Analysis

max time kernel: 151s
max time network: 169s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2022 06:25
Static task: static1
Behavioral task: behavioral1
Sample: Payment Order.exe
Resource: win7-20220812-en
General

Target: Payment Order.exe
Size: 1.0MB
MD5: 11711e45cabcdda6408597a44517c9aa
SHA1: 087d435882f0fca5b85ab34d981814ea8e5f4bad
SHA256: 73e0cfe89cdb7759de8338d0174f721d8ae60539e5ea8f5236548de0513b5054
SHA512: 9694cacd6759dfba4fec7cfdd6bdabc6f22edf3d1702dfe61dd4afbda3f1e2e56986873153977f28b29bbde75274231a2e4b555b94e13157bcf84085ea0c63e6
SSDEEP: 12288:W8qK4HTNcD9wIZbySXVNrY9oJ2UfDRqKgUm4KR2YQqwMd1ndT:WMD9jXXRDcym4g2YQ6vT
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: tochi.ddns.net:1177, 127.0.0.1:1177
Mutex: 5640475c-30f6-4f19-b86f-d53c3910bce7

activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 37.235.1.177
buffer_size: 65535
build_time: 2022-07-02T08:25:26.509790436Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1177
default_group: money transfer
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 5640475c-30f6-4f19-b86f-d53c3910bce7
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: tochi.ddns.net
primary_dns_server: 37.235.1.174
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 37.235.1.174
Destination IP | 37.235.1.177

Adds Run key to start application 2 TTPs 1 IoCs
Processes: Payment Order.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | Payment Order.exe

Checks whether UAC is enabled 1 IoCs
Processes: Payment Order.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Payment Order.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: Payment Order.exe
description | pid | process | target process
PID 968 set thread context of 620 | 968 | Payment Order.exe | Payment Order.exe

Drops file in Program Files directory 2 IoCs
Processes: Payment Order.exe
description | ioc | process
File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | Payment Order.exe
File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | Payment Order.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: powershell.exe, Payment Order.exe
pid | process
1524 | powershell.exe
620 | Payment Order.exe
620 | Payment Order.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, Payment Order.exe
description | pid | process
Token: SeDebugPrivilege | 1524 | powershell.exe
Token: SeDebugPrivilege | 620 | Payment Order.exe

Suspicious use of WriteProcessMemory 17 IoCs
Processes: Payment Order.exe
description | pid | process | target process | occurrences
PID 968 wrote to memory of 1524 | 968 | Payment Order.exe | powershell.exe | 4
PID 968 wrote to memory of 1764 | 968 | Payment Order.exe | schtasks.exe | 4
PID 968 wrote to memory of 620 | 968 | Payment Order.exe | Payment Order.exe | 9
Processes (indented entries are children of the depth-1 process)

[depth 1] C:\Users\Admin\AppData\Local\Temp\Payment Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DSjOgD.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DSjOgD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60F5.tmp"
    - Creates scheduled task(s)

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Payment Order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Order.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp60F5.tmp
Filesize: 1KB
MD5: 3e56651565811eb3dbe637724757c254
SHA1: fd28675447e9a846a2669d66c14e0dff0fb37cd0
SHA256: ab01df1feb8bc3c6523e253affeab5d65c8ac04707e8901b1e306fc669aef088
SHA512: 24acee9ca1beb9a1b533ee018f4f39c7a3bf67b5e6de7be47b5454442652c9f4e7fad660895c99c676bfbc10beb9c1a48f82c945df39d4946d9375f944562c4d

Memory dumps
path | filesize
memory/620-69-0x000000000041E792-mapping.dmp |
memory/620-76-0x0000000074840000-0x0000000074DEB000-memory.dmp | 5.7MB
memory/620-66-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/620-68-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/620-71-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/620-73-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/620-62-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/620-63-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/620-78-0x0000000074840000-0x0000000074DEB000-memory.dmp | 5.7MB
memory/620-65-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
memory/968-56-0x0000000074840000-0x0000000074DEB000-memory.dmp | 5.7MB
memory/968-54-0x0000000075501000-0x0000000075503000-memory.dmp | 8KB
memory/968-55-0x0000000074840000-0x0000000074DEB000-memory.dmp | 5.7MB
memory/968-74-0x0000000074840000-0x0000000074DEB000-memory.dmp | 5.7MB
memory/1524-61-0x0000000074840000-0x0000000074DEB000-memory.dmp | 5.7MB
memory/1524-77-0x0000000074840000-0x0000000074DEB000-memory.dmp | 5.7MB
memory/1524-57-0x0000000000000000-mapping.dmp |
memory/1764-58-0x0000000000000000-mapping.dmp |