Analysis
- max time kernel: 137s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2024 14:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Resource: win7-20240221-en
General
- Target: Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Size: 381KB
- MD5: 891820fd2e1bbe5f5f74cd2b77a1f6b9
- SHA1: 682a00cb848ded94d88e218f222803214a040774
- SHA256: 0d2e62e016f98d3213e3ac755d335795035b76f6ad9d6b5370df9ca0cced055c
- SHA512: 545fe42e8191657d7e45db77f58c1e83d9c8839ce07da1c1dcecb8d08056a4ca61ed2ab70e5498e15fb30e95df6b73703bd181a3d0f25040e1004f46a0c8a03c
- SSDEEP: 6144:wRHGKZMkhBE45nstM7gSD3OqpNsvSUvyvdLkld9Bgxoa4zrfVqAhRLh42ZdzMovS:a2SBHnsWMS3Ns5vyVcdmo9TjpKsQ7Y4
Malware Config
Extracted
- nanocore
- 1.2.2.0
- kamuchehddhgfgf.ddns.net:1187
- 37.0.10.22:1187
- 9ff0e8a4-a323-4111-bc49-0daecb63120d
- activate_away_mode: true
- backup_connection_host: 37.0.10.22
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-17T00:05:39.048278936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1187
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 9ff0e8a4-a323-4111-bc49-0daecb63120d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: kamuchehddhgfgf.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2420 set thread context of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  2684 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  2684 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  2684 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  Token: SeDebugPrivilege | 2684 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 2420 wrote to memory of 2564 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2564 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2564 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2564 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2568 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2568 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2568 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2568 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  PID 2420 wrote to memory of 2684 | 2420 | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe | Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child process: C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe"
  - child process: C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe"
  - child process: C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Circular PSSB Parts Disc Credit Term (Dlr) Oct2021 (1).exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/2420-20-0x0000000074800000-0x0000000074DAB000-memory.dmp (Filesize 5.7MB)
- memory/2420-1-0x0000000074800000-0x0000000074DAB000-memory.dmp (Filesize 5.7MB)
- memory/2420-0-0x0000000074800000-0x0000000074DAB000-memory.dmp (Filesize 5.7MB)
- memory/2420-3-0x0000000074800000-0x0000000074DAB000-memory.dmp (Filesize 5.7MB)
- memory/2420-4-0x0000000000670000-0x00000000006B0000-memory.dmp (Filesize 256KB)
- memory/2420-2-0x0000000000670000-0x00000000006B0000-memory.dmp (Filesize 256KB)
- memory/2684-27-0x0000000002110000-0x0000000002150000-memory.dmp (Filesize 256KB)
- memory/2684-9-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/2684-7-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/2684-5-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/2684-17-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/2684-15-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/2684-11-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/2684-19-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/2684-22-0x0000000002110000-0x0000000002150000-memory.dmp (Filesize 256KB)
- memory/2684-21-0x0000000074800000-0x0000000074DAB000-memory.dmp (Filesize 5.7MB)
- memory/2684-23-0x0000000074800000-0x0000000074DAB000-memory.dmp (Filesize 5.7MB)
- memory/2684-26-0x0000000074800000-0x0000000074DAB000-memory.dmp (Filesize 5.7MB)
- memory/2684-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)