Analysis
-
max time kernel
96s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
08-09-2022 04:52
Static task
static1
Behavioral task
behavioral1
Sample
Pay-In Slip·pdf.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Pay-In Slip·pdf.exe
Resource
win10v2004-20220812-en
General
-
Target
Pay-In Slip·pdf.exe
-
Size
346KB
-
MD5
8d4854f7d2c0efd244648435941eac95
-
SHA1
e2985e3ecc1ba7dd2d81ac7dba214e01dccaa9f7
-
SHA256
6605bf5c726be2c791f0e6611b9421443e4f655e0626fe8016f3dfcfea1db057
-
SHA512
841b5b9241e95af117176c70f829d3f7a33b2f55da68d7270a06914f609560b19b18c67bafb40c18c161db572b11dea7f5e2919e65bfbbdb10f23ed2801200fd
-
SSDEEP
6144:V/c/43AbmhXUQirdrt9ENYoTvGfKPGneudaKPvPSYn0Zn8f4lAFRJG3wDIMq2vd6:VR37XUTrdp9SYYOfKeneudb/SY2n8fet
Malware Config
Extracted
nanocore
1.2.2.0
master042.duckdns.org:2535
b5c6edd2-71c9-4e5f-8e64-7d4e8ff2379f
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2022-06-19T20:17:08.219933736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
2535
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
b5c6edd2-71c9-4e5f-8e64-7d4e8ff2379f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
master042.duckdns.org
-
primary_dns_server
press042.hopto.org
-
request_elevation
true
-
restart_delay
5000
-
run_delay
15
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Guloader,Cloudeye
A shellcode-based downloader first seen in 2020.
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes:
caspol.exe, Pay-In Slip·pdf.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | caspol.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Pay-In Slip·pdf.exe
-
Loads dropped DLL 2 IoCs
Processes:
Pay-In Slip·pdf.exe
pid | process
1056 | Pay-In Slip·pdf.exe
1056 | Pay-In Slip·pdf.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 2 IoCs
Processes:
Pay-In Slip·pdf.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Antiantienzyme.Cur | Pay-In Slip·pdf.exe
File opened for modification | C:\Windows\SysWOW64\Rosanilin\Forsigtighedsprincip\atropia\Guders.Trn | Pay-In Slip·pdf.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
caspol.exe
pid | process
940 | caspol.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Pay-In Slip·pdf.exe, caspol.exe
pid | process
1056 | Pay-In Slip·pdf.exe
940 | caspol.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Pay-In Slip·pdf.exe
description | pid | process | target process
PID 1056 set thread context of 940 | 1056 | Pay-In Slip·pdf.exe | caspol.exe
-
Drops file in Windows directory 1 IoCs
Processes:
Pay-In Slip·pdf.exe
description | ioc | process
File opened for modification | C:\Windows\Fonts\Resistensproblemet\Crossleted\Ansgtes\Ridderlfterne232.Tet | Pay-In Slip·pdf.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
caspol.exe
pid | process
940 | caspol.exe
940 | caspol.exe
940 | caspol.exe
940 | caspol.exe
940 | caspol.exe
940 | caspol.exe
940 | caspol.exe
940 | caspol.exe
940 | caspol.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
caspol.exe
pid | process
940 | caspol.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Pay-In Slip·pdf.exe
pid | process
1056 | Pay-In Slip·pdf.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
caspol.exe
description | pid | process
Token: SeDebugPrivilege | 940 | caspol.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Pay-In Slip·pdf.exe, caspol.exe
description | pid | process | target process
PID 1056 wrote to memory of 940 | 1056 | Pay-In Slip·pdf.exe | caspol.exe
PID 1056 wrote to memory of 940 | 1056 | Pay-In Slip·pdf.exe | caspol.exe
PID 1056 wrote to memory of 940 | 1056 | Pay-In Slip·pdf.exe | caspol.exe
PID 1056 wrote to memory of 940 | 1056 | Pay-In Slip·pdf.exe | caspol.exe
PID 1056 wrote to memory of 940 | 1056 | Pay-In Slip·pdf.exe | caspol.exe
PID 940 wrote to memory of 816 | 940 | caspol.exe | schtasks.exe
PID 940 wrote to memory of 816 | 940 | caspol.exe | schtasks.exe
PID 940 wrote to memory of 816 | 940 | caspol.exe | schtasks.exe
PID 940 wrote to memory of 816 | 940 | caspol.exe | schtasks.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\Pay-In Slip·pdf.exe
   "C:\Users\Admin\AppData\Local\Temp\Pay-In Slip·pdf.exe"
- Checks QEMU agent file
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
   "C:\Users\Admin\AppData\Local\Temp\Pay-In Slip·pdf.exe"
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
3. C:\Windows\SysWOW64\schtasks.exe
   "schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA12.tmp"
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpA12.tmp
Filesize 1KB
MD5 497f298fc157762f192a7c42854c6fb6
SHA1 04bec630f5cc64ea17c0e3e780b3ccf15a35c6e0
SHA256 3462cbe62fbb64fc53a0fcf97e43baafe9dd9929204f586a86afe4b89d8048a6
SHA512 c7c6fd3097f4d1ccd313160fedf7cb031644e0836b8c3e25481095e5f4b003759bc84fc6ea9421e3a090e66dc2ff875fec2f394a386691ab178cb164733411b2
-
\Users\Admin\AppData\Local\Temp\nsj2D99.tmp\Math.dll
Filesize 171KB
MD5 499788d1d4b70ea3499b6411ef5aca0c
SHA1 db7274f0c3beea8a2ed7df7fe3006b1ec965d13c
SHA256 6b6c63505ac093672cdc062ea23ea8fbb263204c9591c936dda896cba2c56504
SHA512 c566e94acf0d0de820fb2e7661b721a6fd23c6c5fe7b551b48e80b3c24b0d8de379fa2c53a653858e69dd0a8f6b98bf68a6d7425342f1ade1602ddaa2310c549
-
\Users\Admin\AppData\Local\Temp\nsj2D99.tmp\System.dll
Filesize 12KB
MD5 6c38da8922cc37b4bbb77de4a63ad843
SHA1 4e0533fd11df8bddbd543ed58df7b6060d9f4631
SHA256 1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1
SHA512 ad0be3d7e57da9c304e9b9cac5341b6c76b157456ab44f5579d6c38c830a31c9c3e1e9a875b8f465243c607ea2ede6b0bb77237f17a70a4d4c78606e036c3430
-
memory/816-75-0x0000000000000000-mapping.dmp
-
memory/940-70-0x0000000000400000-0x0000000000615000-memory.dmp
Filesize 2.1MB
-
memory/940-79-0x0000000000FE0000-0x0000000001020000-memory.dmp
Filesize 256KB
-
memory/940-62-0x0000000001128A9E-mapping.dmp
-
memory/940-83-0x0000000000FE0000-0x0000000001020000-memory.dmp
Filesize 256KB
-
memory/940-82-0x0000000073AB0000-0x000000007405B000-memory.dmp
Filesize 5.7MB
-
memory/940-65-0x0000000000080000-0x0000000000180000-memory.dmp
Filesize 1024KB
-
memory/940-81-0x0000000077C50000-0x0000000077DD0000-memory.dmp
Filesize 1.5MB
-
memory/940-68-0x0000000077A70000-0x0000000077C19000-memory.dmp
Filesize 1.7MB
-
memory/940-80-0x0000000077A70000-0x0000000077C19000-memory.dmp
Filesize 1.7MB
-
memory/940-71-0x0000000000401000-0x0000000000615000-memory.dmp
Filesize 2.1MB
-
memory/940-73-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/940-74-0x0000000073AB0000-0x000000007405B000-memory.dmp
Filesize 5.7MB
-
memory/1056-58-0x0000000003B70000-0x0000000003CAB000-memory.dmp
Filesize 1.2MB
-
memory/1056-57-0x0000000003B70000-0x0000000003CAB000-memory.dmp
Filesize 1.2MB
-
memory/1056-77-0x0000000003B70000-0x0000000003CAB000-memory.dmp
Filesize 1.2MB
-
memory/1056-78-0x0000000077C50000-0x0000000077DD0000-memory.dmp
Filesize 1.5MB
-
memory/1056-59-0x0000000077A70000-0x0000000077C19000-memory.dmp
Filesize 1.7MB
-
memory/1056-54-0x0000000075A71000-0x0000000075A73000-memory.dmp
Filesize 8KB
-
memory/1056-67-0x0000000077C50000-0x0000000077DD0000-memory.dmp
Filesize 1.5MB
-
memory/1056-64-0x0000000077C50000-0x0000000077DD0000-memory.dmp
Filesize 1.5MB
-
memory/1056-63-0x0000000077C50000-0x0000000077DD0000-memory.dmp
Filesize 1.5MB