Analysis
max time kernel: 148s
max time network: 152s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 00:19
Static task: static1
Behavioral task: behavioral1
  Sample: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
  Resource: win10v2004-20220414-en
Behavioral task: behavioral3
  Sample: Payment Confirmation.scr
  Resource: win7-20220414-en
General
Target: Payment Confirmation.scr
Size: 813KB
MD5: 26325d99df3eeb5f6f39f9eb45ae3bee
SHA1: 54e06e4ef19e4209c023724a1863cbf752ea67f8
SHA256: b8d17b00725d58556c468f413f0825f5ac4fe19734898645d9db2f2f0be5e1af
SHA512: 8803e0ed820fa0916324169e5ab7f32bc88c4bf0a5b8b400efe5bec8acf1ebad7aec3238713d9be6adbbb59d4652cac4caae281ebc25dc9fa0a864bc3b62a407
Note: these hashes describe the extracted Payment Confirmation.scr (behavioral3). The submitted .rar container used by behavioral1 and behavioral2 is identified by its own SHA256 (71f5f09e...a5ac5), so use the .scr hashes when sweeping for the dropped executable and the .rar hash when sweeping mail attachments.
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: harolds.ooguy.com:6051
C2: harold.2waky.com:6051
Mutex: 79556390-7150-4551-9067-10cd33e6482e

Attributes:
activate_away_mode: true
backup_connection_host: harold.2waky.com
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-04-28T08:36:06.976087436Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 6051
default_group: Acandy
enable_debug_mode: true
gc_threshold: 10485760 (rendered by the sandbox as 1.048576e+07)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (rendered by the sandbox as 1.048576e+07)
mutex: 79556390-7150-4551-9067-10cd33e6482e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: harolds.ooguy.com
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
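The configuration above is the most durable evidence on this page: the two C2 hostnames, the port and the mutex GUID survive repacking of the loader. The script below, an added example written for this page and not sandbox output, turns that dump into hunting and blocking material. RAW_CONFIG is a subset of the extracted keys copied from the block above; the type coercion (the sandbox prints every value as text, large integers in scientific notation, and empty strings for unset fields), the choice of which keys count as capability flags, the Suricata rule text and the sid range 9000000+ are my own assumptions and should be adjusted to your environment.

```python
"""Turn the extracted NanoCore configuration into hunting/blocking IoCs.

Added example for this page, not output of the sandbox. RAW_CONFIG is copied
from the "Malware Config / Extracted" block; the coercion rules, IoC selection
and Suricata rule text are assumptions, and the sid range is a placeholder.
"""
from __future__ import annotations

import re
from typing import Any

# Constructed from the page (subset of keys). The sandbox renders every value
# as text, large integers in scientific notation (1.048576e+07 == 10485760),
# and unset fields as an empty string.
RAW_CONFIG = """\
backup_connection_host: harold.2waky.com
backup_dns_server: 8.8.4.4
build_time: 2020-04-28T08:36:06.976087436Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_zone_identifier: false
connection_port: 6051
default_group: Acandy
keyboard_logging: false
max_packet_size: 1.048576e+07
mutex: 79556390-7150-4551-9067-10cd33e6482e
primary_connection_host: harolds.ooguy.com
primary_dns_server: 8.8.8.8
request_elevation: true
run_on_startup: true
set_critical_process: true
use_custom_dns_server: false
version: 1.2.2.0
"""

_INT = re.compile(r"-?\d+")
_SCI = re.compile(r"-?\d+(\.\d+)?e[+-]?\d+", re.I)


def coerce(value: str) -> Any:
    """Map the sandbox's text rendering back to bool/int/str; '' becomes None."""
    v = value.strip()
    if v == "":
        return None
    if v in ("true", "false"):
        return v == "true"
    if _INT.fullmatch(v):
        return int(v)
    if _SCI.fullmatch(v):
        f = float(v)
        return int(f) if f.is_integer() else f
    return v  # hostnames, GUIDs, dotted versions, ISO timestamps stay strings


def parse_config(text: str) -> dict[str, Any]:
    """Parse 'key: value' lines; split on the first colon only so timestamps survive."""
    cfg: dict[str, Any] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = coerce(value)
    return cfg


def load_page_config() -> dict[str, Any]:
    return parse_config(RAW_CONFIG)


def network_iocs(cfg: dict[str, Any]) -> set[tuple[str, int]]:
    """C2 endpoints. Both hosts share connection_port and both are DNS names,
    so the telemetry to watch is DNS queries rather than a fixed IP."""
    port = int(cfg["connection_port"])
    hosts = {cfg.get("primary_connection_host"), cfg.get("backup_connection_host")}
    return {(h, port) for h in hosts if h}


def capability_flags(cfg: dict[str, Any]) -> dict[str, bool]:
    """Behaviour switches that change what to expect on an infected host
    (e.g. use_custom_dns_server=false means the listed DNS servers are inert)."""
    keys = ("run_on_startup", "bypass_user_account_control", "request_elevation",
            "set_critical_process", "keyboard_logging", "clear_zone_identifier",
            "use_custom_dns_server")
    return {k: bool(cfg.get(k)) for k in keys}


def suricata_dns_rules(cfg: dict[str, Any], sid_base: int = 9000000) -> list[str]:
    """One DNS-query alert per C2 hostname (Suricata 5+ dns.query sticky buffer).
    sid_base is a placeholder: allocate real sids from your own range."""
    rules = []
    for i, (host, _port) in enumerate(sorted(network_iocs(cfg))):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"NanoCore C2 lookup {host}"; '
            f'dns.query; content:"{host}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = load_page_config()
    print("C2:", sorted(network_iocs(cfg)), "mutex:", cfg["mutex"])
    print("flags:", capability_flags(cfg))
    print("\n".join(suricata_dns_rules(cfg)))
```

The mutex GUID and the two hostnames are what to pivot on; the 8.8.8.8/8.8.4.4 entries are only meaningful if use_custom_dns_server were true, which it is not in this build, so do not expect direct traffic to Google DNS as an indicator.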
Signatures
Suspicious use of SetThreadContext (1 IoC)
  PID 1972 (Payment Confirmation.scr) set thread context of PID 1684 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but the extracted configuration identifies this sample as NanoCore, a remote-access trojan; treat the drive enumeration as generic host reconnaissance rather than as evidence of encryption.
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 1972 (Payment Confirmation.scr): 5 events
  PID 1684 (RegSvcs.exe): 2 events
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1684 (RegSvcs.exe)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 1972 (Payment Confirmation.scr): enabled SeDebugPrivilege
  PID 1684 (RegSvcs.exe): enabled SeDebugPrivilege
Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1972 (Payment Confirmation.scr) wrote to memory of PID 1736 (schtasks.exe): 4 events
  PID 1972 (Payment Confirmation.scr) wrote to memory of PID 1684 (RegSvcs.exe): 12 events
  The writes into schtasks.exe have no matching SetThreadContext; the twelve writes into RegSvcs.exe followed by SetThreadContext on the same process are the process-hollowing pattern, with the .NET framework utility RegSvcs.exe serving as the host for the injected NanoCore payload.
Processes
C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.scr (PID 1972, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 1736, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA249.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image that ran is in SysWOW64: the 32-bit parent's CreateProcess call is subject to WOW64 file-system redirection. The task name is recorded literally as Updates\&startupname&, and the task definition is imported from a temp file (tmpA249.tmp, listed under Downloads below).
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1684, depth 2)
    Command line: "{path}" (recorded literally)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
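The two behaviours that matter for detection are both visible in the Signatures and Processes sections above: a binary launched from the user's Temp directory writes into a freshly created .NET framework utility (RegSvcs.exe) and then resets its thread context, and the same parent spawns schtasks.exe to import a task definition from a temp file. The script below, an added example and not part of the sandbox's own signature engine, encodes those two rules and runs them over event records constructed from this page. The event model, the list of commonly hollowed .NET host binaries and the "user-writable directory" pattern are my assumptions; the writes into schtasks.exe are included as the negative case, since a parent writing into a child it just created is normal and only becomes suspicious when paired with SetThreadContext.

```python
"""Detect the process-hollowing + schtasks-persistence chain from this report.

Added example, not sandbox code. EVENTS is constructed from the page's
Signatures/Processes sections; the Event model, HOLLOW_HOSTS and the
USER_WRITABLE pattern are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    op: str                 # "create" | "WriteProcessMemory" | "SetThreadContext"
    pid: int
    image: str
    target_pid: int = 0     # for cross-process API calls
    target_image: str = ""
    cmdline: str = ""       # for "create" events


# Constructed from the page: PIDs, images, counts and command lines as reported.
EVENTS: list[Event] = [
    Event("create", 1972, "Payment Confirmation.scr",
          cmdline=r'"C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.scr" /S'),
    # 4 writes into schtasks.exe, no SetThreadContext: ordinary child creation.
    *([Event("WriteProcessMemory", 1972, "Payment Confirmation.scr", 1736, "schtasks.exe")] * 4),
    Event("create", 1736, "schtasks.exe",
          cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" '
                  r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpA249.tmp"'),
    # 12 writes into RegSvcs.exe followed by SetThreadContext: hollowing.
    *([Event("WriteProcessMemory", 1972, "Payment Confirmation.scr", 1684, "RegSvcs.exe")] * 12),
    Event("SetThreadContext", 1972, "Payment Confirmation.scr", 1684, "RegSvcs.exe"),
    Event("create", 1684, "RegSvcs.exe",
          cmdline=r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "{path}"'),
]

# .NET framework utilities commonly used as hollowing hosts (assumption).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "vbc.exe", "csc.exe", "aspnet_compiler.exe"}
# Directories an unprivileged user can write to (assumption).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


def detect_hollowing(events: list[Event]) -> list[dict]:
    """Parent that writes into a child AND resets its thread context, where the
    child is a known hollowing host. Writes alone are not flagged."""
    writes: dict[tuple[int, int], int] = defaultdict(int)
    images: dict[tuple[int, int], tuple[str, str]] = {}
    ctx: set[tuple[int, int]] = set()
    for e in events:
        key = (e.pid, e.target_pid)
        if e.op == "WriteProcessMemory":
            writes[key] += 1
            images[key] = (e.image, e.target_image)
        elif e.op == "SetThreadContext":
            ctx.add(key)
            images[key] = (e.image, e.target_image)
    hits = []
    for key in sorted(ctx):
        parent, child = images[key]
        if writes[key] and child.lower() in HOLLOW_HOSTS:
            hits.append({"parent_pid": key[0], "parent": parent,
                         "child_pid": key[1], "child": child, "writes": writes[key]})
    return hits


def detect_schtasks_persistence(events: list[Event]) -> list[dict]:
    """schtasks /Create importing a task XML from a user-writable directory."""
    hits = []
    for e in events:
        if e.op != "create" or e.image.lower() != "schtasks.exe":
            continue
        xml = re.search(r'/XML\s+"?([^"]+)"?', e.cmdline, re.I)
        if "/create" in e.cmdline.lower() and xml and USER_WRITABLE.search(xml.group(1)):
            tn = re.search(r'/TN\s+"?([^"]+)"?', e.cmdline, re.I)
            hits.append({"pid": e.pid, "task": tn.group(1) if tn else "", "xml": xml.group(1)})
    return hits


def triage(events: list[Event]) -> list[dict]:
    """Combine both rules into one ordered finding list."""
    findings = [{"rule": "process_hollowing", **h} for h in detect_hollowing(events)]
    findings += [{"rule": "schtasks_persistence", **h} for h in detect_schtasks_persistence(events)]
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

On a live host the same logic maps onto Sysmon: Event ID 10 (ProcessAccess) for the cross-process writes and context change, Event ID 1 (ProcessCreate) for the schtasks.exe command line, and Event ID 11 (FileCreate) for the tmp*.tmp task XML in the user's Temp directory.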
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpA249.tmp (the task XML passed to schtasks.exe /XML above)
  Filesize: 1KB
  MD5: d2aa72e1e0a9b7dcb81af5082540153a
  SHA1: 69f84c985fea812daa2fcfd1941a7d60facb4a7e
  SHA256: c7a368be198491672c06e17b5626878b39a06de3bb28c0f028cc3aff46e43d3d
  SHA512: 541bbb3c838c14bfc2c91d1394a99a72f76ad8c3534da1215336ffdc3d63922d456af573ced60d5dff7f9e70fc1f7c8f3cd8ad997374356ecb784695ea312692

Memory dumps (dump id, address range, size)
PID 1972 (Payment Confirmation.scr)
  1972-54  0x0000000000370000-0x0000000000442000  840KB
  1972-55  0x0000000000350000-0x0000000000358000  32KB
  1972-56  0x00000000046D0000-0x000000000473C000  432KB
  1972-57  0x00000000002B0000-0x00000000002F4000  272KB
PID 1736 (schtasks.exe)
  1736-58  0x0000000000000000  mapping.dmp
PID 1684 (RegSvcs.exe)
  1684-60  0x0000000000400000-0x0000000000438000  224KB
  1684-61  0x0000000000400000-0x0000000000438000  224KB
  1684-63  0x0000000000400000-0x0000000000438000  224KB
  1684-64  0x0000000000400000-0x0000000000438000  224KB
  1684-66  0x0000000000400000-0x0000000000438000  224KB
  1684-67  0x000000000041E792  mapping.dmp
  1684-69  0x0000000000400000-0x0000000000438000  224KB
  1684-71  0x0000000000400000-0x0000000000438000  224KB
  1684-72  0x0000000075FE1000-0x0000000075FE3000  8KB
  1684-73  0x00000000004C0000-0x00000000004CA000  40KB
  1684-74  0x0000000000560000-0x000000000057E000  120KB
  1684-75  0x00000000004D0000-0x00000000004DA000  40KB
  1684-76  0x00000000005A5000-0x00000000005B6000  68KB
The same 224KB range at 0x400000-0x438000 in RegSvcs.exe was dumped seven times (ids 60, 61, 63, 64, 66, 69, 71), and the mapping dump 1684-67 at 0x41E792 falls inside it; that range is the one to extract and unpack when recovering the injected payload, as the hollowed process's own on-disk image will not contain it.