Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:19
Static task: static1
Behavioral task: behavioral1
- Sample: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 71f5f09ec8f0e4b1296da50a6a4e4e87c10e85aadc1a8261f0c6f2ecde4a5ac5.rar
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: Payment Confirmation.scr
- Resource: win7-20220414-en
General
- Target: Payment Confirmation.scr
- Size: 813KB
- MD5: 26325d99df3eeb5f6f39f9eb45ae3bee
- SHA1: 54e06e4ef19e4209c023724a1863cbf752ea67f8
- SHA256: b8d17b00725d58556c468f413f0825f5ac4fe19734898645d9db2f2f0be5e1af
- SHA512: 8803e0ed820fa0916324169e5ab7f32bc88c4bf0a5b8b400efe5bec8acf1ebad7aec3238713d9be6adbbb59d4652cac4caae281ebc25dc9fa0a864bc3b62a407
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: harolds.ooguy.com:6051, harold.2waky.com:6051
- Mutex: 79556390-7150-4551-9067-10cd33e6482e
Attributes:
- activate_away_mode: true
- backup_connection_host: harold.2waky.com
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-28T08:36:06.976087436Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 6051
- default_group: Acandy
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 79556390-7150-4551-9067-10cd33e6482e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: harolds.ooguy.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: Payment Confirmation.scr)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 3044 set thread context of 1268 (process: Payment Confirmation.scr, PID 3044; target process: RegSvcs.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
- PID 3044, Payment Confirmation.scr (7 entries)
- PID 1268, RegSvcs.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 1268, RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege (PID 3044, Payment Confirmation.scr)
- Token: SeDebugPrivilege (PID 1268, RegSvcs.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 3044 wrote to memory of 4608 (process: Payment Confirmation.scr, PID 3044; target process: schtasks.exe), 3 entries
- PID 3044 wrote to memory of 1268 (process: Payment Confirmation.scr, PID 3044; target process: RegSvcs.exe), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.scr (PID 3044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Confirmation.scr" /S
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (PID 4608)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5275.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1268)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5275.tmp
  Filesize: 1KB
  MD5: ab9f8a9574d9209cd8666decb37e33cc
  SHA1: b768b98d37b96bcf5eeeb4bae10589a196b66db2
  SHA256: 2c052172f943620c36053efd2ab1d6ef9fbb671c55669b9f49430f0f7acd7704
  SHA512: 5059538580cce17a2c7516e3117297310455e38ff32d51c6e17ef188448ce3567f9c968ad478df725ed2ce8630ceee2340246264a6e60877895591a67d45da70
- memory/1268-135-0x0000000000000000-mapping.dmp
- memory/1268-136-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1268-137-0x0000000005A00000-0x0000000005FA4000-memory.dmp (Filesize: 5.6MB)
- memory/1268-138-0x00000000053D0000-0x00000000053DA000-memory.dmp (Filesize: 40KB)
- memory/3044-130-0x0000000000770000-0x0000000000842000-memory.dmp (Filesize: 840KB)
- memory/3044-131-0x0000000007910000-0x00000000079AC000-memory.dmp (Filesize: 624KB)
- memory/3044-132-0x0000000007A50000-0x0000000007AE2000-memory.dmp (Filesize: 584KB)
- memory/4608-133-0x0000000000000000-mapping.dmp