Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
24-10-2022 11:34
Static task
static1
Behavioral task
behavioral1
Sample
HSBC PAYMENT_Pdf_.exe
Resource
win7-20220901-en
General
-
Target
HSBC PAYMENT_Pdf_.exe
-
Size
816KB
-
MD5
c2b47a1bb3ff01f35b2b83b35178f194
-
SHA1
7703a484866f04fbd1ffedcbc38feefa23701e63
-
SHA256
e2cd955271edb0b25c6acdff6cd35d4ef9e74a2b84e085c83156a9cf4b4f99f8
-
SHA512
9d283c6ebaba18c3b1ef2eed0cb762cf8088b15549ace309dfc66b9ab8663927dd3da71fb8785a4838954ff2504b00baca4349d96858e59cc94ad283bec4923f
-
SSDEEP
12288:Ly10PPJaxEOCf5lpLR6AlA+4TLjtO9k9OEw94cKlwJny/pqIr8jgs:DekmME24plwJydr6gs
Malware Config
Extracted
nanocore
1.2.2.0
194.5.98.160:4090
ea2bb8b5-d2e0-4823-aedc-8aa35cc7d5c0
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-07-31T21:42:11.241839236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4090
-
default_group
OLUWAAA
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
ea2bb8b5-d2e0-4823-aedc-8aa35cc7d5c0
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
194.5.98.160
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HSBC PAYMENT_Pdf_.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe" HSBC PAYMENT_Pdf_.exe -
Processes:
HSBC PAYMENT_Pdf_.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HSBC PAYMENT_Pdf_.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
HSBC PAYMENT_Pdf_.exedescription pid process target process PID 1368 set thread context of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe -
Drops file in Program Files directory 2 IoCs
Processes:
HSBC PAYMENT_Pdf_.exedescription ioc process File created C:\Program Files (x86)\AGP Manager\agpmgr.exe HSBC PAYMENT_Pdf_.exe File opened for modification C:\Program Files (x86)\AGP Manager\agpmgr.exe HSBC PAYMENT_Pdf_.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HSBC PAYMENT_Pdf_.exepid process 896 HSBC PAYMENT_Pdf_.exe 896 HSBC PAYMENT_Pdf_.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
HSBC PAYMENT_Pdf_.exepid process 896 HSBC PAYMENT_Pdf_.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
HSBC PAYMENT_Pdf_.exedescription pid process Token: SeDebugPrivilege 896 HSBC PAYMENT_Pdf_.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
HSBC PAYMENT_Pdf_.exeHSBC PAYMENT_Pdf_.exedescription pid process target process PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 1368 wrote to memory of 896 1368 HSBC PAYMENT_Pdf_.exe HSBC PAYMENT_Pdf_.exe PID 896 wrote to memory of 824 896 HSBC PAYMENT_Pdf_.exe schtasks.exe PID 896 wrote to memory of 824 896 HSBC PAYMENT_Pdf_.exe schtasks.exe PID 896 wrote to memory of 824 896 HSBC PAYMENT_Pdf_.exe schtasks.exe PID 896 wrote to memory of 824 896 HSBC PAYMENT_Pdf_.exe schtasks.exe PID 896 wrote to memory of 676 896 HSBC PAYMENT_Pdf_.exe schtasks.exe PID 896 wrote to memory of 676 896 HSBC PAYMENT_Pdf_.exe schtasks.exe PID 896 wrote to memory of 676 896 HSBC PAYMENT_Pdf_.exe schtasks.exe PID 896 wrote to memory of 676 896 HSBC PAYMENT_Pdf_.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENT_Pdf_.exe"C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENT_Pdf_.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENT_Pdf_.exe"C:\Users\Admin\AppData\Local\Temp\HSBC PAYMENT_Pdf_.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDBEE.tmp"3⤵
- Creates scheduled task(s)
PID:824
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDD27.tmp"3⤵
- Creates scheduled task(s)
PID:676
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57c48276b3ab1a20c55cf770ecb72be18
SHA1e8ec0b5ae58a53dd5a5e24f4fd0e4760dc504460
SHA2563dedec1a6e6ed95c2331097ed0d2f264c57a834018cb5b533262d9a4b86727d7
SHA5129b494d7da299da21bed0808620e86a2460a20b46148e8befeacc2112ce4fe60c2e8edf5c37985269783387409b2e982c25264d5fbac4092d267391933aaaec3f
-
Filesize
1KB
MD5885d6dd30570594e167fadb59d9ca0ea
SHA19981e583644c4eb9cf5056615a0e1c2913c8983b
SHA2567155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2
SHA5121623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a