Analysis

max time kernel: 139s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-04-2024 08:06

Static task: static1
Behavioral task: behavioral1
Sample: PROOF OF PAYMENT.scr.exe
Resource: win7-20240221-en
General

Target: PROOF OF PAYMENT.scr.exe
(The double extension is a lure: a .scr "screensaver" is an ordinary PE executable and runs on double-click like any .exe.)
Size: 670KB
MD5: 11b19b59f657910f0af49721a77bc2dd
SHA1: 3078779d892bd96e5dfddb76d491f52eefd39a2d
SHA256: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
SHA512: de92458acc1341bd5db1ca3f5542339c5e06dac938903efc9c9eeca234058a92fb1e99bdb94c547a7126dfe033c300beb5a8ef3ca63dcb61bb6dbd397b7602e2
SSDEEP: 12288:EWYIPXjxannnHg2g2Qsj2kGPBjQW/dAOAbnB4BziHmBOXB3NEqRFnj7Qu4YCgca:EWYIPFannnHg2F2kUBjB8B4BOHLXcqbh
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: amechi.duckdns.org:3190
Mutex: 3ccbc5bb-95bf-4854-a1cd-6f73b82adcba

activate_away_mode: true
backup_connection_host: amechi.duckdns.org
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2024-02-04T08:58:27.782943536Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 3190
default_group: GLORY
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: 3ccbc5bb-95bf-4854-a1cd-6f73b82adcba
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: amechi.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: PROOF OF PAYMENT.scr.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | PROOF OF PAYMENT.scr.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: PROOF OF PAYMENT.scr.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" | PROOF OF PAYMENT.scr.exe

- Checks whether UAC is enabled (1 IoC)
  Processes: PROOF OF PAYMENT.scr.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | PROOF OF PAYMENT.scr.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: PROOF OF PAYMENT.scr.exe
    description | pid | process | target process
    PID 3320 set thread context of 2708 | 3320 | PROOF OF PAYMENT.scr.exe | PROOF OF PAYMENT.scr.exe

- Drops file in Program Files directory (2 IoCs)
  Processes: PROOF OF PAYMENT.scr.exe
    description | ioc | process
    File created | C:\Program Files (x86)\DDP Service\ddpsv.exe | PROOF OF PAYMENT.scr.exe
    File opened for modification | C:\Program Files (x86)\DDP Service\ddpsv.exe | PROOF OF PAYMENT.scr.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks.exe is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: PROOF OF PAYMENT.scr.exe, powershell.exe, powershell.exe, PROOF OF PAYMENT.scr.exe
    pid | process | occurrences
    3320 | PROOF OF PAYMENT.scr.exe | 5
    2956 | powershell.exe | 3
    2248 | powershell.exe | 3
    2708 | PROOF OF PAYMENT.scr.exe | 7

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PROOF OF PAYMENT.scr.exe
    pid | process
    2708 | PROOF OF PAYMENT.scr.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: PROOF OF PAYMENT.scr.exe, powershell.exe, powershell.exe, PROOF OF PAYMENT.scr.exe
    description | pid | process
    Token: SeDebugPrivilege | 3320 | PROOF OF PAYMENT.scr.exe
    Token: SeDebugPrivilege | 2956 | powershell.exe
    Token: SeDebugPrivilege | 2248 | powershell.exe
    Token: SeDebugPrivilege | 2708 | PROOF OF PAYMENT.scr.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: PROOF OF PAYMENT.scr.exe
    description | pid | process | target process | occurrences
    PID 3320 wrote to memory of 2956 | 3320 | PROOF OF PAYMENT.scr.exe | powershell.exe | 3
    PID 3320 wrote to memory of 2248 | 3320 | PROOF OF PAYMENT.scr.exe | powershell.exe | 3
    PID 3320 wrote to memory of 5112 | 3320 | PROOF OF PAYMENT.scr.exe | schtasks.exe | 3
    PID 3320 wrote to memory of 2708 | 3320 | PROOF OF PAYMENT.scr.exe | PROOF OF PAYMENT.scr.exe | 8
Processes

- C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe (PID 3320, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2956, depth 2, child of 3320)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2248, depth 2, child of 3320)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\SysWOW64\schtasks.exe (PID 5112, depth 2, child of 3320)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64B5.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe (PID 2708, depth 2, child of 3320)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken

Reading the tree: the child image paths sit under C:\Windows\SysWOW64 while their command lines name C:\Windows\System32 because the 32-bit parent is subject to WOW64 file-system redirection. The two Add-MpPreference calls add Microsoft Defender exclusions for the sample's own path and for C:\Users\Admin\AppData\Roaming\hXGmUcb.exe, which shares its name with the scheduled task "Updates\hXGmUcb" imported from a temporary XML file. PID 2708 is a second copy of the same image spawned by 3320, and it is the process that 3320 targets with SetThreadContext and eight WriteProcessMemory calls, consistent with process hollowing; it is this child, not the original, that drops ddpsv.exe into Program Files and writes the "DDP Service" Run key, so the sample ends up with two independent persistence mechanisms.
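The chain above (Defender exclusions through Add-MpPreference, a scheduled task imported from an XML file in %TEMP%, a same-image child that also receives SetThreadContext, and a Run key written by a process running from %TEMP%) maps onto a small set of process- and registry-event rules. What follows is an added example of that detection logic, not part of the sandbox report. The Event schema is a generic stand-in for EDR or Sysmon telemetry and is an assumption; the malicious events are constructed from the process tree and IoCs on this page, while the parent PIDs the report does not show and the two benign control events are invented for the example.

```python
"""Rules over process-creation and registry-write events for the behaviour
chain in the report: Defender exclusion, schtasks /XML from a user-writable
path, same-image self-spawn (hollowing shape) and a Run key written by a
process living in a user-writable directory. Added example; the Event
schema and the sample events are constructed, not vendor telemetry."""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to. A process image or a task
# definition living here deserves more scrutiny than one under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Downloads|Public)\\", re.I)


@dataclass
class Event:
    kind: str             # "process" (creation) or "regset" (registry value write)
    pid: int              # acting process
    ppid: int
    image: str            # image path of the acting process
    cmdline: str = ""     # process events only
    parent_image: str = ""
    reg_key: str = ""     # regset events only
    reg_data: str = ""


def rule_defender_exclusion(ev: Event):
    """T1562.001: PowerShell adding a Defender path/process/extension exclusion."""
    if ev.kind != "process" or not ev.image.lower().endswith("powershell.exe"):
        return None
    if re.search(r"add-mppreference\b.*-exclusion(path|process|extension)", ev.cmdline, re.I):
        return "T1562.001 Defender exclusion added via Add-MpPreference"
    return None


def rule_schtasks_xml_from_user_writable(ev: Event):
    """T1053.005: schtasks /Create importing its definition from a user-writable path."""
    if ev.kind != "process" or not ev.image.lower().endswith("schtasks.exe"):
        return None
    cl = ev.cmdline.lower()
    m = re.search(r'/xml\s+"?([^"\s]+)"?', cl)
    if "/create" in cl and m and USER_WRITABLE.search(m.group(1)):
        return "T1053.005 scheduled task created from XML in user-writable path"
    return None


def rule_self_spawn_from_user_writable(ev: Event):
    """T1055.012 shape: a process spawns a copy of its own image from a user-writable
    path. Alone this is only suspicious; in the report the same pair carries
    SetThreadContext and repeated WriteProcessMemory. Use those to raise the score."""
    if ev.kind != "process" or not ev.parent_image:
        return None
    if ev.image.lower() == ev.parent_image.lower() and USER_WRITABLE.search(ev.image):
        return "T1055.012 same-image self-spawn from user-writable path (possible hollowing)"
    return None


def rule_run_key_from_user_writable(ev: Event):
    """T1547.001: Run/RunOnce value written by a process that itself runs from a
    user-writable path. The value data is ignored on purpose: here it points at a
    legitimate-looking Program Files path, and the writer is what gives it away."""
    if ev.kind != "regset":
        return None
    if re.search(r"\\CurrentVersion\\Run(Once)?\\", ev.reg_key, re.I) and USER_WRITABLE.search(ev.image):
        return "T1547.001 Run key written by process running from user-writable path"
    return None


RULES = [rule_defender_exclusion, rule_schtasks_xml_from_user_writable,
         rule_self_spawn_from_user_writable, rule_run_key_from_user_writable]


def run_rules(events):
    """Return (pid, finding) pairs in event order, then rule order."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev.pid, msg))
    return hits


# Constructed from the process tree and IoCs in the report. The parent of 3320,
# its PID (1234) and the two benign control events are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.scr.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CL = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
EVENTS = [
    Event("process", 3320, 1234, SAMPLE, f'"{SAMPLE}"', parent_image=r"C:\Windows\explorer.exe"),
    Event("process", 2956, 3320, PS, PS_CL + f'"{SAMPLE}"', parent_image=SAMPLE),
    Event("process", 2248, 3320, PS, PS_CL + r'"C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"', parent_image=SAMPLE),
    Event("process", 5112, 3320, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64B5.tmp"',
          parent_image=SAMPLE),
    Event("process", 2708, 3320, SAMPLE, f'"{SAMPLE}"', parent_image=SAMPLE),
    Event("regset", 2708, 3320, SAMPLE,
          reg_key=r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service",
          reg_data=r"C:\Program Files (x86)\DDP Service\ddpsv.exe"),
    # Benign controls (constructed): a task query and a Defender settings read.
    Event("process", 4444, 1234, r"C:\Windows\System32\schtasks.exe",
          r'"schtasks.exe" /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
          parent_image=r"C:\Windows\System32\cmd.exe"),
    Event("process", 4445, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"powershell.exe" Get-MpPreference', parent_image=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, finding in run_rules(EVENTS):
        print(pid, finding)
```

Each rule keys on the combination of action and location rather than on the names in this sample (DDP Service, hXGmUcb, ddpsv.exe), which change between builds; against the events above it fires on PIDs 2956, 2248, 5112 and twice on 2708, and stays silent on the original 3320 and the two controls.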
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

- Filesize: 18KB
  MD5: e92e247ae977b531b7b40472155cd25d
  SHA1: 74f2dc6703a371270bb9708757a9952b1a7a6b35
  SHA256: c2d082c8ed35e5d6fb24c1476d76c795700a513362fea8df03822158d9d059ce
  SHA512: f80f9dbdf13ff1eaef540b242b97f3527e4801124fda74fe8e43f2b1f7fb8b4d525008886c025b250535aef39113e83a956b5df198f6aae1ccd26cfe901e0ee0

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 1KB
  MD5: 882a972596278184fe775c2dec04bbc0
  SHA1: f906bd7585992515713e2efe013ae61ccb3f0e0d
  SHA256: 561cab84b68a06a7c48a660aebb716f4bc525630aa7e7e395f7863a17c9df328
  SHA512: 6f837c4424ff593f63f4718333a48fe4472795e4d27b90bb823635c238e1542ce0add10559d4a173491b43775d90723fcc2def02fb2db519057cbc104504faeb