Analysis
- max time kernel: 143s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:31
Static task: static1
Behavioral task: behavioral1
Sample: PROOF OF PAYMENTS.exe
Resource: win7-20220414-en
General
- Target: PROOF OF PAYMENTS.exe
- Size: 400KB
- MD5: 6fe50a531deded71af1475baa734000f
- SHA1: 306f85e89241b6ee2fe694cb429b5afedf7a2f1c
- SHA256: 99e8759e702f1bec43e3646d6c217523a4062918226541899ba710f37c51a12c
- SHA512: 7867169981aa43d1afa21552a6fe775d334759872cf892cb4d251e8131c4edb399739f5ed4163201d0b09d07907d5e6d53406f64051cc9c6fdb048ba4d77163a
Malware Config
Extracted
  Family: nanocore
  Version: 1.2.2.0
  C2: nansedd.duckdns.org:2133
  Mutex: 8a218e14-a254-4eb4-9877-54145473a0a1
- activate_away_mode: true
- backup_connection_host: nansedd.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-17T09:36:09.474374836Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 2133
- default_group: BACK ON
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 8a218e14-a254-4eb4-9877-54145473a0a1
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: nansedd.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: PROOF OF PAYMENTS.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe" | PROOF OF PAYMENTS.exe
- Checks whether UAC is enabled
  Processes: PROOF OF PAYMENTS.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | PROOF OF PAYMENTS.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PROOF OF PAYMENTS.exe
  description | pid | process | target process
  PID 4528 set thread context of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: PROOF OF PAYMENTS.exe
  description | ioc | process
  File created | C:\Program Files (x86)\WPA Monitor\wpamon.exe | PROOF OF PAYMENTS.exe
  File opened for modification | C:\Program Files (x86)\WPA Monitor\wpamon.exe | PROOF OF PAYMENTS.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PROOF OF PAYMENTS.exe, PROOF OF PAYMENTS.exe
  pid | process
  4528 | PROOF OF PAYMENTS.exe
  4872 | PROOF OF PAYMENTS.exe
  4872 | PROOF OF PAYMENTS.exe
  4872 | PROOF OF PAYMENTS.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: PROOF OF PAYMENTS.exe
  pid | process
  4872 | PROOF OF PAYMENTS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PROOF OF PAYMENTS.exe, PROOF OF PAYMENTS.exe
  description | pid | process
  Token: SeDebugPrivilege | 4528 | PROOF OF PAYMENTS.exe
  Token: SeDebugPrivilege | 4872 | PROOF OF PAYMENTS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: PROOF OF PAYMENTS.exe
  description | pid | process | target process
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
  PID 4528 wrote to memory of 4872 | 4528 | PROOF OF PAYMENTS.exe | PROOF OF PAYMENTS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENTS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENTS.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENTS.exe
    Command line: "{path}"
    Depth: 2 (child of the process above)
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  Depth: 1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4528-130-0x0000000000780000-0x00000000007EA000-memory.dmp (Filesize: 424KB)
- memory/4528-131-0x00000000056A0000-0x0000000005C44000-memory.dmp (Filesize: 5.6MB)
- memory/4528-132-0x0000000005190000-0x0000000005222000-memory.dmp (Filesize: 584KB)
- memory/4528-133-0x0000000005340000-0x000000000534A000-memory.dmp (Filesize: 40KB)
- memory/4528-134-0x00000000077D0000-0x000000000786C000-memory.dmp (Filesize: 624KB)
- memory/4872-135-0x0000000000000000-mapping.dmp
- memory/4872-136-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)