Analysis
-
max time kernel
135s
-
max time network
151s
-
platform
windows7_x64
-
resource
win7-20220901-en
-
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted
08-09-2022 10:18
Static task
static1
Behavioral task
behavioral1
Sample
Re Remittance Advice.exe
Resource
win7-20220901-en
General
-
Target
Re Remittance Advice.exe
-
Size
566KB
-
MD5
0f69b38426bbbcb5528aaef9d7d6e054
-
SHA1
bbc0cec1892e41a0d854b33bf8d8f156367caf6b
-
SHA256
24584863e35b36fa2cd4285a6aafd6a117ea0585c5c92ddf289ab13b8af87622
-
SHA512
21bc78a63dc7aa27500261d43747ccf5589a95ebf9a866f7e68bdc8ec89c573a9352e1af438cb8360a29ceee63fb6788841f0f3399159e1f0069bd17abf59df8
-
SSDEEP
12288:XO8l02b1zzUFFiRU8WnSSW/FnILBTqZfs+StQPI:NlfzzUFAKLSSW+LBTq3A
Malware Config
Extracted
nanocore
1.2.2.0
brightnano1.ddns.net:1989
171.22.30.97:1989
fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe
-
activate_away_mode
true
-
backup_connection_host
171.22.30.97
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-06-10T14:34:05.030247036Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1989
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
brightnano1.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
1936  Bin.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description      ioc                                                                                                                                    process
Key created      \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run                               reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bin = "C:\\Users\\Admin\\Desktop\\Bin.exe"   reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"   RegAsm.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description        ioc                                                                                   process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RegAsm.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process  target process
PID 1936 set thread context of 916   1936  Bin.exe  RegAsm.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description                   ioc                                             process
File created                  C:\Program Files (x86)\AGP Manager\agpmgr.exe   RegAsm.exe
File opened for modification  C:\Program Files (x86)\AGP Manager\agpmgr.exe   RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid   process
1940  schtasks.exe
1588  schtasks.exe
-
Runs ping.exe 1 TTPs 3 IoCs
Processes:
pid   process
560   PING.EXE
1316  PING.EXE
1688  PING.EXE
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid   process
2016  Re Remittance Advice.exe
2016  Re Remittance Advice.exe
2016  Re Remittance Advice.exe
1936  Bin.exe
1936  Bin.exe
916   RegAsm.exe
916   RegAsm.exe
916   RegAsm.exe
916   RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2016  Re Remittance Advice.exe
Token: SeDebugPrivilege  1936  Bin.exe
Token: SeDebugPrivilege  916   RegAsm.exe
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
Each row below stands for the report entry "PID <pid> wrote to memory of <target pid>"; the entries column gives how many identical rows the report lists (48 in total).
pid   process                   target pid  target process  entries
2016  Re Remittance Advice.exe  368         cmd.exe         4
368   cmd.exe                   560         PING.EXE        4
2016  Re Remittance Advice.exe  1868        cmd.exe         4
1868  cmd.exe                   1316        PING.EXE        4
368   cmd.exe                   1988        reg.exe         4
1868  cmd.exe                   1688        PING.EXE        4
1868  cmd.exe                   1936        Bin.exe         4
1936  Bin.exe                   916         RegAsm.exe      12
916   RegAsm.exe                1940        schtasks.exe    4
916   RegAsm.exe                1588        schtasks.exe    4
Processes
-
C:\Users\Admin\AppData\Local\Temp\Re Remittance Advice.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Re Remittance Advice.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: "cmd" /c ping 127.0.0.1 -n 11 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Bin" /t REG_SZ /d "C:\Users\Admin\Desktop\Bin.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE (level 3)
Command line: ping 127.0.0.1 -n 11
- Runs ping.exe
-
C:\Windows\SysWOW64\reg.exe (level 3)
Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Bin" /t REG_SZ /d "C:\Users\Admin\Desktop\Bin.exe"
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exe (level 2)
Command line: "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Re Remittance Advice.exe" "C:\Users\Admin\Desktop\Bin.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\Desktop\Bin.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE (level 3)
Command line: ping 127.0.0.1 -n 20
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXE (level 3)
Command line: ping 127.0.0.1 -n 20
- Runs ping.exe
-
C:\Users\Admin\Desktop\Bin.exe (level 3)
Command line: "C:\Users\Admin\Desktop\Bin.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (level 4)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe (level 5)
Command line: "schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2AE8.tmp"
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe (level 5)
Command line: "schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2C02.tmp"
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp2AE8.tmp
Filesize 1KB
MD5 48ef7fa9033389ad7929d7a6b9d10298
SHA1 9db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA256 0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512 ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
-
C:\Users\Admin\AppData\Local\Temp\tmp2C02.tmp
Filesize 1KB
MD5 885d6dd30570594e167fadb59d9ca0ea
SHA1 9981e583644c4eb9cf5056615a0e1c2913c8983b
SHA256 7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2
SHA512 1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a
-
C:\Users\Admin\Desktop\Bin.exe
Filesize 566KB
MD5 0f69b38426bbbcb5528aaef9d7d6e054
SHA1 bbc0cec1892e41a0d854b33bf8d8f156367caf6b
SHA256 24584863e35b36fa2cd4285a6aafd6a117ea0585c5c92ddf289ab13b8af87622
SHA512 21bc78a63dc7aa27500261d43747ccf5589a95ebf9a866f7e68bdc8ec89c573a9352e1af438cb8360a29ceee63fb6788841f0f3399159e1f0069bd17abf59df8
-
memory/368-58-0x0000000000000000-mapping.dmp
-
memory/560-59-0x0000000000000000-mapping.dmp
-
memory/916-79-0x000000000041E792-mapping.dmp
-
memory/916-75-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/916-104-0x00000000010D5000-0x00000000010E6000-memory.dmp
Filesize 68KB
-
memory/916-93-0x0000000000A30000-0x0000000000A4A000-memory.dmp
Filesize 104KB
-
memory/916-103-0x00000000010B0000-0x00000000010C4000-memory.dmp
Filesize 80KB
-
memory/916-92-0x0000000000A20000-0x0000000000A32000-memory.dmp
Filesize 72KB
-
memory/916-102-0x00000000012C0000-0x00000000012EE000-memory.dmp
Filesize 184KB
-
memory/916-101-0x0000000001090000-0x000000000109E000-memory.dmp
Filesize 56KB
-
memory/916-100-0x0000000001080000-0x0000000001094000-memory.dmp
Filesize 80KB
-
memory/916-99-0x0000000001070000-0x0000000001080000-memory.dmp
Filesize 64KB
-
memory/916-91-0x0000000000830000-0x000000000083A000-memory.dmp
Filesize 40KB
-
memory/916-72-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/916-73-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/916-94-0x0000000000A60000-0x0000000000A6E000-memory.dmp
Filesize 56KB
-
memory/916-76-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/916-78-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/916-98-0x0000000001020000-0x0000000001034000-memory.dmp
Filesize 80KB
-
memory/916-81-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/916-83-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/916-97-0x0000000000F90000-0x0000000000F9C000-memory.dmp
Filesize 48KB
-
memory/916-96-0x0000000000DF0000-0x0000000000DFE000-memory.dmp
Filesize 56KB
-
memory/916-90-0x00000000009A0000-0x00000000009BE000-memory.dmp
Filesize 120KB
-
memory/916-95-0x0000000000DE0000-0x0000000000DF2000-memory.dmp
Filesize 72KB
-
memory/916-89-0x0000000000820000-0x000000000082A000-memory.dmp
Filesize 40KB
-
memory/1316-61-0x0000000000000000-mapping.dmp
-
memory/1588-87-0x0000000000000000-mapping.dmp
-
memory/1688-63-0x0000000000000000-mapping.dmp
-
memory/1868-60-0x0000000000000000-mapping.dmp
-
memory/1936-71-0x0000000000A90000-0x0000000000A96000-memory.dmp
Filesize 24KB
-
memory/1936-70-0x0000000000C20000-0x0000000000C3A000-memory.dmp
Filesize 104KB
-
memory/1936-69-0x0000000000690000-0x00000000006C4000-memory.dmp
Filesize 208KB
-
memory/1936-67-0x00000000012A0000-0x0000000001334000-memory.dmp
Filesize 592KB
-
memory/1936-64-0x0000000000000000-mapping.dmp
-
memory/1940-85-0x0000000000000000-mapping.dmp
-
memory/1988-62-0x0000000000000000-mapping.dmp
-
memory/2016-55-0x0000000075A71000-0x0000000075A73000-memory.dmp
Filesize 8KB
-
memory/2016-56-0x0000000000AE0000-0x0000000000B14000-memory.dmp
Filesize 208KB
-
memory/2016-54-0x0000000000E90000-0x0000000000F24000-memory.dmp
Filesize 592KB
-
memory/2016-57-0x00000000005F0000-0x0000000000608000-memory.dmp
Filesize 96KB