Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 05:04 UTC
Static task
static1
Behavioral task
behavioral1
Sample
PROOF OF PAYMENT.exe
Resource
win7-20240903-en
General
-
Target
PROOF OF PAYMENT.exe
-
Size
769KB
-
MD5
74b1f9ccfc3a8cd599c6565187306657
-
SHA1
447362e6ac5562132324147636b2c5f13ed7e87e
-
SHA256
8c6515ea1d1dc1263f76e273d06eee09ce298ddaefa435b84bb6e5bc9b578da1
-
SHA512
c88740b94abe0fc862560525566b6c8482cc04c59f43c85b5ee8220db546eeb77990cea5a792aa0928341152371a1b84e27df7abb6bdedad5982937cb0128821
-
SSDEEP
12288:ixfMNAGE3qOh/EcvseSdNZo9KDictCHTC0kX7qj8DBTuLTtuZTUJ:i9GVE3qOh/zxqG9lkCHo7qQtThZTU
Malware Config
Extracted
nanocore
1.2.2.0
amechi.duckdns.org:4190
2a0a9f29-2b47-4a8a-bba0-73bd2bfb466e
-
activate_away_mode
true
-
backup_connection_host
amechi.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-11-27T10:27:04.358793536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4190
-
default_group
EYPPPP
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
2a0a9f29-2b47-4a8a-bba0-73bd2bfb466e
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
amechi.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation PROOF OF PAYMENT.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe" PROOF OF PAYMENT.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PROOF OF PAYMENT.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4216 set thread context of 1316 4216 PROOF OF PAYMENT.exe 92 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\DSL Service\dslsv.exe PROOF OF PAYMENT.exe File opened for modification C:\Program Files (x86)\DSL Service\dslsv.exe PROOF OF PAYMENT.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PROOF OF PAYMENT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PROOF OF PAYMENT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3024 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4216 PROOF OF PAYMENT.exe 1316 PROOF OF PAYMENT.exe 1316 PROOF OF PAYMENT.exe 1316 PROOF OF PAYMENT.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1316 PROOF OF PAYMENT.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4216 PROOF OF PAYMENT.exe Token: SeDebugPrivilege 1316 PROOF OF PAYMENT.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4216 wrote to memory of 3024 4216 PROOF OF PAYMENT.exe 90 PID 4216 wrote to memory of 3024 4216 PROOF OF PAYMENT.exe 90 PID 4216 wrote to memory of 3024 4216 PROOF OF PAYMENT.exe 90 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92 PID 4216 wrote to memory of 1316 4216 PROOF OF PAYMENT.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4216 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kgiHOQFWsi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE724.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3024
-
-
C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"{path}"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
Network
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request136.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponse
-
Remote address:8.8.8.8:53Request68.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
Remote address:8.8.8.8:53Requestamechi.duckdns.orgIN AResponseamechi.duckdns.orgIN A45.128.36.178
-
208 B 4
-
208 B 4
-
208 B 4
-
208 B 4
-
208 B 4
-
208 B 4
-
208 B 4
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
136.32.126.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
256 B 272 B 4 4
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Response
45.128.36.178
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
128 B 144 B 2 2
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Response
45.128.36.178
-
72 B 132 B 1 1
DNS Request
68.209.201.84.in-addr.arpa
-
256 B 272 B 4 4
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Response
45.128.36.178
-
64 B 80 B 1 1
DNS Request
amechi.duckdns.org
DNS Response
45.128.36.178
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
-
128 B 160 B 2 2
DNS Request
amechi.duckdns.org
DNS Request
amechi.duckdns.org
DNS Response
45.128.36.178
DNS Response
45.128.36.178
-
64 B 80 B 1 1
DNS Request
amechi.duckdns.org
DNS Response
45.128.36.178
-
64 B 80 B 1 1
DNS Request
amechi.duckdns.org
DNS Response
45.128.36.178
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5671a6c030de33d5123075040da9b753d
SHA136d41c9e2eef3e5db0ca3776f5d13fbd7bdef3b8
SHA25686c70796fe0c7508d604d5cd229dd76f764f96a8ab5e39a3903560c1d7e0538b
SHA512b21f0359fd676e485245849966c81c77cbf808a5d0092fc099a87d9fbf25d5dbba33402ff7f1149d7f87311829775c9df7a600b96e0955b4e8002eec9c382e1b