Analysis Overview
SHA256
982d20cce7e6458f1b964b36efef0c7245bd155962c04b08e02323c9efc60f3b
Threat Level: Known bad
The file Payment advice.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-13 00:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-13 00:23
Reported
2022-11-13 00:25
Platform
win7-20220812-en
Max time kernel
75s
Max time network
152s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systeddgsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systeddgsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1096 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment advice.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment advice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Payment advice.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systeddgsm.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp897B.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8B12.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | brewsterchristophe.ddns.net | udp |
| N/A | 185.216.71.149:5899 | brewsterchristophe.ddns.net | tcp |
Files
memory/1096-54-0x00000000011F0000-0x000000000124E000-memory.dmp
memory/1096-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp
memory/2036-56-0x0000000000000000-mapping.dmp
memory/1096-58-0x00000000003A0000-0x00000000003BC000-memory.dmp
memory/2032-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2032-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2032-62-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2032-63-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2032-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2032-66-0x000000000041E792-mapping.dmp
memory/2032-68-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2032-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1692-72-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp897B.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
memory/620-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8B12.tmp
| MD5 | 4e71faa3a77029484cfaba423d96618f |
| SHA1 | 9c837d050bb43d69dc608af809c292e13bca4718 |
| SHA256 | c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb |
| SHA512 | 6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0 |
memory/2032-76-0x00000000003E0000-0x00000000003EA000-memory.dmp
memory/2032-77-0x0000000000480000-0x000000000049E000-memory.dmp
memory/2032-78-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2036-79-0x0000000070340000-0x00000000708EB000-memory.dmp
memory/2036-80-0x0000000070340000-0x00000000708EB000-memory.dmp
memory/2032-81-0x0000000000570000-0x0000000000582000-memory.dmp
memory/2032-82-0x00000000006B0000-0x00000000006CA000-memory.dmp
memory/2032-83-0x00000000006E0000-0x00000000006EE000-memory.dmp
memory/2032-85-0x0000000000700000-0x000000000070E000-memory.dmp
memory/2032-84-0x00000000006F0000-0x0000000000702000-memory.dmp
memory/2032-86-0x0000000000710000-0x000000000071C000-memory.dmp
memory/2032-88-0x0000000000B80000-0x0000000000B90000-memory.dmp
memory/2032-87-0x00000000008A0000-0x00000000008B4000-memory.dmp
memory/2032-89-0x0000000000B90000-0x0000000000BA4000-memory.dmp
memory/2032-90-0x0000000000D40000-0x0000000000D4E000-memory.dmp
memory/2032-91-0x0000000002330000-0x000000000235E000-memory.dmp
memory/2032-92-0x00000000022D0000-0x00000000022E4000-memory.dmp
memory/2032-93-0x0000000004EE5000-0x0000000004EF6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-13 00:23
Reported
2022-11-13 00:25
Platform
win10v2004-20220901-en
Max time kernel
61s
Max time network
153s
Command Line
Signatures
NanoCore
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systeddgsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systeddgsm.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2148 set thread context of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\Payment advice.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payment advice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Payment advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment advice.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Payment advice.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systeddgsm.exe'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4920.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.73.25:443 | tcp | |
| N/A | 8.8.8.8:53 | brewsterchristophe.ddns.net | udp |
| N/A | 185.216.71.149:5899 | brewsterchristophe.ddns.net | tcp |
Files
memory/2148-132-0x0000000000F70000-0x0000000000FCE000-memory.dmp
memory/2148-133-0x00000000080B0000-0x000000000814C000-memory.dmp
memory/2148-134-0x0000000008700000-0x0000000008CA4000-memory.dmp
memory/2252-135-0x0000000000000000-mapping.dmp
memory/2252-136-0x0000000002400000-0x0000000002436000-memory.dmp
memory/2284-137-0x0000000000000000-mapping.dmp
memory/2284-138-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2252-139-0x0000000004EC0000-0x00000000054E8000-memory.dmp
memory/2284-140-0x0000000005780000-0x0000000005812000-memory.dmp
memory/2252-141-0x0000000004C50000-0x0000000004C72000-memory.dmp
memory/2252-142-0x00000000054F0000-0x0000000005556000-memory.dmp
memory/2252-143-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/2284-144-0x00000000056E0000-0x00000000056EA000-memory.dmp
memory/3616-145-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp
| MD5 | 8cad1b41587ced0f1e74396794f31d58 |
| SHA1 | 11054bf74fcf5e8e412768035e4dae43aa7b710f |
| SHA256 | 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c |
| SHA512 | 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef |
memory/2252-147-0x0000000005D30000-0x0000000005D4E000-memory.dmp
memory/4656-148-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4920.tmp
| MD5 | 2f26d92c1eeead3896820e56ec46f6f1 |
| SHA1 | d95533b61eed7d89e4ada56bc566d60e42ac1f61 |
| SHA256 | 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa |
| SHA512 | 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892 |
memory/2252-150-0x00000000062A0000-0x0000000006336000-memory.dmp
memory/2252-151-0x0000000006210000-0x000000000622A000-memory.dmp
memory/2252-152-0x0000000006260000-0x0000000006282000-memory.dmp