Analysis
- max time kernel: 68s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 09:31
Static task: static1
Behavioral task: behavioral1
Sample: Payment Advice - Advice Ref A1T4C80vSIxi ACH.exe
Resource: win7-20220812-en
General
- Target: Payment Advice - Advice Ref A1T4C80vSIxi ACH.exe
- Size: 534KB
- MD5: 5e614380d01c2f0f36ee265fe8dd9d9c
- SHA1: 63691f614618e101c120cb83b21fb56e22301960
- SHA256: 3d4072b7826c27f5aa407e7ba64a3ce64beeb00d1fd5d02042afb9cc95b18835
- SHA512: 4f2b4ee01c6737983c82045b8f64493399397ad45d655c46dbe55d20685c5c42d86418f61247e3c994f1e2f056a433e2bf310defb14f74842738928854e3708d
- SSDEEP: 12288:OGlaKpWlZbRbQ/POekgipNmY6hwayRJ/r/l2:XlppW1b8Rkg8NmnOJ/r/k
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2 host:port: svetanakravenova248.ddns.net:5634
- Mutex: 28aa6c07-7c21-4208-97f7-23c9618edcb1

Configuration:
- activate_away_mode: true
- backup_connection_host: svetanakravenova248.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-09-13T17:11:19.119527236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 5634
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 28aa6c07-7c21-4208-97f7-23c9618edcb1
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: svetanakravenova248.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1016  kdayca.exe
    1076  kdayca.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1508  Payment Advice - Advice Ref A1T4C80vSIxi ACH.exe
    1016  kdayca.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)
      \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\sdtltnvgmep = "C:\\Users\\Admin\\AppData\\Roaming\\owftmfp\\ltvcoaoosru.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kdayca.exe\" C:\\Users\\Admin\\AppData\\Local"
      kdayca.exe
    Set value (str)
      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"
      kdayca.exe
- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried
      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
      kdayca.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 1016 set thread context of 1076
      1016  kdayca.exe  ->  kdayca.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
    File created
      C:\Program Files (x86)\UDP Service\udpsv.exe
      kdayca.exe
    File opened for modification
      C:\Program Files (x86)\UDP Service\udpsv.exe
      kdayca.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
    1076  kdayca.exe  (4 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid, process):
    1076  kdayca.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
    1016  kdayca.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege
      1076  kdayca.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 1508 wrote to memory of 1016
      1508  Payment Advice - Advice Ref A1T4C80vSIxi ACH.exe  ->  kdayca.exe  (4 identical entries)
    PID 1016 wrote to memory of 1076
      1016  kdayca.exe  ->  kdayca.exe  (5 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice - Advice Ref A1T4C80vSIxi ACH.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\kdayca.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kdayca.exe" C:\Users\Admin\AppData\Local\Temp\figrnaab.u
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kdayca.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kdayca.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\figrnaab.u
  Filesize: 7KB
  MD5: 2c4820a476f531228300166a9a6cdd0b
  SHA1: 74b0de590aa64c2a712fdd41a5b89534f0aaaf9b
  SHA256: 3a5ee30e2f418e1e20273f0ff26bd181eccdfcd037e9ba31a8c06d2205920ca8
  SHA512: b9247d55eca78db32572ac9f28e04d09779e298076d54860e286274f9fb535020671082a6920a19ca11517a40b1b0ca88d91e94b019a4f1db7a824964ff79323
- C:\Users\Admin\AppData\Local\Temp\kdayca.exe
  Filesize: 99KB
  MD5: ced9a738610c75dc13095052e3e15e3d
  SHA1: d801230769d1d3c5889d1d613fdd1a04123c2fad
  SHA256: bf416d8928db2dcfc77f865190fcb68578ed7c9841f7a02bebcd1cabc922b4bd
  SHA512: d170b38c1a8e958af2a071a09c4a6762c2bb088614e3daf9be7f2eb90e1b50f0e62ee1a46962d6f2ec08a64b47716dcd5e3c3562d2c51f533c0545289d10663b
- C:\Users\Admin\AppData\Local\Temp\lxnzlufzpky.tm
  Filesize: 280KB
  MD5: 801d5102cc4d411b23d8c10dca8d5098
  SHA1: cbaa0a9564fc44c30d309926c49d91e62cb6a0ff
  SHA256: fe39d1074568852fec2814d93045c6d676dc7272ccaefa4836c307bfb852b737
  SHA512: fc6fe969cd9d260c2dbf61ead074cc441c12f03a20c8873d8348599226da79ef802239a0d4b63ab1d859e2179def51f61f741616f14f03e068c161cf094ea6d9
- memory/1016-56-0x0000000000000000-mapping.dmp
- memory/1076-66-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1076-63-0x0000000000401896-mapping.dmp
- memory/1076-67-0x00000000003B0000-0x00000000003E8000-memory.dmp (Filesize: 224KB)
- memory/1076-68-0x0000000000810000-0x000000000081A000-memory.dmp (Filesize: 40KB)
- memory/1076-69-0x0000000001EA0000-0x0000000001EBE000-memory.dmp (Filesize: 120KB)
- memory/1076-70-0x00000000008E0000-0x00000000008EA000-memory.dmp (Filesize: 40KB)
- memory/1076-72-0x00000000042A0000-0x00000000042BA000-memory.dmp (Filesize: 104KB)
- memory/1076-71-0x0000000001FD0000-0x0000000001FE2000-memory.dmp (Filesize: 72KB)
- memory/1076-73-0x0000000004190000-0x00000000041A4000-memory.dmp (Filesize: 80KB)
- memory/1076-75-0x00000000047E0000-0x000000000480E000-memory.dmp (Filesize: 184KB)
- memory/1076-74-0x0000000004780000-0x000000000478E000-memory.dmp (Filesize: 56KB)
- memory/1076-76-0x0000000004790000-0x00000000047A4000-memory.dmp (Filesize: 80KB)
- memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp (Filesize: 8KB)