Analysis
max time kernel: 170s
max time network: 178s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 02:17
Static task: static1
Behavioral task: behavioral1
Sample: Proof Of Payment.scr
Resource: win7-20220414-en
General
Target: Proof Of Payment.scr
Size: 831KB
MD5: 22178eb7c68a50049e957fcf78b6515e
SHA1: 4e7788b3983bac98179aa70aaeb8f4e088191b90
SHA256: d0b5b67a47d70659712ff004c3d7e91b5027100bbd84db3407e9668ed6a408f1
SHA512: a6816c5e58519eff11beb22ba87023bbd1b9844fae6b7d23e41a23ce850c77c9643e688fe4a1cf7c509376ff873db6892892ef86ed74cfbeabd86f85edace623
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
Hosts: harolds.ooguy.com:6051, harold.2waky.com:6051
Mutex: 79556390-7150-4551-9067-10cd33e6482e

activate_away_mode: true
backup_connection_host: harold.2waky.com
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-04-28T08:36:06.976087436Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 6051
default_group: Acandy
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 79556390-7150-4551-9067-10cd33e6482e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: harolds.ooguy.com
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks whether UAC is enabled
Processes: Proof Of Payment.scr
  description         ioc                                                                                 process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Proof Of Payment.scr

Suspicious use of SetThreadContext (1 IoC)
Processes: Proof Of Payment.scr
  description                            pid    process                target process
  PID 1740 set thread context of 2044    1740   Proof Of Payment.scr   Proof Of Payment.scr

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Proof Of Payment.scr
  pid    process
  2044   Proof Of Payment.scr
  2044   Proof Of Payment.scr

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Proof Of Payment.scr
  pid    process
  2044   Proof Of Payment.scr

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: Proof Of Payment.scr
  description               pid    process
  Token: SeDebugPrivilege   2044   Proof Of Payment.scr

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: Proof Of Payment.scr
  description                         pid    process                target process
  PID 1740 wrote to memory of 1108    1740   Proof Of Payment.scr   schtasks.exe           (4 occurrences)
  PID 1740 wrote to memory of 2044    1740   Proof Of Payment.scr   Proof Of Payment.scr   (9 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr (PID 1740)
  command line: "C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  child: C:\Windows\SysWOW64\schtasks.exe (PID 1108)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCjZPel" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D13.tmp"
    - Creates scheduled task(s)

  child: C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr (PID 2044)
    command line: "{path}"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp1D13.tmp
  Filesize: 1KB
  MD5: a47179f6ee5c99368b68ecc151bf8af9
  SHA1: 382cf2a287290849a574427c2554ff484286b7c0
  SHA256: b0b0afc803568f48e92d97b358ff0ca25064dd5aea80336c6dfc4544a0dc163d
  SHA512: 51da1b0a089b51361da057249334643c8818187d00304c4f0bce2e931b42638553322764daf89b1dfd7f4ca5b18ba8699bde48fe027d742915dabba32eb984a3

memory/1108-58-0x0000000000000000-mapping.dmp
memory/1740-54-0x0000000000DC0000-0x0000000000E96000-memory.dmp   Filesize: 856KB
memory/1740-55-0x00000000002E0000-0x00000000002EA000-memory.dmp   Filesize: 40KB
memory/1740-56-0x0000000000A60000-0x0000000000AA0000-memory.dmp   Filesize: 256KB
memory/1740-57-0x00000000752A1000-0x00000000752A3000-memory.dmp   Filesize: 8KB
memory/2044-63-0x0000000000400000-0x0000000000438000-memory.dmp   Filesize: 224KB
memory/2044-61-0x0000000000400000-0x0000000000438000-memory.dmp   Filesize: 224KB
memory/2044-60-0x0000000000400000-0x0000000000438000-memory.dmp   Filesize: 224KB
memory/2044-64-0x0000000000400000-0x0000000000438000-memory.dmp   Filesize: 224KB
memory/2044-66-0x0000000000400000-0x0000000000438000-memory.dmp   Filesize: 224KB
memory/2044-67-0x000000000041E792-mapping.dmp
memory/2044-69-0x0000000000400000-0x0000000000438000-memory.dmp   Filesize: 224KB
memory/2044-71-0x0000000000400000-0x0000000000438000-memory.dmp   Filesize: 224KB
memory/2044-73-0x0000000000480000-0x000000000048A000-memory.dmp   Filesize: 40KB
memory/2044-74-0x0000000000530000-0x000000000054E000-memory.dmp   Filesize: 120KB
memory/2044-75-0x00000000004A0000-0x00000000004AA000-memory.dmp   Filesize: 40KB