Analysis
max time kernel: 163s
max time network: 183s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 02:17

Static task: static1
Behavioral task: behavioral1
Sample: Proof Of Payment.scr
Resource: win7-20220414-en
General
Target: Proof Of Payment.scr
Size: 831KB
MD5: 22178eb7c68a50049e957fcf78b6515e
SHA1: 4e7788b3983bac98179aa70aaeb8f4e088191b90
SHA256: d0b5b67a47d70659712ff004c3d7e91b5027100bbd84db3407e9668ed6a408f1
SHA512: a6816c5e58519eff11beb22ba87023bbd1b9844fae6b7d23e41a23ce850c77c9643e688fe4a1cf7c509376ff873db6892892ef86ed74cfbeabd86f85edace623
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: harolds.ooguy.com:6051
C2: harold.2waky.com:6051
Mutex: 79556390-7150-4551-9067-10cd33e6482e

Attributes:
activate_away_mode: true
backup_connection_host: harold.2waky.com
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-04-28T08:36:06.976087436Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 6051
default_group: Acandy
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 79556390-7150-4551-9067-10cd33e6482e
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: harolds.ooguy.com
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Description | IoC | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Proof Of Payment.scr

Checks whether UAC is enabled 1 IoCs
Processes:
  Description | IoC | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Proof Of Payment.scr

Suspicious use of SetThreadContext 1 IoCs
Processes:
  Description | PID | Process | Target process
  PID 4036 set thread context of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
  PID | Process
  4036 | Proof Of Payment.scr
  4036 | Proof Of Payment.scr
  4036 | Proof Of Payment.scr
  4036 | Proof Of Payment.scr
  4668 | Proof Of Payment.scr
  4668 | Proof Of Payment.scr
  4668 | Proof Of Payment.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  PID | Process
  4668 | Proof Of Payment.scr

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Description | PID | Process
  Token: SeDebugPrivilege | 4036 | Proof Of Payment.scr
  Token: SeDebugPrivilege | 4668 | Proof Of Payment.scr

Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  Description | PID | Process | Target process
  PID 4036 wrote to memory of 2120 | 4036 | Proof Of Payment.scr | schtasks.exe
  PID 4036 wrote to memory of 2120 | 4036 | Proof Of Payment.scr | schtasks.exe
  PID 4036 wrote to memory of 2120 | 4036 | Proof Of Payment.scr | schtasks.exe
  PID 4036 wrote to memory of 4700 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4700 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4700 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4760 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4760 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4760 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
  PID 4036 wrote to memory of 4668 | 4036 | Proof Of Payment.scr | Proof Of Payment.scr
Processes

C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr" /S
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCjZPel" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
      Command line: "{path}"

    C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
      Command line: "{path}"

    C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
      Command line: "{path}"
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proof Of Payment.scr.log
  Filesize: 507B
  MD5: ab4c71d3ff6255edd4e5c1e09540f49e
  SHA1: 22e06bf4e258741b5df918061871cba998c50cea
  SHA256: 1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a
  SHA512: 8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp
  Filesize: 1KB
  MD5: eb44c85b5620e1ff7acc9ef4d13b665d
  SHA1: a18956d23d1fb893789ec7d075616f8328ef47d8
  SHA256: 0d4615d1faed2473561caa05c2ae39cc90e4c523205df3ecc32b161db12e5831
  SHA512: 950c63ce6bf70157aa82f61f407c04f1e6e9d3b720edb566a964e3ba0fbceeecc0f5f2334257460943fb8da8068c24c3648bf6b5d55e5444b593c1f5bfb96f5d

memory/2120-134-0x0000000000000000-mapping.dmp

memory/4036-130-0x0000000000F90000-0x0000000001066000-memory.dmp
  Filesize: 856KB

memory/4036-131-0x0000000005A00000-0x0000000005A9C000-memory.dmp
  Filesize: 624KB

memory/4036-132-0x0000000005AA0000-0x0000000005B32000-memory.dmp
  Filesize: 584KB

memory/4036-133-0x00000000067B0000-0x0000000006D54000-memory.dmp
  Filesize: 5.6MB

memory/4668-138-0x0000000000000000-mapping.dmp

memory/4668-139-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

memory/4668-141-0x00000000056E0000-0x00000000056EA000-memory.dmp
  Filesize: 40KB

memory/4700-136-0x0000000000000000-mapping.dmp

memory/4760-137-0x0000000000000000-mapping.dmp