Analysis
-
max time kernel
119s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
25-04-2024 08:06
Static task
static1
Behavioral task
behavioral1
Sample
PROOF OF PAYMENT.scr.exe
Resource
win7-20240221-en
General
-
Target
PROOF OF PAYMENT.scr.exe
-
Size
670KB
-
MD5
11b19b59f657910f0af49721a77bc2dd
-
SHA1
3078779d892bd96e5dfddb76d491f52eefd39a2d
-
SHA256
c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
-
SHA512
de92458acc1341bd5db1ca3f5542339c5e06dac938903efc9c9eeca234058a92fb1e99bdb94c547a7126dfe033c300beb5a8ef3ca63dcb61bb6dbd397b7602e2
-
SSDEEP
12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh
Malware Config
Extracted
nanocore
1.2.2.0
amechi.duckdns.org:3190
3ccbc5bb-95bf-4854-a1cd-6f73b82adcba
-
activate_away_mode
true
-
backup_connection_host
amechi.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-02-04T08:58:27.782943536Z
-
bypass_user_account_control
true
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3190
-
default_group
GLORY
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
3ccbc5bb-95bf-4854-a1cd-6f73b82adcba
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
amechi.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
PROOF OF PAYMENT.scr.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | PROOF OF PAYMENT.scr.exe
-
Checks whether UAC is enabled
Processes:
PROOF OF PAYMENT.scr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | PROOF OF PAYMENT.scr.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PROOF OF PAYMENT.scr.exe
description | pid | process | target process
PID 2972 set thread context of 2456 | 2972 | PROOF OF PAYMENT.scr.exe | PROOF OF PAYMENT.scr.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
PROOF OF PAYMENT.scr.exe
description | ioc | process
File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | PROOF OF PAYMENT.scr.exe
File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | PROOF OF PAYMENT.scr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
PROOF OF PAYMENT.scr.exe, powershell.exe, powershell.exe, PROOF OF PAYMENT.scr.exe
pid | process
2972 | PROOF OF PAYMENT.scr.exe (4 entries)
2624 | powershell.exe
2704 | powershell.exe
2456 | PROOF OF PAYMENT.scr.exe (5 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PROOF OF PAYMENT.scr.exe
pid | process
2456 | PROOF OF PAYMENT.scr.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
PROOF OF PAYMENT.scr.exe, powershell.exe, powershell.exe, PROOF OF PAYMENT.scr.exe
description | pid | process
Token: SeDebugPrivilege | 2972 | PROOF OF PAYMENT.scr.exe
Token: SeDebugPrivilege | 2624 | powershell.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeDebugPrivilege | 2456 | PROOF OF PAYMENT.scr.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
PROOF OF PAYMENT.scr.exe
description | pid | process | target process
PID 2972 wrote to memory of 2624 | 2972 | PROOF OF PAYMENT.scr.exe | powershell.exe (4 entries)
PID 2972 wrote to memory of 2704 | 2972 | PROOF OF PAYMENT.scr.exe | powershell.exe (4 entries)
PID 2972 wrote to memory of 2732 | 2972 | PROOF OF PAYMENT.scr.exe | schtasks.exe (4 entries)
PID 2972 wrote to memory of 2456 | 2972 | PROOF OF PAYMENT.scr.exe | PROOF OF PAYMENT.scr.exe (9 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
  -
  C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4CF8.tmp"
  - Creates scheduled task(s)
  PID:2732
  -
  C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe
  "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5 c456add6ad59576f2037e540cfaa97ea
SHA1 03bcba4d5ba09effe878d8017855912a93335774
SHA256 113aed93c3b60ae1342b5a4f8dcb509767e1edfb72f695c25dbaf874a2a67a91
SHA512 d846ebbd3b4b4ef92bff425f62d949aeabd6dd7aaa8740f7cd42b2cd1fe8a8de79297e651ecd95cbc0de0e43fe11bcd91205a99ca37394c1793deb94cb4e1d9a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H97CD0VR7R5OFFP3ZBJ1.temp
Filesize 7KB
MD5 ba257e0457ef70df3d33fd32ec83b772
SHA1 c4d49520897241dfebe30d5e4727fe9ef8ebbaa8
SHA256 f64ccd63e69a78a628b8457eb1c405e1f237b0fa3552ca5340360dc35dfd13bb
SHA512 10a6d73a953665f2cc5f8bb4ba9be293e57446590c03afd2b4ed4fc337e1d6d5da97d1cd7801b951d280a9c2fb740c0cadaafd091f0f7fb13349940e6a8071e8