Analysis

Max time kernel: 91s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-09-2022 05:46

Static task: static1
Behavioral task: behavioral1
Sample: remittance.exe
Resource: win7-20220812-en
General

Target: remittance.exe
Size: 1.0MB
MD5: 31c5c19e5cbf0993baeef892e8f73ada
SHA1: 3f39dd3802f34e7f0b8d307a5aa31daac779c3c8
SHA256: b9b9fa184afcfe0808c76a42a44a22e960d0283cf763c120be371122d0de8174
SHA512: 083b584a585fc100ee3619ad31042d0b9188e2bf81ec3f178fb2e89a2854af30d57adef2e59e46e48f0a6abfd951706d5dee52d9479f4c12317dd0fdf2e4fe86
SSDEEP: 12288:BGVMmLXxPgZ8Uqcozk9h5uRsOLNoJ86aA/qoUmdaee/QCaCNqGVM9d4dIw8:B1mRgZjqco49hKssoJ8tydLC/VIdkIt
Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: brightnano1.ddns.net:1989, 171.22.30.97:1989
Mutex: fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe

Attributes:
activate_away_mode: true
backup_connection_host: 171.22.30.97
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-06-10T14:34:05.030247036Z
bypass_user_account_control: false
bypass_user_account_control_data: (value removed from source)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1989
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: brightnano1.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  remittance.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  remittance.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"

Checks whether UAC is enabled
Processes:
  remittance.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
Processes:
  remittance.exe (PID 5096) set thread context of remittance.exe (PID 4880)

Drops file in Program Files directory (2 IoCs)
Processes:
  remittance.exe
    File created: C:\Program Files (x86)\AGP Monitor\agpmon.exe
    File opened for modification: C:\Program Files (x86)\AGP Monitor\agpmon.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  schtasks.exe (PID 1884)
  schtasks.exe (PID 1292)
  schtasks.exe (PID 3468)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  remittance.exe (PID 5096), 2 occurrences
  remittance.exe (PID 4880), 6 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  remittance.exe (PID 4880)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  remittance.exe (PID 5096): Token: SeDebugPrivilege
  remittance.exe (PID 4880): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (20 IoCs)
Processes:
  remittance.exe (PID 5096) wrote to memory of schtasks.exe (PID 3468), 3 occurrences
  remittance.exe (PID 5096) wrote to memory of remittance.exe (PID 2596), 3 occurrences
  remittance.exe (PID 5096) wrote to memory of remittance.exe (PID 4880), 8 occurrences
  remittance.exe (PID 4880) wrote to memory of schtasks.exe (PID 1884), 3 occurrences
  remittance.exe (PID 4880) wrote to memory of schtasks.exe (PID 1292), 3 occurrences
Processes

C:\Users\Admin\AppData\Local\Temp\remittance.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\remittance.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QgSBwlYTdt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD55.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\remittance.exe  (depth 2)
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\remittance.exe  (depth 2)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (depth 3)
      Command line: "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE1F8.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe  (depth 3)
      Command line: "schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE276.tmp"
      - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remittance.exe.log
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

C:\Users\Admin\AppData\Local\Temp\tmpDD55.tmp
  Filesize: 1KB
  MD5: 8b3310d46caf32eaddc990f12ca1dc47
  SHA1: a217d37fefd5f6dd79e5440097265d43f0065b01
  SHA256: 71b596c094b192aacc93c31f762fcf60805e13cc7dbf51c42f4dcdb3de8e26b9
  SHA512: a09e23596216fda8c7adbe73aa60592d9ea5e5debddd72dbcaa45ee4d12bde295f00767ecb016153b082d4dcbba89fb2c35cc32f2cc245bb75137752c58c41dc

C:\Users\Admin\AppData\Local\Temp\tmpE1F8.tmp
  Filesize: 1KB
  MD5: 5b40c05ffe47a1227d3db2c56517ecfe
  SHA1: 1ea3f663140e2e90ec188487d5e18b038d193f74
  SHA256: a99d30fe31f4a0b49cf83dd407130c99a8b54d8637efcedcac84a4ff2b19953f
  SHA512: 3a641ceb180611a778ada9403bb5e8edab66efee93851ee95033013571a43f2f13b5e3b140d1812128d8203052e4a8c603603a91c3b7c73edd62dc246e55691c

C:\Users\Admin\AppData\Local\Temp\tmpE276.tmp
  Filesize: 1KB
  MD5: 157cd55403665c49c9fd3ca1196c4397
  SHA1: 4feed6e606b41bb617274471349582963182756b
  SHA256: 49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e
  SHA512: bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8

Memory dumps:
memory/1292-145-0x0000000000000000-mapping.dmp
memory/1884-143-0x0000000000000000-mapping.dmp
memory/2596-139-0x0000000000000000-mapping.dmp
memory/3468-137-0x0000000000000000-mapping.dmp
memory/4880-140-0x0000000000000000-mapping.dmp
memory/4880-141-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/4880-147-0x00000000075D0000-0x0000000007636000-memory.dmp (Filesize: 408KB)
memory/5096-132-0x0000000000190000-0x000000000029A000-memory.dmp (Filesize: 1.0MB)
memory/5096-136-0x0000000004B00000-0x0000000004B0A000-memory.dmp (Filesize: 40KB)
memory/5096-135-0x0000000004C40000-0x0000000004CDC000-memory.dmp (Filesize: 624KB)
memory/5096-134-0x0000000004BA0000-0x0000000004C32000-memory.dmp (Filesize: 584KB)
memory/5096-133-0x00000000050B0000-0x0000000005654000-memory.dmp (Filesize: 5.6MB)