Analysis
- max time kernel: 139s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 25-02-2022 14:13
Static task: static1
Behavioral task: behavioral1
- Sample: TT PAYMENT SLIP.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: TT PAYMENT SLIP.exe
- Resource: win10v2004-en-20220113
General
- Target: TT PAYMENT SLIP.exe
- Size: 38KB
- MD5: 44a0f51f3868778ac0ec66f6097f929c
- SHA1: 37f8010dad800349a8a813a6e326c475256aafb4
- SHA256: 6b68f82534d3741e2e20d707a45831fb294a61a2facd1e67b0bd0836886375e8
- SHA512: ce20e98a1bf3701ad695c26e3678be9298f65a7511052da0c9f8786a87d8e41a32607d317280eacf7c41f8544281ae40614dcd6eef270b805d6f99075fbd4693
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: amechi.duckdns.org:4190
- Mutex: 8702659d-e2e3-4823-9a31-8d87ea07b81d
Configuration:
- activate_away_mode: true
- backup_connection_host: amechi.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-12-06T23:10:12.854593636Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4190
- default_group: NEW BBBBBBBBBBBBBBB
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760)
- mutex: 8702659d-e2e3-4823-9a31-8d87ea07b81d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: amechi.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Notes on this config: primary and backup connection hosts are the same duckdns.org dynamic-DNS name, so amechi.duckdns.org:4190 is the only C2 endpoint here. use_custom_dns_server is false, so the 8.8.8.8 and 8.8.4.4 entries are unused defaults rather than indicators. bypass_user_account_control, request_elevation and set_critical_process are all true: the client asks for elevation, attempts a UAC bypass and marks its own process critical (terminating a critical process bug-checks the machine), while run_on_startup is false, so any persistence comes from elsewhere (see the Run keys under Signatures).
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: shoresedge.co.za
- Port: 587
- Username: bookings@shoresedge.co.za
- Password: woz]p3pgIg&W
- Email To: easiacess5@gmail.com
Note: the exfiltration channel is a third-party mailbox (bookings@shoresedge.co.za) whose credentials are embedded in the sample; stolen data is submitted over SMTP on port 587 and delivered to easiacess5@gmail.com. Treat the mailbox as compromised and notify its owner. The host, account and recipient are usable indicators; the plaintext password should not be redistributed in indicator feeds.
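Both extracted configs above arrive as flattened text. The following is an added example (not Triage's extractor, and not code from the sample) that parses the NanoCore key/value dump and the AgentTesla line exactly as the page shows them and turns them into one normalised indicator list, leaving the SMTP password out. The NanoCore dump is cut down to the fields the example uses; the RISKY_FLAGS watch list and the (family, kind, value) tuple shape are my own choices.

```python
"""Normalise the two extracted configs above into one indicator list.

Added example, not Triage's extractor and not code from the sample. Inputs are
copied from the report (NanoCore dump cut to the fields used here, AgentTesla
line as the page flattens it); RISKY_FLAGS and the tuple shape are mine.
"""
import re
from typing import Dict, List, Tuple

# From "Malware Config / Extracted / nanocore": key line, value line, "-".
NANOCORE_DUMP = """\
backup_connection_host
amechi.duckdns.org
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
connection_port
4190
-
mutex
8702659d-e2e3-4823-9a31-8d87ea07b81d
-
primary_connection_host
amechi.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
set_critical_process
true
-
use_custom_dns_server
false
"""

# From "Extracted / agenttesla", one line, separators partly glued to values.
AGENTTESLA_LINE = ("Protocol: smtp- Host: shoresedge.co.za - Port: 587 - "
                   "Username: bookings@shoresedge.co.za - Password: woz]p3pgIg&W"
                   " - Email To: easiacess5@gmail.com")

# NanoCore options that change privilege or defence posture when "true".
RISKY_FLAGS = ("bypass_user_account_control", "request_elevation",
               "set_critical_process", "clear_access_control", "run_on_startup")
AT_LABELS = ("Protocol", "Host", "Port", "Username", "Password", "Email To")
AT_RE = re.compile(r"(%s):\s*" % "|".join(re.escape(l) for l in AT_LABELS))


def parse_nanocore(dump: str) -> Dict[str, str]:
    """Pair consecutive lines; a key directly followed by "-" has no value."""
    cfg: Dict[str, str] = {}
    key = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "-":
            if key is not None:              # bypass_user_account_control_data
                cfg[key], key = "", None
            continue
        if line.startswith("- "):            # bullet glued to the key name
            line = line[2:].strip()
        if key is None:
            key = line
        else:
            cfg[key], key = line, None
    if key is not None:
        cfg[key] = ""
    return cfg


def parse_agenttesla(line: str) -> Dict[str, str]:
    """Slice at the known labels, then trim the " - " separator the page glues
    to some values ("smtp- Host:"). Caveat: a value that genuinely ends in "-"
    would lose that character."""
    hits = list(AT_RE.finditer(line))
    out: Dict[str, str] = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        out[m.group(1)] = line[m.end():end].strip().rstrip("-").strip()
    return out


def risky_flags(nano: Dict[str, str]) -> List[str]:
    return sorted(k for k in RISKY_FLAGS if nano.get(k) == "true")


def indicators(nano: Dict[str, str], tesla: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Host/network indicators only; the SMTP password is deliberately left out."""
    port = nano.get("connection_port", "")
    hosts = {nano.get("primary_connection_host"), nano.get("backup_connection_host")} - {None, ""}
    iocs = [("nanocore", "c2", f"{h}:{port}") for h in sorted(hosts)]
    if nano.get("mutex"):
        iocs.append(("nanocore", "mutex", nano["mutex"]))
    if nano.get("use_custom_dns_server") == "true":   # 8.8.8.8 is only an IoC if enabled
        iocs += [("nanocore", "dns", nano[k])
                 for k in ("primary_dns_server", "backup_dns_server") if nano.get(k)]
    if tesla.get("Host"):
        iocs.append(("agenttesla", "exfil_smtp", f"{tesla['Host']}:{tesla.get('Port', '')}"))
    for label, kind in (("Username", "smtp_account"), ("Email To", "exfil_recipient")):
        if tesla.get(label):
            iocs.append(("agenttesla", kind, tesla[label]))
    return iocs
```

Running `indicators(parse_nanocore(NANOCORE_DUMP), parse_agenttesla(AGENTTESLA_LINE))` yields a single NanoCore C2 entry (primary and backup collapse to amechi.duckdns.org:4190), the mutex, and the AgentTesla SMTP host, account and recipient; no DNS entries, because use_custom_dns_server is off.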
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic). In this run the family match comes from the memory of the hollowed child process (PID 4004, see "AgentTesla Payload" below); a NanoCore configuration was also extracted from the same sample (see Malware Config above).
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Process: WerFault.exe
  description | pid | process | target process
  PID 2956 created 4004 | 2956 | WerFault.exe | TT PAYMENT SLIP.exe
  This is the second WerFault.exe instance (-pss ... -p 4004) that Windows Error Reporting launches to handle the crash of PID 4004; the heuristic fires on WER's own handling of the crashed process, not on an action by the sample.
- AgentTesla Payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/4004-136-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Executes dropped EXE (1 IoC)
  pid | process
  5036 | Qfirbyvbmnan binnnnnnnnn.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, a likely geofence check.
  Process: TT PAYMENT SLIP.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | TT PAYMENT SLIP.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: TT PAYMENT SLIP.exe (both the original process and the hollowed copy)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\"" | TT PAYMENT SLIP.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hcnIuh = "C:\\Users\\Admin\\AppData\\Roaming\\hcnIuh\\hcnIuh.exe" | TT PAYMENT SLIP.exe
  Both are HKCU Run values (no elevation required) pointing into the user's AppData\Roaming directory, and the first borrows the name "chrome" to blend in. Neither chrome.exe nor hcnIuh.exe appears among the files captured in the Downloads section of this report.
- Suspicious use of SetThreadContext (1 IoC)
  Process: TT PAYMENT SLIP.exe
  description | pid | process | target process
  PID 1532 set thread context of 4004 | 1532 | TT PAYMENT SLIP.exe | TT PAYMENT SLIP.exe
  The parent sets the thread context of a second copy of its own image, into which it has also written memory eight times (see WriteProcessMemory below): the process-hollowing sequence (create suspended, overwrite, set context, resume). The AgentTesla YARA match is on that child's memory.
- Enumerates physical storage devices (1 TTP, no IoCs)
  Attempts to interact with connected storage/optical drive(s). Triage's generic description of this signature mentions ransomware, but no IoCs were recorded for it in this run, and for a stealer/RAT sample drive enumeration is more consistent with reconnaissance than with file encryption.
- Program crash (1 IoC)
  Process: WerFault.exe
  pid | pid_target | process | target process
  736 | 4004 | WerFault.exe | TT PAYMENT SLIP.exe
  The hollowed child (PID 4004) crashed during the run, so the injected payload may not have executed to completion; the Network section of this export records nothing.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here, however, every IoC comes from WerFault.exe, which collects hardware details as part of crash reporting: this is Windows Error Reporting noise, not evasion by the sample.
  Process: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Delays execution with timeout.exe (1 IoC)
  pid | process
  5048 | timeout.exe
  Launched by the sample as cmd.exe /c timeout 20 (see the process tree): a 20-second sleep before the next stage, which is enough to outlast very short sandbox runs.
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Process: WerFault.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  As with the processor lookups, these reads are the crash reporter gathering system details, not the sample.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: TT PAYMENT SLIP.exe, TT PAYMENT SLIP.exe, WerFault.exe
  pid | process
  1532 | TT PAYMENT SLIP.exe (2 events)
  4004 | TT PAYMENT SLIP.exe (2 events)
  736 | WerFault.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: TT PAYMENT SLIP.exe, TT PAYMENT SLIP.exe, WerFault.exe
  description | pid | process
  Token: SeDebugPrivilege | 1532 | TT PAYMENT SLIP.exe
  Token: SeDebugPrivilege | 4004 | TT PAYMENT SLIP.exe
  Token: SeRestorePrivilege | 736 | WerFault.exe
  Token: SeBackupPrivilege | 736 | WerFault.exe
  SeDebugPrivilege enabled in both copies of the sample is consistent with the cross-process memory writes below; the WerFault.exe privileges are normal for crash-dump collection.
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: TT PAYMENT SLIP.exe, cmd.exe, Qfirbyvbmnan binnnnnnnnn.exe, fondue.exe, WerFault.exe
  source pid / process | target pid / process | writes
  1532 TT PAYMENT SLIP.exe | 3816 cmd.exe | 3
  3816 cmd.exe | 5048 timeout.exe | 3
  1532 TT PAYMENT SLIP.exe | 5036 Qfirbyvbmnan binnnnnnnnn.exe | 3
  5036 Qfirbyvbmnan binnnnnnnnn.exe | 2260 fondue.exe | 3
  2260 fondue.exe | 3576 FonDUE.EXE | 2
  1532 TT PAYMENT SLIP.exe | 4004 TT PAYMENT SLIP.exe | 8
  2956 WerFault.exe | 4004 TT PAYMENT SLIP.exe | 2
  Two or three writes from a parent into a newly created child are ordinary process start-up (Triage records them for every spawn here, including cmd.exe into timeout.exe). The eight writes from 1532 into a second copy of itself are the hollowing overwrite, and the WerFault.exe writes into 4004 belong to the crash handler, not the sample.
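The SetThreadContext, WriteProcessMemory and Run-key rows above are enough to separate the hollowing chain and the persistence entries from the benign spawns and the crash handler. The following is an added example (not Triage's code) that parses those rows as the report prints them and applies two checks: a parent that both writes into a child and sets that child's thread context is flagged as hollowing (WerFault.exe writes into 4004 too, but never sets its context, so it is not), and a Run value is flagged when its target lives in a user-writable directory or its name imitates a well-known program. PROCESS_EVENTS and RUN_EVENTS are copied from the tables above with the repeated write rows collapsed; USER_WRITABLE and MASQUERADE_NAMES are my own choices.

```python
"""Triage the injection and persistence rows from the signature tables above.

Added example, not Triage's code. PROCESS_EVENTS and RUN_EVENTS are copied from
the WriteProcessMemory, SetThreadContext and "Adds Run key" tables (one line per
row, repeated writes collapsed); USER_WRITABLE and MASQUERADE_NAMES are mine.
"""
import re
from typing import Dict, List

PROCESS_EVENTS = [
    "PID 1532 wrote to memory of 3816 1532 TT PAYMENT SLIP.exe cmd.exe",
    "PID 3816 wrote to memory of 5048 3816 cmd.exe timeout.exe",
    "PID 1532 wrote to memory of 5036 1532 TT PAYMENT SLIP.exe Qfirbyvbmnan binnnnnnnnn.exe",
    "PID 5036 wrote to memory of 2260 5036 Qfirbyvbmnan binnnnnnnnn.exe fondue.exe",
    "PID 2260 wrote to memory of 3576 2260 fondue.exe FonDUE.EXE",
    "PID 1532 wrote to memory of 4004 1532 TT PAYMENT SLIP.exe TT PAYMENT SLIP.exe",
    "PID 1532 set thread context of 4004 1532 TT PAYMENT SLIP.exe TT PAYMENT SLIP.exe",
    "PID 2956 wrote to memory of 4004 2956 WerFault.exe TT PAYMENT SLIP.exe",
]
RUN_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chrome = "\"C:\\Users\\Admin\\AppData\\Roaming\\chrome.exe\"" TT PAYMENT SLIP.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hcnIuh = "C:\\Users\\Admin\\AppData\\Roaming\\hcnIuh\\hcnIuh.exe" TT PAYMENT SLIP.exe',
]

# "PID <src> <action> <dst> <src> <src image> <dst image>"; image names may
# contain spaces, so each is matched lazily up to its ".exe".
EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (.+?\.exe) (.+?\.exe)$", re.I)
# "...\Run\<value name> = "<data>" <process>"; <data> keeps the page's escaping.
RUN_RE = re.compile(r'\\Run\\([^\s=]+) = "(.*)" (.+?\.exe)$', re.I)

USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
MASQUERADE_NAMES = {"chrome", "firefox", "msedge", "explorer", "svchost"}


def hollowing_candidates(events: List[str]) -> List[Dict[str, object]]:
    """A parent that writes into a child AND sets that child's thread context is
    the process-hollowing pattern (create suspended, overwrite, set context,
    resume). Plain spawns only show writes, and WerFault.exe writes into the
    crashed process without ever setting its context, so neither is flagged."""
    writes: Dict[tuple, tuple] = {}
    ctx = set()
    for ev in events:
        m = EVENT_RE.match(ev)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(3))
        if m.group(2).lower() == "wrote to memory of":
            writes[(src, dst)] = (m.group(4), m.group(5))
        else:
            ctx.add((src, dst))
    return [{"parent": src, "child": dst, "image": dst_img,
             "self_injection": src_img.lower() == dst_img.lower()}
            for (src, dst), (src_img, dst_img) in writes.items() if (src, dst) in ctx]


def suspicious_run_keys(events: List[str]) -> List[Dict[str, object]]:
    """Flag Run values whose target lives in a user-writable directory or whose
    value name borrows a well-known program name outside Program Files."""
    out = []
    for ev in events:
        m = RUN_RE.search(ev)
        if not m:
            continue
        name, raw, proc = m.group(1), m.group(2), m.group(3)
        # undo the report's escaping: \" -> " and \\ -> \, then drop outer quotes
        path = raw.replace('\\"', '"').replace('\\\\', '\\').strip('"')
        low = path.lower()
        reasons = []
        if any(d in low for d in USER_WRITABLE):
            reasons.append("binary in user-writable directory")
        if name.lower() in MASQUERADE_NAMES and "\\program files" not in low:
            reasons.append("value name mimics a well-known program")
        if reasons:
            out.append({"name": name, "path": path, "set_by": proc, "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in hollowing_candidates(PROCESS_EVENTS):
        print("hollowing:", hit)
    for key in suspicious_run_keys(RUN_EVENTS):
        print("persistence:", key)
```

On the report's rows this yields exactly one hollowing candidate (1532 into 4004, same image) and two persistence hits (chrome, flagged for both its location and its borrowed name; hcnIuh, flagged for its location). The write-count threshold is deliberately not used: the thread-context event is the discriminator, which keeps the three start-up writes per ordinary spawn from generating noise.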
Processes (tree; nesting shows the parent/child depth, PIDs taken from the signature tables above)
- C:\Users\Admin\AppData\Local\Temp\TT PAYMENT SLIP.exe (PID 1532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TT PAYMENT SLIP.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3816)
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 5048)
      Command line: timeout 20
      - Delays execution with timeout.exe
  - C:\Users\Admin\AppData\Local\Temp\Qfirbyvbmnan binnnnnnnnn.exe (PID 5036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Qfirbyvbmnan binnnnnnnnn.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fondue.exe (PID 2260)
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\FonDUE.EXE (PID 3576)
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
  - C:\Users\Admin\AppData\Local\Temp\TT PAYMENT SLIP.exe (PID 4004, second copy, hollowed by PID 1532)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TT PAYMENT SLIP.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (PID 736)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1532
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (PID 2956)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
Reading the tree: the sample and everything it spawns run from SysWOW64, so the binary is 32-bit (the command lines say System32 because of WoW64 file-system redirection). fondue.exe /enable-feature:NetFx3 /caller-name:mscoreei.dll is the Windows prompt to install .NET Framework 3.5, which the CLR shim (mscoreei.dll) launches when an assembly built for CLR 2.0 starts on a machine without that runtime; that implies the dropped Qfirbyvbmnan binnnnnnnnn.exe targets .NET 3.5 and could not run its own code in this Windows 10 image (an inference from the command line, not something the report states). The two WerFault.exe instances and the rundll32.exe PcaSvc.dll,PcaPatchSdbTask task (Program Compatibility Assistant) are Windows housekeeping around the crash of PID 4004, not sample behaviour.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT PAYMENT SLIP.exe.log
  MD5: e309ab46728031325412385f1321672e
  SHA1: a26e8b1f88b33b7732507133a42c041537f9e2b3
  SHA256: 1fd43786db1663d58e600089d0d286bc2c497dbeaa5072e3e3f862dea463fd78
  SHA512: ff7c1d353636f022818b64f0bc53dc568dbc576e74d05a3bf2e453fe17d7cfe3a86ed6c152b4db233032560d0fab581e065d9c748c4d2c0257228e4c95f89040
  (A usage log under CLR_v4.0_32 is written by the .NET Framework 4.x runtime for a 32-bit process, consistent with the sample being a 32-bit .NET assembly.)
- C:\Users\Admin\AppData\Local\Temp\Qfirbyvbmnan binnnnnnnnn.exe
  MD5: 9074f2b19792b44a068c9816547893c3
  SHA1: 7f85972add38829589a415ede1dd402e21d07946
  SHA256: 7ddf1df2b9a865622920044d23f7976a33d4b7062a9633bdc1b34d7fdc111390
  SHA512: 5b75ab6c41aa7376dae057226c626806180280c626a5054facc549b6acccebd6914c7684f2879d373dc3ee91c1b13f31208c98f83ecaca54fcb9564ac4780612
Memory dumps
- memory/1532-131-0x0000000074E4E000-0x0000000074E4F000-memory.dmp (4KB)
- memory/1532-132-0x0000000004B10000-0x0000000004B11000-memory.dmp (4KB)
- memory/1532-135-0x0000000000AD0000-0x0000000000B62000-memory.dmp (584KB)
- memory/1532-130-0x00000000001F0000-0x00000000001FE000-memory.dmp (56KB)
- memory/4004-136-0x0000000000400000-0x000000000043C000-memory.dmp (240KB; the region that matched the family_agenttesla YARA rule, i.e. the image written into the hollowed child)
- memory/4004-138-0x00000000057A0000-0x0000000005D44000-memory.dmp (5.6MB)
- memory/4004-139-0x0000000074E4E000-0x0000000074E4F000-memory.dmp (4KB)
- memory/4004-140-0x0000000005440000-0x0000000005441000-memory.dmp (4KB)
- memory/4004-141-0x0000000005450000-0x00000000054EC000-memory.dmp (624KB)
- memory/4004-142-0x0000000006090000-0x00000000060F6000-memory.dmp (408KB)