Analysis
- max time kernel: 152s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: POEA-MANNING ADVISORY 2020-56.PDF.exe
- Resource: win7-20220414-en
General
- Target: POEA-MANNING ADVISORY 2020-56.PDF.exe
- Size: 1.1MB
- MD5: dfd8bd78c724d661a354312437e303de
- SHA1: 1ab0afb0cafb35b2218aefa34de78abec2eea298
- SHA256: 62a7f441ba21aaa568fe700029fa32d6dd7eeb2ed0a7f7259a680f2aae65ee31
- SHA512: e6cc3b297288cf0a361754d3a377ff89c8206382cedf044f7d2cc3bbc41b39e330a7acf2ede4fc2f353bf16cf2d23bceab17c1c385fec84876eb54b72a02ed37
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: alhabib4rec.freeddns.org:54985
- C2: alhabib4rec.ddns.net:54985
- Mutex: 241aa85d-c14f-4ebb-875d-fb86e35e90ef
- activate_away_mode: true
- backup_connection_host: alhabib4rec.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-05-22T04:20:45.642519636Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 54985
- default_group: AUGUST-LOGS
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 241aa85d-c14f-4ebb-875d-fb86e35e90ef
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: alhabib4rec.freeddns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 4216  sfoioh.pif
    PID 4716  RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (POEA-MANNING ADVISORY 2020-56.PDF.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (sfoioh.pif)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\29636000\\sfoioh.pif C:\\Users\\Admin\\29636000\\eqhp.lxk" (sfoioh.pif)
- Checks whether UAC is enabled
  Processes:
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4216 (sfoioh.pif) set thread context of PID 4716 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    PID 4216  sfoioh.pif (repeated entries)
    PID 4716  RegSvcs.exe (repeated entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 4716  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, PID 4716 (RegSvcs.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 4216  sfoioh.pif
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 1748 (POEA-MANNING ADVISORY 2020-56.PDF.exe) wrote to memory of PID 4216 (sfoioh.pif), 3 entries
    PID 4216 (sfoioh.pif) wrote to memory of PID 4716 (RegSvcs.exe), 5 entries
    PID 4716 (RegSvcs.exe) wrote to memory of PID 3512 (schtasks.exe), 3 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\POEA-MANNING ADVISORY 2020-56.PDF.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\POEA-MANNING ADVISORY 2020-56.PDF.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\29636000\sfoioh.pif
      Command line: "C:\Users\Admin\29636000\sfoioh.pif" eqhp.lxk
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3865.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\29636000\eqhp.lxk
  Filesize: 163.8MB
  MD5: dd9d3c284f145310191e54f38e77c612
  SHA1: a37372bc5fe3658da6b7aae1130b9704a1baa132
  SHA256: 32f2e39dc6ecfb1ec709ee20b3941718129eeb91379e25cc1555eed76fcb2124
  SHA512: 670dc9edf4b5ad1190461919e52ad0f87d28c6192f44b92275f4af550e35a737b23fc2932d6aa212f07a753877b0a9adb5edb2a3bd0698420285c5040fb110df
- C:\Users\Admin\29636000\gklhdwdnin.ico
  Filesize: 461KB
  MD5: 5d4efddc3fce2129f51b0c55ca44e3d7
  SHA1: 62df8b558d1ecdc40066c25bddadcef363151fda
  SHA256: 989aa53994b85502af0a163113363d90b28a800e9e1c26d52029ec3f581c6415
  SHA512: 708860e32eb396c775c8eb95e04b67c0c736da4d0c3644c9d2d2de4b94b31eec45df7aec077786ed52a5966f174883e32bf675d4ddce8b5167a27f4b9f83244f
- C:\Users\Admin\29636000\sfoioh.pif
  Filesize: 712KB
  MD5: 0ccbaaf7aec34840fcd7c27a8539c8a1
  SHA1: 30f905338f43c12abc44226e1a6211e16f3491d2
  SHA256: da606b2ce7c6d525844f1fdc751719c42ec59d662a8794104ca12eb5de280438
  SHA512: 04583d42685b0a904c08bcc7c4b360577ceff8e72f74133d856175df8c005e49a8ac2ae4d75bb764b4a9e0a8c7d7adfb12cf45caf70beaf52f273d1e39e7a0a9
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
- C:\Users\Admin\AppData\Local\Temp\tmp3865.tmp
  Filesize: 1KB
  MD5: 95aceabc58acad5d73372b0966ee1b35
  SHA1: 2293b7ad4793cf574b1a5220e85f329b5601040a
  SHA256: 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
  SHA512: 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74
- memory/3512-144-0x0000000000000000-mapping.dmp
- memory/4216-130-0x0000000000000000-mapping.dmp
- memory/4716-136-0x0000000000E1E792-mapping.dmp
- memory/4716-135-0x0000000000E00000-0x00000000012A5000-memory.dmp
  Filesize: 4.6MB
- memory/4716-139-0x0000000000E00000-0x0000000000E38000-memory.dmp
  Filesize: 224KB
- memory/4716-140-0x0000000005F60000-0x0000000006504000-memory.dmp
  Filesize: 5.6MB
- memory/4716-141-0x0000000005A50000-0x0000000005AE2000-memory.dmp
  Filesize: 584KB
- memory/4716-142-0x0000000005AF0000-0x0000000005B8C000-memory.dmp
  Filesize: 624KB
- memory/4716-143-0x0000000005A00000-0x0000000005A0A000-memory.dmp
  Filesize: 40KB