Analysis
-
max time kernel
121s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20220901-en
-
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
-
submitted
07-10-2022 02:31
Static task
static1
Behavioral task
behavioral1
Sample
Payment Advice.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Payment Advice.exe
Resource
win10v2004-20220812-en
General
-
Target
Payment Advice.exe
-
Size
1.0MB
-
MD5
232a09bfbb394ed852834398426a7802
-
SHA1
800229b32cd515d318fe79a3839783b1339064c1
-
SHA256
f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
-
SHA512
fd6e1f23769d9712d02bb4ff56bb374f22a8c048c0410af1ad5e8cbc1f823007630257d2304b6ed26cd6331deae43899728a610551e5149da41f675dced00acc
-
SSDEEP
12288:b8mAF94vNMpuKh1O8qrAot6ZMP5CxFBXpAFyDGNOSH+JoDNyADqjJ5nXOc1uqBnt:bWFCvOON6MxgNAsGNOSeWBUjrXOc
Malware Config
Extracted
nanocore
1.2.2.0
brewsterchristophe.ddns.net:5899
194,147,5,75:5899
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
-
activate_away_mode
true
-
backup_connection_host
194,147,5,75
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-04-29T03:26:40.572298236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
(value not reproduced in this copy of the report)
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
5899
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
10485760
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
10485760
-
mutex
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
brewsterchristophe.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
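The extracted config is enough for network blocking and host hunting on its own. Two settings matter for response: set_critical_process is true, which NanoCore uses to mark its process as critical so that terminating it bugchecks the machine, so clear that flag or suspend the process before killing it; and run_on_startup is false even though the Signatures section below records a Run key and scheduled tasks, so hunt on the observed artifacts rather than on the config flag. The script below is an added example, not the sandbox's extractor or NanoCore code: it parses the report's key / value / "-" layout into an indicator set. CONFIG_TEXT is a copy of part of the block above; the backup host is printed with commas in the report, and normalising it to the dotted-quad 194.147.5.75 is an assumption that the extractor rendered an IPv4 address that way.

```python
"""Turn the NanoCore config printed in this report into an indicator set.
Added example; CONFIG_TEXT is copied from the report's key/value block and
the comma-separated backup host is normalised on the assumption that it is
an IPv4 address mangled by the extractor's number formatting."""
import ipaddress
import re

# Subset of the report's config block, in its own key / value / "-" layout.
CONFIG_TEXT = """\
primary_connection_host
brewsterchristophe.ddns.net
-
backup_connection_host
194,147,5,75
-
connection_port
5899
-
mutex
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
-
run_on_startup
false
-
set_critical_process
true
-
keyboard_logging
false
-
version
1.2.2.0
"""

_COMMA_IPV4 = re.compile(r"^\d{1,3}(,\d{1,3}){3}$")


def parse_config(text):
    """Pair each key line with the value line after it, skipping "-" separators."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    if len(lines) % 2:
        raise ValueError("config block has a key without a value")
    return dict(zip(lines[0::2], lines[1::2]))


def normalise_host(raw):
    """Return ('ip', dotted-quad) or ('domain', lowercase name). A comma-separated
    quad is assumed (see lead-in) to be an IPv4 address printed with commas."""
    candidate = raw.replace(",", ".") if _COMMA_IPV4.match(raw) else raw
    try:
        return "ip", str(ipaddress.ip_address(candidate))
    except ValueError:
        return "domain", raw.lower()


def to_bool(value):
    return value.strip().lower() == "true"


def extract_iocs(cfg):
    """Build the network and host indicators a responder would act on."""
    port = int(cfg["connection_port"])
    c2 = []
    for key in ("primary_connection_host", "backup_connection_host"):
        if cfg.get(key):
            kind, value = normalise_host(cfg[key])
            c2.append({"kind": kind, "value": value, "port": port})
    return {
        "family": "nanocore",
        "version": cfg.get("version"),
        "c2": c2,
        "mutex": cfg["mutex"],
        # A process that marked itself critical bugchecks the host when killed;
        # the responder must clear the flag or suspend it before terminating.
        "critical_process": to_bool(cfg.get("set_critical_process", "false")),
        "keylogger_enabled": to_bool(cfg.get("keyboard_logging", "false")),
    }


def c2_pairs(cfg_text=CONFIG_TEXT):
    """(host, port) tuples ready for a firewall or DNS blocklist."""
    iocs = extract_iocs(parse_config(cfg_text))
    return [(entry["value"], entry["port"]) for entry in iocs["c2"]]


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(parse_config(CONFIG_TEXT)), indent=2))
```

The mutex is worth keeping as a host indicator in its own right: it is the same GUID the config header lists as the build identifier, so a process holding it on a machine that was never supposed to run this build is a direct hit.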
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Payment Advice.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"
  process: Payment Advice.exe
-
Checks whether UAC is enabled 1 IoCs
Processes: Payment Advice.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Payment Advice.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Payment Advice.exe
  description: PID 1380 set thread context of 2016
  pid: 1380
  process: Payment Advice.exe
  target process: Payment Advice.exe
-
Drops file in Program Files directory 2 IoCs
Processes: Payment Advice.exe
  description: File created
  ioc: C:\Program Files (x86)\AGP Manager\agpmgr.exe
  process: Payment Advice.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\AGP Manager\agpmgr.exe
  process: Payment Advice.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature. The sample is identified as NanoCore, a RAT with remote file management, so drive enumeration here is consistent with that capability and is not on its own evidence of ransomware.)
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid 1776  schtasks.exe
  pid 1936  schtasks.exe
  pid 1364  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid 1380  Payment Advice.exe  (2 events)
  pid 2016  Payment Advice.exe  (4 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 2016  Payment Advice.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege  pid 1380  Payment Advice.exe
  Token: SeDebugPrivilege  pid 2016  Payment Advice.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description                        pid   process             target process      events
  PID 1380 wrote to memory of 1776   1380  Payment Advice.exe  schtasks.exe        4
  PID 1380 wrote to memory of 2016   1380  Payment Advice.exe  Payment Advice.exe  9
  PID 2016 wrote to memory of 1936   2016  Payment Advice.exe  schtasks.exe        4
  PID 2016 wrote to memory of 1364   2016  Payment Advice.exe  schtasks.exe        4
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe (PID 1380)
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\schtasks.exe (PID 1776)
  |     command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xWcmbnYoCxCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A32.tmp"
  |     - Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe (PID 2016)
        command line: "{path}"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\schtasks.exe
        |     command line: "schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5E66.tmp"
        |     - Creates scheduled task(s)
        |
        +-- C:\Windows\SysWOW64\schtasks.exe
              command line: "schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5F22.tmp"
              - Creates scheduled task(s)

PIDs are taken from the Signatures section (1380 set the thread context of 2016 and wrote to 1776; 2016 spawned the two remaining schtasks instances, 1936 and 1364). Two details matter when hunting: the command lines name System32\schtasks.exe or a bare schtasks.exe, but the image path is C:\Windows\SysWOW64\schtasks.exe because the sample runs as a 32-bit process (its Run key lands under Wow6432Node) and WOW64 file system redirection resolves System32 to SysWOW64 for it, so match on the SysWOW64 path; and the second Payment Advice.exe instance was launched with the literal command line "{path}", which is what the sandbox recorded, not an elision in this report.
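The Signatures and process tree above describe three behaviours worth turning into detections: a parent that writes into and sets the thread context of a child spawned from its own image (the shape behind the SetThreadContext and WriteProcessMemory signatures), schtasks.exe registering tasks from XML files in the user's temp directory, and a Run key written by a binary running out of %TEMP%. The code below is an added example, not the sandbox's signature engine. EVENTS is constructed here to mirror the report's PIDs, paths and command lines, plus a benign parent/child pair with the same image as a control; the event field names are an assumption about what a telemetry source would provide.

```python
"""Detection logic for the behaviours recorded in this report, run over
constructed telemetry. Added example; EVENTS is built here to mirror the
report's PIDs, paths and command lines, and the field names are assumed."""
import re
from collections import defaultdict

TEMP_PATH = re.compile(r"\\appdata\\local\\temp\\", re.I)
SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"?([^"]+)', re.I)

# Constructed telemetry modelled on the report. The last two records are a
# benign control: a parent and child with the same image and no injection.
EVENTS = [
    {"type": "process_create", "pid": 1380, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"},
    {"type": "process_create", "pid": 1776, "ppid": 1380,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xWcmbnYoCxCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A32.tmp"'},
    {"type": "process_create", "pid": 2016, "ppid": 1380,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe", "cmdline": '"{path}"'},
    {"type": "write_process_memory", "pid": 1380, "target_pid": 2016},
    {"type": "set_thread_context", "pid": 1380, "target_pid": 2016},
    {"type": "registry_set", "pid": 2016,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager",
     "value": r"C:\Program Files (x86)\AGP Manager\agpmgr.exe"},
    {"type": "process_create", "pid": 1936, "ppid": 2016,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5E66.tmp"'},
    {"type": "process_create", "pid": 2900, "ppid": 1000, "image": r"C:\Program Files\Tool\tool.exe"},
    {"type": "process_create", "pid": 3000, "ppid": 2900, "image": r"C:\Program Files\Tool\tool.exe"},
]


def _process_index(events):
    """pid -> image path and pid -> parent pid, from process_create records."""
    image, parent = {}, {}
    for e in events:
        if e["type"] == "process_create":
            image[e["pid"]] = e["image"]
            parent[e["pid"]] = e["ppid"]
    return image, parent


def detect_hollowing(events):
    """(source_pid, target_pid) pairs where the source both wrote into and set
    the thread context of a child it created from the same image file."""
    image, parent = _process_index(events)
    touched = defaultdict(set)
    for e in events:
        if e["type"] in ("write_process_memory", "set_thread_context"):
            touched[(e["pid"], e["target_pid"])].add(e["type"])
    return sorted(
        pair for pair, kinds in touched.items()
        if kinds >= {"write_process_memory", "set_thread_context"}
        and parent.get(pair[1]) == pair[0]
        and image.get(pair[0]) == image.get(pair[1])
    )


def detect_schtasks_from_temp(events):
    """(pid, ppid, xml_path) for schtasks.exe importing a task definition from a
    file under the user's AppData\\Local\\Temp directory."""
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith(r"\schtasks.exe"):
            continue
        m = SCHTASKS_XML.search(e.get("cmdline", ""))
        if m and TEMP_PATH.search(m.group(1)):
            hits.append((e["pid"], e["ppid"], m.group(1).strip()))
    return hits


def detect_run_key_from_temp(events):
    """(pid, value) for Run-key values written by a process whose image lives under %TEMP%."""
    image, _ = _process_index(events)
    return [
        (e["pid"], e["value"]) for e in events
        if e["type"] == "registry_set"
        and "\\currentversion\\run\\" in e["key"].lower()
        and TEMP_PATH.search(image.get(e["pid"], ""))
    ]


def run_all(events=EVENTS):
    return {
        "process_hollowing": detect_hollowing(events),
        "schtasks_xml_from_temp": detect_schtasks_from_temp(events),
        "run_key_from_temp": detect_run_key_from_temp(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

The hollowing rule deliberately requires all three conditions (memory write, thread context change, and same image for parent and child); a parent writing into a child it spawned is common for legitimate launchers, and the same-image requirement is what separates this self-injection pattern from that noise, which is why the control pair in EVENTS produces no hit.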
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp5A32.tmp
Filesize
1KB
MD5
8fc8cb65235a6e03f094b544162c001c
SHA1
e7eeca41621d12122e78a043145e80ac4beb514f
SHA256
794d5a056eae4fab6baa6c25788eb13b818bc38c0bb4b037ada8a298af1ed188
SHA512
db0b95f82dfe5726745f5416c9100d8b47a52693b826573a24b893bac9751707206b0b24f449e87be6cbcbbfde963eb0899ac40fe6d92b85832cfcfe235a9b4f
-
C:\Users\Admin\AppData\Local\Temp\tmp5E66.tmp
Filesize
1KB
MD5
458bd9bd481646fa69a54d107e96c8f9
SHA1
8c13631b59db1efcb6d33a4e40ba38614226d42a
SHA256
e196fc51e235fc106b72fe4258ce43c64b24b344c4781b6d2b0db6ab01f31c34
SHA512
266e4a2752ff6a1c78fad600d9dc74ed0946a7bfc6802bd03783360b7f5ce8ada8be0fbf0f342e81d76f74af62879ffbf2b865160e4b8d0a27c6e15f98f92171
-
C:\Users\Admin\AppData\Local\Temp\tmp5F22.tmp
Filesize
1KB
MD5
885d6dd30570594e167fadb59d9ca0ea
SHA1
9981e583644c4eb9cf5056615a0e1c2913c8983b
SHA256
7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2
SHA512
1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a
-
memory/1364-76-0x0000000000000000-mapping.dmp
-
memory/1380-55-0x0000000075A11000-0x0000000075A13000-memory.dmp
Filesize
8KB
-
memory/1380-56-0x0000000000610000-0x0000000000630000-memory.dmp
Filesize
128KB
-
memory/1380-57-0x0000000005FD0000-0x000000000605C000-memory.dmp
Filesize
560KB
-
memory/1380-58-0x0000000004810000-0x000000000484C000-memory.dmp
Filesize
240KB
-
memory/1380-54-0x0000000000A30000-0x0000000000B3A000-memory.dmp
Filesize
1.0MB
-
memory/1776-59-0x0000000000000000-mapping.dmp
-
memory/1936-74-0x0000000000000000-mapping.dmp
-
memory/2016-62-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2016-81-0x0000000000700000-0x0000000000712000-memory.dmp
Filesize
72KB
-
memory/2016-70-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2016-72-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2016-67-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2016-65-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2016-64-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2016-61-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2016-78-0x0000000000460000-0x000000000046A000-memory.dmp
Filesize
40KB
-
memory/2016-79-0x0000000000750000-0x000000000076E000-memory.dmp
Filesize
120KB
-
memory/2016-80-0x0000000000550000-0x000000000055A000-memory.dmp
Filesize
40KB
-
memory/2016-68-0x000000000041E792-mapping.dmp
-
memory/2016-82-0x0000000000950000-0x000000000096A000-memory.dmp
Filesize
104KB
-
memory/2016-83-0x00000000009C0000-0x00000000009CE000-memory.dmp
Filesize
56KB
-
memory/2016-84-0x00000000009E0000-0x00000000009F2000-memory.dmp
Filesize
72KB
-
memory/2016-85-0x00000000021D0000-0x00000000021DE000-memory.dmp
Filesize
56KB
-
memory/2016-86-0x00000000021E0000-0x00000000021EC000-memory.dmp
Filesize
48KB
-
memory/2016-87-0x00000000022A0000-0x00000000022B4000-memory.dmp
Filesize
80KB
-
memory/2016-88-0x0000000004510000-0x0000000004520000-memory.dmp
Filesize
64KB
-
memory/2016-89-0x0000000004520000-0x0000000004534000-memory.dmp
Filesize
80KB
-
memory/2016-90-0x0000000004530000-0x000000000453E000-memory.dmp
Filesize
56KB
-
memory/2016-91-0x0000000005370000-0x000000000539E000-memory.dmp
Filesize
184KB
-
memory/2016-92-0x0000000004D40000-0x0000000004D54000-memory.dmp
Filesize
80KB

The dumps to start with are the repeated 224KB captures of 0x0000000000400000-0x0000000000438000 in PID 2016: that is the image region of the child into which PID 1380 wrote and whose thread context it set (see Signatures), and the address recorded for the 2016-68 mapping, 0x000000000041E792, lies inside it. The 1.0MB dump 1380-54 (0x0000000000A30000-0x0000000000B3A000) corresponds in size to the 1.0MB sample and is the packed parent as loaded. All region sizes listed are consistent with the address ranges they are named for.