Analysis
- max time kernel: 158s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 06:25
- Static task: static1
- Behavioral task: behavioral1 (Sample: Payment Order.exe, Resource: win7-20220812-en)
General
- Target: Payment Order.exe
- Size: 1.0MB
- MD5: 11711e45cabcdda6408597a44517c9aa
- SHA1: 087d435882f0fca5b85ab34d981814ea8e5f4bad
- SHA256: 73e0cfe89cdb7759de8338d0174f721d8ae60539e5ea8f5236548de0513b5054
- SHA512: 9694cacd6759dfba4fec7cfdd6bdabc6f22edf3d1702dfe61dd4afbda3f1e2e56986873153977f28b29bbde75274231a2e4b555b94e13157bcf84085ea0c63e6
- SSDEEP: 12288:W8qK4HTNcD9wIZbySXVNrY9oJ2UfDRqKgUm4KR2YQqwMd1ndT:WMD9jXXRDcym4g2YQ6vT
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: tochi.ddns.net:1177, 127.0.0.1:1177
- Mutex: 5640475c-30f6-4f19-b86f-d53c3910bce7
Attributes:
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 37.235.1.177
- buffer_size: 65535
- build_time: 2022-07-02T08:25:26.509790436Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1177
- default_group: money transfer
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760 bytes, 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760 bytes, 10 MiB)
- mutex: 5640475c-30f6-4f19-b86f-d53c3910bce7
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: tochi.ddns.net
- primary_dns_server: 37.235.1.174
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Notes on the extracted values: the backup host 127.0.0.1 is a builder placeholder, so the only actionable C2 is tochi.ddns.net on TCP port 1177 (a dynamic DNS name, so pivot on the hostname rather than a resolved address). The two DNS server fields, 37.235.1.174 and 37.235.1.177, are the same addresses that appear in the "Unexpected DNS network traffic destination" signature below, even though use_custom_dns_server is false. The mutex GUID is reused as the sample's identifier and is a usable host-side indicator.
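The following is an added example, not part of the sandbox report: it parses NanoCore config fields of the kind listed above into typed values and derives the indicators a hunter can pivot on, dropping loopback placeholders. CONFIG_TEXT is constructed from the values on this page in "key = value" form (only a subset of the fields); the field names come from the extraction above, not from any library or NanoCore API.

```python
"""Parse NanoCore config fields into typed values and derive hunting IOCs.
Added example; CONFIG_TEXT is constructed from the values in this report."""
import ipaddress
import re

# Constructed from this page's extracted config (subset of fields).
CONFIG_TEXT = """\
activate_away_mode = true
backup_connection_host = 127.0.0.1
backup_dns_server = 37.235.1.177
buffer_size = 65535
bypass_user_account_control = true
bypass_user_account_control_data =
connection_port = 1177
default_group = money transfer
gc_threshold = 1.048576e+07
max_packet_size = 1.048576e+07
mutex = 5640475c-30f6-4f19-b86f-d53c3910bce7
primary_connection_host = tochi.ddns.net
primary_dns_server = 37.235.1.174
run_on_startup = false
use_custom_dns_server = false
version = 1.2.2.0
"""

_INT = re.compile(r"-?\d+")
_FLOAT = re.compile(r"-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?")


def _coerce(raw):
    """true/false -> bool, integers -> int, whole-valued floats -> int (the
    sandbox prints 10 MiB as 1.048576e+07); anything else stays a string,
    so dotted values like 1.2.2.0 or an IPv4 address are not mangled."""
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    if _INT.fullmatch(raw):
        return int(raw)
    if _FLOAT.fullmatch(raw):
        f = float(raw)
        return int(f) if f.is_integer() else f
    return raw


def parse_config(text):
    """Turn 'key = value' lines into a dict of typed values."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = _coerce(value.strip())
    return cfg


def _is_placeholder(host):
    """127.0.0.1 / 0.0.0.0 / localhost in a C2 slot is a builder default, not an IOC."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "" or host.lower() == "localhost"
    return ip.is_loopback or ip.is_unspecified


def derive_iocs(cfg):
    """Split the config into pivotable indicators, recording what was dropped."""
    port = cfg["connection_port"]
    hosts = [cfg.get("primary_connection_host", ""), cfg.get("backup_connection_host", "")]
    c2 = [(h, port) for h in hosts if not _is_placeholder(h)]
    dropped = [h for h in hosts if _is_placeholder(h)]
    # Keep the custom DNS servers even when use_custom_dns_server is false:
    # this report logged DNS-port traffic to exactly these two addresses.
    dns = sorted({cfg[k] for k in ("primary_dns_server", "backup_dns_server") if cfg.get(k)})
    return {
        "c2": c2,
        "placeholders_dropped": dropped,
        "dns_servers": dns,
        "mutex": cfg["mutex"],
        "campaign_group": cfg["default_group"],
        "version": cfg["version"],
        "uac_bypass": cfg.get("bypass_user_account_control", False),
    }


if __name__ == "__main__":
    for k, v in derive_iocs(parse_config(CONFIG_TEXT)).items():
        print(f"{k}: {v}")
```

The type coercion matters when these values feed a rule engine: comparing the sandbox's 1.048576e+07 as a string would never match a 10485760 byte threshold, and treating 1.2.2.0 as a number would silently corrupt the version.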
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- Payment Order.exe: Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation

Unexpected DNS network traffic destination (4 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
IoCs:
- Destination IP 37.235.1.177 (2x)
- Destination IP 37.235.1.174 (2x)
Both addresses are the primary_dns_server and backup_dns_server values from the extracted config.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Payment Order.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"

Checks whether UAC is enabled
Processes:
- Payment Order.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 4892 (Payment Order.exe) set thread context of PID 4224 (Payment Order.exe)

Drops file in Program Files directory (2 IoCs)
Processes:
- Payment Order.exe: File created C:\Program Files (x86)\AGP Monitor\agpmon.exe
- Payment Order.exe: File opened for modification C:\Program Files (x86)\AGP Monitor\agpmon.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for this sample the extracted config identifies NanoCore, a RAT, so the generic note should not be read as evidence of ransomware.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
- PID 1880 powershell.exe (2x)
- PID 4224 Payment Order.exe (3x)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 4224 Payment Order.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 1880 powershell.exe: Token: SeDebugPrivilege
- PID 4224 Payment Order.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
- PID 4892 (Payment Order.exe) wrote to memory of PID 1880 powershell.exe (3x)
- PID 4892 (Payment Order.exe) wrote to memory of PID 4260 schtasks.exe (3x)
- PID 4892 (Payment Order.exe) wrote to memory of PID 4224 Payment Order.exe (8x)
Writing eight times into a second instance of its own image (PID 4224) and then setting that process's thread context is the sequence used by process hollowing; the 224KB dump of 0x400000-0x438000 from PID 4224 listed under Downloads is the region to examine for the injected payload.
Processes
- PID 4892: C:\Users\Admin\AppData\Local\Temp\Payment Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Order.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - PID 1880: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DSjOgD.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - PID 4260: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DSjOgD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp"
    - Creates scheduled task(s)
  - PID 4224: C:\Users\Admin\AppData\Local\Temp\Payment Order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Order.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
The command lines name System32 while the images resolve under SysWOW64: the parent is a 32-bit process, so WOW64 file system redirection applies. The Defender exclusion and the scheduled task both use the name DSjOgD, while the persistence actually observed is the "AGP Monitor" Run key written by the child; the task XML (tmpE436.tmp) is hashed under Downloads but its contents are not shown in this report.
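Detection logic for the behaviours in this report, as an added example that is not part of the sandbox output: it runs four rules over constructed Sysmon-style events (process creation with command line, registry value set, network connection), mirroring the process tree and signatures above, and then attributes findings to the root of each process chain so that a loader spawning a Defender-exclusion PowerShell, a schtasks /XML import from Temp, and a child that writes a Run key and talks to unexpected DNS servers stands out as one chain. The event dicts, the field names (lowercase Sysmon-like keys) and the resolver set 10.0.0.2 are assumptions made for the example.

```python
"""Rules for the behaviours in this report over constructed Sysmon-style
events. Added example; events and field names are hypothetical sample data."""
import re
from collections import defaultdict

# Constructed events mirroring this page's process tree and signatures.
# id 1 = process create, id 13 = registry value set, id 3 = network connect.
EVENTS = [
    {"id": 1, "pid": 4892, "image": r"C:\Users\Admin\AppData\Local\Temp\Payment Order.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Payment Order.exe"'},
    {"id": 1, "pid": 1880, "ppid": 4892,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
            r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\DSjOgD.exe"'},
    {"id": 1, "pid": 4260, "ppid": 4892, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DSjOgD" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp"'},
    {"id": 1, "pid": 4224, "ppid": 4892, "image": r"C:\Users\Admin\AppData\Local\Temp\Payment Order.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Payment Order.exe"'},
    {"id": 13, "pid": 4224,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor",
     "details": r"C:\Program Files (x86)\AGP Monitor\agpmon.exe"},
    {"id": 3, "pid": 4224, "dst_ip": "37.235.1.177", "dst_port": 53},
    {"id": 3, "pid": 4224, "dst_ip": "37.235.1.174", "dst_port": 53},
    {"id": 3, "pid": 4224, "dst_ip": "10.0.0.2", "dst_port": 53},  # assumed lab resolver, benign
]
# Assumption: resolvers handed out on the lab network; any other :53 peer is unexpected.
CONFIGURED_RESOLVERS = {"10.0.0.2"}

DEFENDER_EXCL = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)
SCHTASKS_XML = re.compile(r"/Create\b.*/XML\s+\"?[^\"]*\\AppData\\Local\\Temp\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)


def detect(events, resolvers=CONFIGURED_RESOLVERS):
    """Return one (rule, pid, evidence) finding per matching event."""
    findings = []
    for e in events:
        if e["id"] == 1:
            img = e["image"].lower()
            if img.endswith("powershell.exe") and DEFENDER_EXCL.search(e["cmd"]):
                findings.append(("defender_exclusion", e["pid"], e["cmd"]))
            elif img.endswith("schtasks.exe") and SCHTASKS_XML.search(e["cmd"]):
                findings.append(("schtasks_xml_from_temp", e["pid"], e["cmd"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            findings.append(("run_key_persistence", e["pid"], f'{e["target"]} = {e["details"]}'))
        elif e["id"] == 3 and e["dst_port"] == 53 and e["dst_ip"] not in resolvers:
            findings.append(("unexpected_dns_destination", e["pid"], e["dst_ip"]))
    return findings


def chain_scores(events, findings):
    """Map each finding to the root of its process chain (walking ppid links
    from process-create events) and count distinct rules per root."""
    parent = {e["pid"]: e["ppid"] for e in events if e["id"] == 1 and "ppid" in e}

    def root(pid):
        seen = set()
        while pid in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    rules_by_root = defaultdict(set)
    for rule, pid, _ in findings:
        rules_by_root[root(pid)].add(rule)
    return {r: len(rules) for r, rules in rules_by_root.items()}


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, evidence in found:
        print(f"{rule:28} pid={pid} {evidence}")
    print("distinct rules per chain root:", chain_scores(EVENTS, found))
```

Each rule on its own is noisy in an enterprise (administrators add Defender exclusions, installers write Run keys); the chain score is what turns them into an alert: four distinct rules under one root, here PID 4892, is the loader-plus-payload pattern this report shows.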
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Order.exe.log
  Filesize: 673B
  MD5: a70f4eab0c307df43fba00d5b8dc3812
  SHA1: 49eea64ec436e38436e94b3dbdc0761156f8fb11
  SHA256: 24530a8c840eaef5c9d7ca6d9f4124b80fd40b24eb2688b2085e875be349d325
  SHA512: 7340ce7c58745b1e568147d2abe2bb7df3d699471b6710af0d6d9d37ac3cebbe75b121cb84dddc544e7c42a8999ff798f393aeca657a3b8210b7d04c25435730
- C:\Users\Admin\AppData\Local\Temp\tmpE436.tmp
  Filesize: 1KB
  MD5: 8ef907c72d3812a2a9721c7a2223fe9c
  SHA1: 363fdeb4b502681e14e221119397c7b8b201a34c
  SHA256: 96052d4e49cc8534e59cb83752a2f5a0828454854b660004e44031ed5598a20c
  SHA512: a6c940bf556fe31857d7096ecc33ef2caaa638a40ba7dfad1ee8e8e202cf9b9186caba5734e2031fb203ceb550f68303ef055080413f08a9a56f8d3e3622da98
The CLR_v2.0_32 UsageLogs entry shows the sample executed as a 32-bit .NET Framework 2.0/3.5 assembly; tmpE436.tmp is the task definition imported by the schtasks.exe /XML command in the process tree.
Memory dumps (pid-sequence-range, grouped by process):
- memory/1880-134-0x0000000000000000-mapping.dmp
- memory/1880-141-0x0000000004600000-0x0000000004636000-memory.dmp: 216KB
- memory/1880-142-0x0000000004D20000-0x0000000005348000-memory.dmp: 6.2MB
- memory/1880-144-0x0000000005350000-0x0000000005372000-memory.dmp: 136KB
- memory/1880-145-0x00000000053F0000-0x0000000005456000-memory.dmp: 408KB
- memory/1880-146-0x0000000005460000-0x00000000054C6000-memory.dmp: 408KB
- memory/1880-148-0x0000000004980000-0x000000000499E000-memory.dmp: 120KB
- memory/1880-149-0x00000000060F0000-0x0000000006122000-memory.dmp: 200KB
- memory/1880-150-0x000000006F270000-0x000000006F2BC000-memory.dmp: 304KB
- memory/1880-151-0x0000000006130000-0x000000000614E000-memory.dmp: 120KB
- memory/1880-152-0x00000000074D0000-0x0000000007B4A000-memory.dmp: 6.5MB
- memory/1880-153-0x0000000005B60000-0x0000000005B7A000-memory.dmp: 104KB
- memory/1880-154-0x0000000006ED0000-0x0000000006EDA000-memory.dmp: 40KB
- memory/1880-155-0x00000000070E0000-0x0000000007176000-memory.dmp: 600KB
- memory/1880-156-0x0000000007090000-0x000000000709E000-memory.dmp: 56KB
- memory/1880-157-0x00000000071A0000-0x00000000071BA000-memory.dmp: 104KB
- memory/1880-158-0x0000000007180000-0x0000000007188000-memory.dmp: 32KB
- memory/4224-137-0x0000000000000000-mapping.dmp
- memory/4224-138-0x0000000000400000-0x0000000000438000-memory.dmp: 224KB
- memory/4224-143-0x0000000075210000-0x00000000757C1000-memory.dmp: 5.7MB
- memory/4224-147-0x0000000075210000-0x00000000757C1000-memory.dmp: 5.7MB
- memory/4260-135-0x0000000000000000-mapping.dmp
- memory/4892-132-0x0000000075210000-0x00000000757C1000-memory.dmp: 5.7MB
- memory/4892-133-0x0000000075210000-0x00000000757C1000-memory.dmp: 5.7MB
- memory/4892-140-0x0000000075210000-0x00000000757C1000-memory.dmp: 5.7MB