Analysis

max time kernel: 158s
max time network: 160s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 18:40
Static task: static1
Behavioral task: behavioral1
Sample: UNPAID BILLING INVOICE APRIL 2020.PDF.exe
Resource: win7-20220414-en

General

Target: UNPAID BILLING INVOICE APRIL 2020.PDF.exe
Size: 1.1MB
MD5: 2c51d508e952e74dff3622fce3067988
SHA1: 8f4e9008be3b4332d21eff90965c8abf7f82a088
SHA256: a94d174668553fbeb3c27e3194f9cef33d0d24ca56891658911bfdd7451ae9f8
SHA512: b93642b5feb79d2230130d8e4bffc073a449bd6bf96aa25e9a7cf506e6df1c7ff93bffa74978338dabea985b6cf3dc762c0b2ffddaf8c5fc567aea43b4ed054b
Note: the double extension ".PDF.exe" is a masquerading trick. With Explorer's default "hide extensions for known file types" setting the file is displayed as "UNPAID BILLING INVOICE APRIL 2020.PDF", which is what the lure relies on.
Malware Config

Extracted: nanocore 1.2.2.0
C2: aashkanani22.casacam.net:54985, aashkanani22.ddns.net:54985 (both are dynamic-DNS hostnames, so block or alert on the names and the port rather than on whatever IP they resolved to at analysis time)
Mutex: 81f9209a-84c0-4e4f-8b18-1c30549233d2

activate_away_mode: true
backup_connection_host: aashkanani22.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-22T05:36:42.462642636Z
bypass_user_account_control: false
bypass_user_account_control_data: [value not shown]
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54985
default_group: JUNE-2020
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760 bytes, i.e. 10 MiB)
mutex: 81f9209a-84c0-4e4f-8b18-1c30549233d2
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: aashkanani22.casacam.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes: PID 320 puxshtsj.pif; PID 748 RegSvcs.exe

Loads dropped DLL (5 IoCs)
Processes: PID 1756 UNPAID BILLING INVOICE APRIL 2020.PDF.exe (4 loads); PID 320 puxshtsj.pif (1 load)

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: PID 320 puxshtsj.pif
  Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\81302821\\puxshtsj.pif 0\\81302821\\lujmrbtsow.gpe"
  Note: this is the machine-wide (HKLM) Run key as seen by a 32-bit process (Wow6432Node). The value name imitates Windows Update, the image is a .pif in the numeric directory C:\Users\Admin\81302821, and the argument lujmrbtsow.gpe is the 214.4 MB file dropped alongside it.

Checks whether UAC is enabled
Process: PID 748 RegSvcs.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  (Consistent with the extracted configuration: request_elevation is true, bypass_user_account_control is false.)

Suspicious use of SetThreadContext (1 IoC)
PID 320 (puxshtsj.pif) set thread context of PID 748 (RegSvcs.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "Likely ransomware behaviour"; that reading does not fit this sample, whose extracted configuration identifies it as the NanoCore RAT. Drive enumeration on its own is not specific to ransomware.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: PID 748 RegSvcs.exe (6 events); PID 320 puxshtsj.pif (the remaining 58)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process: PID 748 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: PID 748 RegSvcs.exe, Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1756 (UNPAID BILLING INVOICE APRIL 2020.PDF.exe) wrote to memory of PID 320 (puxshtsj.pif): 4 events
  PID 320 (puxshtsj.pif) wrote to memory of PID 748 (RegSvcs.exe): 9 events
  PID 748 (RegSvcs.exe) wrote to memory of PID 1444 (schtasks.exe): 4 events
  Note: the 320 -> 748 writes combined with the SetThreadContext call above are the classic process-hollowing sequence: puxshtsj.pif starts the dropped RegSvcs.exe, overwrites its memory and redirects its thread. Everything attributed to PID 748 after that point (the EnableLUA check, SeDebugPrivilege, foreground-window polling, the schtasks child) is best read as the NanoCore payload running under the RegSvcs.exe name.
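The WriteProcessMemory and SetThreadContext entries above are the raw material for a hollowing detection. The following Python is an added example, not part of the sandbox report or its tooling: it parses event lines in a hypothetical flattened shape modelled on those entries (the sample lines are constructed from this report's PIDs and image names, with repeats collapsed), flags a parent/child pair that both wrote to the child's memory and reset its thread context, and then flags whatever the injected process itself goes on to write to. The 1756 -> 320 writes are deliberately not flagged on their own, because memory writes without a context change are the lower-signal half of the pattern.

```python
"""Correlate sandbox memory-write and thread-context events into an injection finding.

Added example; not part of the sandbox report. The event line shape is a
hypothetical flattening of the report's WriteProcessMemory / SetThreadContext
entries, and SAMPLE_LINES is constructed from the PIDs and names on the page.
"""
import re

# Constructed sample input mirroring the report's entries (repeats collapsed).
SAMPLE_LINES = """\
PID 1756 wrote to memory of 320 1756 UNPAID BILLING INVOICE APRIL 2020.PDF.exe puxshtsj.pif
PID 1756 wrote to memory of 320 1756 UNPAID BILLING INVOICE APRIL 2020.PDF.exe puxshtsj.pif
PID 320 wrote to memory of 748 320 puxshtsj.pif RegSvcs.exe
PID 320 wrote to memory of 748 320 puxshtsj.pif RegSvcs.exe
PID 320 wrote to memory of 748 320 puxshtsj.pif RegSvcs.exe
PID 320 set thread context of 748 320 puxshtsj.pif RegSvcs.exe
PID 748 wrote to memory of 1444 748 RegSvcs.exe schtasks.exe
"""

# "PID <src> <verb> <dst> <src> <src image, may contain spaces> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>.+) (?P<dst_name>\S+)$"
)


def parse_events(text):
    """Turn flattened signature lines into (src, dst, kind, src_name, dst_name) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # headers or lines in another shape are ignored
        kind = "write" if m["verb"].startswith("wrote") else "set_ctx"
        events.append((int(m["src"]), int(m["dst"]), kind, m["src_name"], m["dst_name"]))
    return events


def correlate(text):
    """Flag parent->child pairs that both wrote memory and reset a thread context,
    then flag anything the injected process itself writes to afterwards."""
    pairs = {}
    for src, dst, kind, src_name, dst_name in parse_events(text):
        rec = pairs.setdefault((src, dst), {"src_name": src_name, "dst_name": dst_name,
                                            "write": 0, "set_ctx": 0})
        rec[kind] += 1

    findings, injected = [], set()
    for (src, dst), rec in sorted(pairs.items()):
        if rec["write"] and rec["set_ctx"]:
            injected.add(dst)
            findings.append({"rule": "thread_context_injection", "src": src, "dst": dst,
                             "src_name": rec["src_name"], "dst_name": rec["dst_name"],
                             "writes": rec["write"]})
    for (src, dst), rec in sorted(pairs.items()):
        if src in injected and rec["write"]:
            findings.append({"rule": "child_of_injected_process", "src": src, "dst": dst,
                             "src_name": rec["src_name"], "dst_name": rec["dst_name"],
                             "writes": rec["write"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LINES):
        print(finding)
```

Run stand-alone it prints one injection finding for 320 -> 748 (RegSvcs.exe) and one follow-on finding for 748 -> 1444 (schtasks.exe). The second rule is the useful part for triage: once a process is known to be hollowed, its children inherit the suspicion regardless of how benign their image names look.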
Processes

1. C:\Users\Admin\AppData\Local\Temp\UNPAID BILLING INVOICE APRIL 2020.PDF.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\UNPAID BILLING INVOICE APRIL 2020.PDF.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\81302821\puxshtsj.pif
      Command line: "C:\Users\Admin\81302821\puxshtsj.pif" lujmrbtsow.gpe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         Note: RegSvcs.exe is the name of the .NET Services Installation Tool, which normally lives under %WINDIR%\Microsoft.NET\Framework\<version>\; a 44 KB RegSvcs.exe executing from %TEMP% is a dropped copy used as a hollowing host, so path-based checks catch it where name-based allow-lists do not.

         4. C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3100.tmp"
            - Creates scheduled task(s)
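Both persistence artefacts in this tree, the Run value written by puxshtsj.pif and the schtasks invocation from the hollowed RegSvcs.exe, can be scored with simple command-line heuristics. The Python below is an added example rather than the sandbox's own code: the extension list, the look-alike-name list and the Temp-path patterns are its own assumptions, and the inputs are constructed from the values above (the Run value is used with single backslashes, on the assumption that the report's doubled backslashes are an escaped rendering). A benign OneDrive autostart is included for contrast so the heuristics can be seen not firing.

```python
"""Score Run-key and schtasks persistence artefacts with command-line heuristics.

Added example, not the sandbox's own code. The extension/lookalike lists and
the Temp-path patterns are this example's assumptions; the inputs below are
constructed from the values in the report.
"""
import ntpath
import re
import shlex

# Autostart image types that legitimate installers almost never register (assumption).
ODD_AUTOSTART_EXT = {".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".hta"}
# Value names that imitate Windows components (assumption; extend per environment).
LOOKALIKE_NAMES = {"windowsupdate", "svchost", "explorer", "microsoft", "windowsdefender"}
# Extensions that are plausible as a plain argument to an autostart entry (assumption).
ORDINARY_ARG_EXT = {".exe", ".dll", ".txt", ".log", ".ini", ".xml", ".json", ".lnk"}
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|%[^%]+%)")
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\")


def split_command(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [tok.strip('"') for tok in shlex.split(cmd, posix=False)]


def assess_run_value(name, value):
    """Reasons a ...\\CurrentVersion\\Run value looks like malware persistence."""
    reasons = []
    tokens = split_command(value)
    image = tokens[0] if tokens else ""
    if not ABS_PATH_RE.match(image):
        reasons.append("relative-path")  # resolves against whatever cwd the loader runs with
    if ntpath.splitext(image)[1].lower() in ODD_AUTOSTART_EXT:
        reasons.append("uncommon-extension")
    if re.sub(r"[\s_-]", "", name.lower()) in LOOKALIKE_NAMES:
        reasons.append("lookalike-name")
    for arg in tokens[1:]:
        ext = ntpath.splitext(arg)[1].lower()
        if ext and ext not in ORDINARY_ARG_EXT and not arg.startswith(("/", "-")):
            reasons.append("opaque-payload-argument")  # e.g. a blob the loader decrypts
            break
    return reasons


def assess_schtasks(cmdline):
    """Reasons a schtasks.exe /create invocation looks like malware persistence."""
    tokens = split_command(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() != "schtasks.exe":
        return []
    # Map each /switch to the token that follows it ("" when it is the last token).
    flags = {t.lower(): (tokens[i + 1] if i + 1 < len(tokens) else "")
             for i, t in enumerate(tokens) if t.startswith("/")}
    if "/create" not in flags:
        return []
    reasons = []
    xml = flags.get("/xml", "")
    if TEMP_DIR_RE.search(xml.lower()):
        reasons.append("task-xml-from-temp")  # definition staged in Temp, usually deleted after
    if re.fullmatch(r"tmp[0-9a-f]{4}\.tmp", ntpath.basename(xml).lower()):
        reasons.append("autogenerated-tmp-name")  # GetTempFileName-style name
    if "/f" in flags:
        reasons.append("forced-overwrite")
    return reasons


# Constructed inputs: the report's two artefacts plus one benign autostart for contrast.
RUN_VALUE = ("WindowsUpdate", r"0\81302821\puxshtsj.pif 0\81302821\lujmrbtsow.gpe")
SCHTASKS_CMD = (r'"schtasks.exe" /create /f /tn "WPA Subsystem" '
                r'/xml "C:\Users\Admin\AppData\Local\Temp\tmp3100.tmp"')
BENIGN_RUN = ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')

if __name__ == "__main__":
    print("Run value:", assess_run_value(*RUN_VALUE))
    print("schtasks: ", assess_schtasks(SCHTASKS_CMD))
    print("benign:   ", assess_run_value(*BENIGN_RUN))
```

The Run value from this report trips all four checks and the schtasks line trips three, while the OneDrive entry returns an empty list. In a detection pipeline each reason would carry a weight; a relative path or a .pif image is enough on its own to pull a Run entry for review, whereas a /xml task definition from Temp is mainly worth alerting on in combination with the /f overwrite and an autogenerated file name.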
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\81302821\lujmrbtsow.gpe
Filesize: 214.4MB
MD5: c364085ef46c97d0b3d5846976de7d69
SHA1: 2cb1760323891da3d1e92aa649e9856029b6a962
SHA256: 084aa55282acba4c34db3424ec94ed8a3c8016ba7eb75af64b76cf08fd67f46f
SHA512: c9507a1d0ad3021db91245998c42921c7eeb636773ee51ed92d534798707409ecf036fcb41ae29c97aaa1cc16b01d9ff59ab77612d3b96d89cacf59b89d257c1
Note: 214.4 MB is far more than the payload needs (the region later seen in memory is 5.8 MB); companion files inflated like this are a common way to stay above the size limits of AV scanners and sandbox upload forms.

C:\Users\Admin\81302821\puxshtsj.pif
Filesize: 655KB
MD5: a75bc752c50fb74f7597c2bb59b93d43
SHA1: d2dcd3d104b6b04f0828844aeda188798669b41f
SHA256: 877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee
SHA512: e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

C:\Users\Admin\81302821\ufcppr.txt
Filesize: 459KB
MD5: ce7e39ca5dacbc7de06f3784a5f965e7
SHA1: 6377a22c9532af6b1ad6f591b3907d2a17d6dca1
SHA256: 400a340a3746e8f52d7251d8f82852844f71d728ee6050abc3990c7296e15642
SHA512: c88ed4e779b5e6154117012a136df4d539f480ee70abe65cf2a64f9dcbedb1ce90f8b8e0297eb1bc36d51d658138deaa10c09945bdb7ae7cf1c6a8fbb31b13d3

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize: 44KB
MD5: 0e06054beb13192588e745ee63a84173
SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
C:\Users\Admin\AppData\Local\Temp\tmp3100.tmp
Filesize: 1KB
MD5: 95aceabc58acad5d73372b0966ee1b35
SHA1: 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256: 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512: 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74
Note: this is the task definition XML passed to schtasks.exe /xml in the process tree above; it is the file to pull if the task's trigger and action need to be confirmed.

\Users\Admin\81302821\puxshtsj.pif
Filesize: 655KB
MD5: a75bc752c50fb74f7597c2bb59b93d43
SHA1: d2dcd3d104b6b04f0828844aeda188798669b41f
SHA256: 877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee
SHA512: e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize: 44KB
MD5: 0e06054beb13192588e745ee63a84173
SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Memory dumps

memory/320-59-0x0000000000000000-mapping.dmp
memory/748-65-0x0000000000350000-0x000000000091C000-memory.dmp (Filesize: 5.8MB)
memory/748-68-0x000000000036E792-mapping.dmp
memory/748-71-0x0000000000350000-0x000000000091C000-memory.dmp (Filesize: 5.8MB)
memory/748-73-0x0000000000350000-0x000000000091C000-memory.dmp (Filesize: 5.8MB)
memory/748-67-0x0000000000350000-0x000000000091C000-memory.dmp (Filesize: 5.8MB)
memory/748-75-0x0000000000350000-0x0000000000388000-memory.dmp (Filesize: 224KB)
memory/748-79-0x0000000000BE0000-0x0000000000BEA000-memory.dmp (Filesize: 40KB)
memory/748-80-0x0000000000BF0000-0x0000000000C0E000-memory.dmp (Filesize: 120KB)
memory/748-81-0x0000000000C10000-0x0000000000C1A000-memory.dmp (Filesize: 40KB)
memory/1444-77-0x0000000000000000-mapping.dmp
memory/1756-54-0x00000000750C1000-0x00000000750C3000-memory.dmp (Filesize: 8KB)

Note: the 5.8 MB region at 0x350000-0x91C000 in PID 748 is far larger than the 44 KB RegSvcs.exe on disk, and the mapping entry at 0x36E792 falls inside it. That region is the injected NanoCore image, so the 748 memory dumps, not the dropped RegSvcs.exe, are what to pull for unpacked-payload analysis and signature writing.