Analysis
Max time kernel: 152s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 18:40
Static task: static1
Behavioral task: behavioral1
Sample: UNPAID BILLING INVOICE APRIL 2020.PDF.exe
Resource: win7-20220414-en
General
Target: UNPAID BILLING INVOICE APRIL 2020.PDF.exe
Size: 1.1MB
MD5: 2c51d508e952e74dff3622fce3067988
SHA1: 8f4e9008be3b4332d21eff90965c8abf7f82a088
SHA256: a94d174668553fbeb3c27e3194f9cef33d0d24ca56891658911bfdd7451ae9f8
SHA512: b93642b5feb79d2230130d8e4bffc073a449bd6bf96aa25e9a7cf506e6df1c7ff93bffa74978338dabea985b6cf3dc762c0b2ffddaf8c5fc567aea43b4ed054b
Malware Config
Extracted: nanocore
Version: 1.2.2.0
C2: aashkanani22.casacam.net:54985, aashkanani22.ddns.net:54985
Mutex: 81f9209a-84c0-4e4f-8b18-1c30549233d2

Attributes:
activate_away_mode: true
backup_connection_host: aashkanani22.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-22T05:36:42.462642636Z
bypass_user_account_control: false
bypass_user_account_control_data: (value not present in this copy of the report)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 54985
default_group: JUNE-2020
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 81f9209a-84c0-4e4f-8b18-1c30549233d2
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: aashkanani22.casacam.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 4764 puxshtsj.pif
- 212 RegSvcs.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | UNPAID BILLING INVOICE APRIL 2020.PDF.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | puxshtsj.pif
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\81302821\\puxshtsj.pif 0\\81302821\\lujmrbtsow.gpe" | puxshtsj.pif

Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegSvcs.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 4764 set thread context of 212 | 4764 | puxshtsj.pif | RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process), identical rows collapsed:
- 212 RegSvcs.exe (7 entries)
- 4764 puxshtsj.pif (57 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 212 RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
- Token: SeDebugPrivilege | 212 | RegSvcs.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process), identical rows collapsed:
- PID 1544 wrote to memory of 4764 | 1544 | UNPAID BILLING INVOICE APRIL 2020.PDF.exe | puxshtsj.pif (3 entries)
- PID 4764 wrote to memory of 212 | 4764 | puxshtsj.pif | RegSvcs.exe (5 entries)
- PID 212 wrote to memory of 4432 | 212 | RegSvcs.exe | schtasks.exe (3 entries)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\UNPAID BILLING INVOICE APRIL 2020.PDF.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\UNPAID BILLING INVOICE APRIL 2020.PDF.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\81302821\puxshtsj.pif
  Command line: "C:\Users\Admin\81302821\puxshtsj.pif" lujmrbtsow.gpe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp39CD.tmp"
      - Creates scheduled task(s)
Downloads

C:\Users\Admin\81302821\lujmrbtsow.gpe
Filesize: 214.4MB
MD5: c364085ef46c97d0b3d5846976de7d69
SHA1: 2cb1760323891da3d1e92aa649e9856029b6a962
SHA256: 084aa55282acba4c34db3424ec94ed8a3c8016ba7eb75af64b76cf08fd67f46f
SHA512: c9507a1d0ad3021db91245998c42921c7eeb636773ee51ed92d534798707409ecf036fcb41ae29c97aaa1cc16b01d9ff59ab77612d3b96d89cacf59b89d257c1

C:\Users\Admin\81302821\puxshtsj.pif
Filesize: 655KB
MD5: a75bc752c50fb74f7597c2bb59b93d43
SHA1: d2dcd3d104b6b04f0828844aeda188798669b41f
SHA256: 877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee
SHA512: e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97
C:\Users\Admin\81302821\ufcppr.txt
Filesize: 459KB
MD5: ce7e39ca5dacbc7de06f3784a5f965e7
SHA1: 6377a22c9532af6b1ad6f591b3907d2a17d6dca1
SHA256: 400a340a3746e8f52d7251d8f82852844f71d728ee6050abc3990c7296e15642
SHA512: c88ed4e779b5e6154117012a136df4d539f480ee70abe65cf2a64f9dcbedb1ce90f8b8e0297eb1bc36d51d658138deaa10c09945bdb7ae7cf1c6a8fbb31b13d3

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize: 44KB
MD5: 9d352bc46709f0cb5ec974633a0c3c94
SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
C:\Users\Admin\AppData\Local\Temp\tmp39CD.tmp
Filesize: 1KB
MD5: 95aceabc58acad5d73372b0966ee1b35
SHA1: 2293b7ad4793cf574b1a5220e85f329b5601040a
SHA256: 8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4
SHA512: 00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

Memory dumps:
- memory/212-139-0x000000000131E792-mapping.dmp
- memory/212-138-0x0000000001300000-0x00000000017AA000-memory.dmp (Filesize: 4.7MB)
- memory/212-142-0x0000000001300000-0x0000000001338000-memory.dmp (Filesize: 224KB)
- memory/212-143-0x00000000063A0000-0x0000000006944000-memory.dmp (Filesize: 5.6MB)
- memory/212-144-0x0000000005D10000-0x0000000005DA2000-memory.dmp (Filesize: 584KB)
- memory/212-145-0x0000000005E90000-0x0000000005F2C000-memory.dmp (Filesize: 624KB)
- memory/212-146-0x0000000005DC0000-0x0000000005DCA000-memory.dmp (Filesize: 40KB)
- memory/4432-147-0x0000000000000000-mapping.dmp
- memory/4764-133-0x0000000000000000-mapping.dmp