964  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 3964  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
    PID 2412 wrote to memory of 1940  2412  Proof of payment.jpg.scr  RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Proof of payment.jpg.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proof of payment.jpg.scr" /S
  PID: 2412
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eoPqnTxJGg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A77.tmp"
    PID: 3516
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    PID: 3964
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    PID: 1940
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken