Analysis
- max time kernel: 100s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-09-2022 15:56

Static task: static1
Behavioral task: behavioral1
Sample: Payment Invoice.exe
Resource: win7-20220812-en

General
- Target: Payment Invoice.exe
- Size: 875KB
- MD5: 2a7f904046d84e1e7357e1e2a25c4d6a
- SHA1: 21295c64773194b68011c56239d2f2eaff1bad84
- SHA256: 5dd503490af8829d84dcf61f1b829b3a26eb0f9fdf807b49d9b606cd6e2ff974
- SHA512: 5c9e981427fc57aa40a6742fe21bf79b7f84ffaf032a9905d32c960b24566a64ad32753c2688e04221bbe4f4d7016df03e5c25340a3245cea1cb1d3b4d29ff81
- SSDEEP: 12288:tFnv6yVmzuaXM8FZF61P+XLoykU6hfWxvWVpPOBJl7qZIm:jd0zlzFpkykUmuKPwi
Malware Config
Extracted
nanocore
1.2.2.0
story.servepics.com:22
85.31.46.207:22
cd820fe9-0080-4a6b-9ac2-42543933ee09
- activate_away_mode: true
- backup_connection_host: 85.31.46.207
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-07-01T16:11:50.181051836Z
- bypass_user_account_control: true
- bypass_user_account_control_data
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 22
- default_group: Blessed
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: cd820fe9-0080-4a6b-9ac2-42543933ee09
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: story.servepics.com
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
Checks whether UAC is enabled
Processes:
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Payment Invoice.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                           pid    process               target process
  PID 1964 set thread context of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
  pid    process
  1320   powershell.exe
  1280   powershell.exe
  1632   Payment Invoice.exe
  1632   Payment Invoice.exe
  1632   Payment Invoice.exe
  1632   Payment Invoice.exe
  1632   Payment Invoice.exe
  1632   Payment Invoice.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid    process
  1632   Payment Invoice.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1280   powershell.exe
  Token: SeDebugPrivilege   1320   powershell.exe
  Token: SeDebugPrivilege   1632   Payment Invoice.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description                        pid    process               target process
  PID 1964 wrote to memory of 1320   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 1320   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 1320   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 1320   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 1280   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 1280   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 1280   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 1280   1964   Payment Invoice.exe   powershell.exe
  PID 1964 wrote to memory of 2004   1964   Payment Invoice.exe   schtasks.exe
  PID 1964 wrote to memory of 2004   1964   Payment Invoice.exe   schtasks.exe
  PID 1964 wrote to memory of 2004   1964   Payment Invoice.exe   schtasks.exe
  PID 1964 wrote to memory of 2004   1964   Payment Invoice.exe   schtasks.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
  PID 1964 wrote to memory of 1632   1964   Payment Invoice.exe   Payment Invoice.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\edRwRca.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\edRwRca" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD24E.tmp"
    - Creates scheduled task(s)

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD24E.tmp
  Filesize: 1KB
  MD5: e9ff3045a6da106be4898913bf389e05
  SHA1: b316eb9400bbbabee226f64d0691ee0a5efb61af
  SHA256: ebbb5533d5b918de8a2a2c100df02bc217677585abc1657116938544a28f2a9b
  SHA512: 7ce259f7bfe5e2e98142f1544a1d11dc6d54cda68a5b59eceab15fc12147bf5b00ef0859dde39520f02284b9bf944d73bb4a622c8bf46c86dc1f363091ff439f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: cbf923fb744d1f2e70c3b50e79fbbf27
  SHA1: a1f9c955d8b8b6953fd9c2d86e3c32a0a07df806
  SHA256: c49ca7b2a1c9ee2a52c385b1357eb4ac28b3f6de7c9eaa17ef27fdf39b3786fa
  SHA512: e173373bd070caa2c9296a8d16217097a1831e17874cfe3fcb92053c7c958187527d9bc284b5316d76059140d48dcd8917a7510014d30d6eceb1aa5f195ff3ae
- memory/1280-90-0x000000006F2A0000-0x000000006F84B000-memory.dmp
  Filesize: 5.7MB
- memory/1280-83-0x000000006F2A0000-0x000000006F84B000-memory.dmp
  Filesize: 5.7MB
- memory/1280-61-0x0000000000000000-mapping.dmp
- memory/1320-88-0x000000006F2A0000-0x000000006F84B000-memory.dmp
  Filesize: 5.7MB
- memory/1320-84-0x000000006F2A0000-0x000000006F84B000-memory.dmp
  Filesize: 5.7MB
- memory/1320-59-0x0000000000000000-mapping.dmp
- memory/1632-78-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1632-85-0x00000000009B0000-0x00000000009C2000-memory.dmp
  Filesize: 72KB
- memory/1632-97-0x0000000000FA0000-0x0000000000FCE000-memory.dmp
  Filesize: 184KB
- memory/1632-67-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1632-68-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1632-70-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1632-71-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1632-73-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1632-74-0x000000000041E792-mapping.dmp
- memory/1632-76-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1632-98-0x0000000000F40000-0x0000000000F54000-memory.dmp
  Filesize: 80KB
- memory/1632-80-0x0000000000910000-0x000000000091A000-memory.dmp
  Filesize: 40KB
- memory/1632-81-0x0000000000980000-0x000000000099E000-memory.dmp
  Filesize: 120KB
- memory/1632-82-0x0000000000920000-0x000000000092A000-memory.dmp
  Filesize: 40KB
- memory/1632-96-0x0000000000F20000-0x0000000000F2E000-memory.dmp
  Filesize: 56KB
- memory/1632-95-0x0000000000CF0000-0x0000000000D04000-memory.dmp
  Filesize: 80KB
- memory/1632-86-0x0000000000A10000-0x0000000000A2A000-memory.dmp
  Filesize: 104KB
- memory/1632-94-0x0000000000B60000-0x0000000000B70000-memory.dmp
  Filesize: 64KB
- memory/1632-93-0x0000000000B50000-0x0000000000B64000-memory.dmp
  Filesize: 80KB
- memory/1632-87-0x0000000000AF0000-0x0000000000AFE000-memory.dmp
  Filesize: 56KB
- memory/1632-92-0x0000000000B40000-0x0000000000B4C000-memory.dmp
  Filesize: 48KB
- memory/1632-89-0x0000000000B20000-0x0000000000B32000-memory.dmp
  Filesize: 72KB
- memory/1632-91-0x0000000000B30000-0x0000000000B3E000-memory.dmp
  Filesize: 56KB
- memory/1964-55-0x0000000076411000-0x0000000076413000-memory.dmp
  Filesize: 8KB
- memory/1964-56-0x0000000000440000-0x0000000000456000-memory.dmp
  Filesize: 88KB
- memory/1964-57-0x0000000000450000-0x000000000045C000-memory.dmp
  Filesize: 48KB
- memory/1964-58-0x0000000007D10000-0x0000000007DA4000-memory.dmp
  Filesize: 592KB
- memory/1964-54-0x0000000000FE0000-0x00000000010C0000-memory.dmp
  Filesize: 896KB
- memory/1964-66-0x0000000004C70000-0x0000000004CAA000-memory.dmp
  Filesize: 232KB
- memory/2004-62-0x0000000000000000-mapping.dmp