Analysis
- max time kernel: 152s
- max time network: 181s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 18:41
Static task: static1
Behavioral task: behavioral1
Sample: PROOF OF PAYMENT.exe
Resource: win7-20220414-en
General
- Target: PROOF OF PAYMENT.exe
- Size: 1.4MB
- MD5: 9a077bd0268cea0a1eea13d7ff75a691
- SHA1: a4f20bd9e3083afb7dd60d5b06436075591e6619
- SHA256: 522eeb43150a93e0dd1308403baf27e10ca4042330e6405e87913683f3f6a67a
- SHA512: 0165b5e0e41be712ea3ee677cd860488c7154d5bd070f375c4cba78b429921254aae97adc3c4431a1d6f7a0086b0b69bb4707f3d481b0004d0d07fbdb1ebaadb
Malware Config
Extracted
nanocore
1.2.2.0
antonlmcmotor.ddns.net:3190
262bd9a6-fed5-40b1-be60-47588f2277bb
- activate_away_mode: true
- backup_connection_host: antonlmcmotor.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-06T10:01:36.466293536Z
- bypass_user_account_control: true
- bypass_user_account_control_data
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3190
- default_group: 2020 reformat
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 262bd9a6-fed5-40b1-be60-47588f2277bb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: antonlmcmotor.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Drops startup file (1 IoCs)
  Processes: PROOF OF PAYMENT.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chgport.url | PROOF OF PAYMENT.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: MSBuild.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe" | MSBuild.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PROOF OF PAYMENT.exe
  description | pid | process | target process
  PID 1728 set thread context of 1944 | 1728 | PROOF OF PAYMENT.exe | MSBuild.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: MSBuild.exe
  description | ioc | process
  File created | C:\Program Files (x86)\ARP Service\arpsvc.exe | MSBuild.exe
  File opened for modification | C:\Program Files (x86)\ARP Service\arpsvc.exe | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: MSBuild.exe
  pid | process
  1944 | MSBuild.exe
  1944 | MSBuild.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: MSBuild.exe
  pid | process
  1944 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 1944 | MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: PROOF OF PAYMENT.exe
  pid | process
  1728 | PROOF OF PAYMENT.exe
  1728 | PROOF OF PAYMENT.exe
  1728 | PROOF OF PAYMENT.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: PROOF OF PAYMENT.exe
  pid | process
  1728 | PROOF OF PAYMENT.exe
  1728 | PROOF OF PAYMENT.exe
  1728 | PROOF OF PAYMENT.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: PROOF OF PAYMENT.exe
  description | pid | process | target process
  PID 1728 wrote to memory of 1944 | 1728 | PROOF OF PAYMENT.exe | MSBuild.exe
  PID 1728 wrote to memory of 1944 | 1728 | PROOF OF PAYMENT.exe | MSBuild.exe
  PID 1728 wrote to memory of 1944 | 1728 | PROOF OF PAYMENT.exe | MSBuild.exe
  PID 1728 wrote to memory of 1944 | 1728 | PROOF OF PAYMENT.exe | MSBuild.exe
  PID 1728 wrote to memory of 1944 | 1728 | PROOF OF PAYMENT.exe | MSBuild.exe
  PID 1728 wrote to memory of 1944 | 1728 | PROOF OF PAYMENT.exe | MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1728-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize 8KB)
- memory/1728-64-0x0000000000DF0000-0x0000000000E56000-memory.dmp (Filesize 408KB)
- memory/1728-65-0x00000000028F0000-0x0000000002956000-memory.dmp (Filesize 408KB)
- memory/1944-55-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/1944-57-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/1944-62-0x000000000041E792-mapping.dmp
- memory/1944-63-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/1944-66-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/1944-68-0x00000000747E0000-0x0000000074D8B000-memory.dmp (Filesize 5.7MB)
- memory/1944-69-0x0000000002146000-0x0000000002157000-memory.dmp (Filesize 68KB)