Analysis
max time kernel: 146s
max time network: 147s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 16:36

Static task: static1
Behavioral task: behavioral1
Sample: final bill copy 28.6.2020.exe
Resource: win7-20240220-en
General
Target: final bill copy 28.6.2020.exe
Size: 322KB
MD5: cdb11d14d3d4d9629af79ca24674574b
SHA1: aad5682a4c9798a81ca7ab34a87f281c8df77f4f
SHA256: cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
SHA512: 0712d60b0e49b309cc7423681e2523eb9c0e9c7119145a92b6312a8175680e11766eb1c9b63dd74527ba4941b91c668923ef37c3a0faf0c956731700fa9725d9
SSDEEP: 6144:6w9LKRcqSGjUkVP0H6JBh2dxPzH7PetJiRE6ta5vj:6w4+GjF5JB0DPHRE
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2 hosts: officezafar.hopto.org:3575, 79.134.225.105:3575
Mutex: addcef97-a3fd-4088-97c4-b33550fc9a8a

activate_away_mode: true
backup_connection_host: 79.134.225.105
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-30T16:41:31.745741536Z
bypass_user_account_control: false
bypass_user_account_control_data: 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
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 3575
default_group: officezafar
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: addcef97-a3fd-4088-97c4-b33550fc9a8a
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: officezafar.hopto.org
primary_dns_server: 8.8.8.8
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Deletes itself 1 IoCs
Processes: cmd.exe (PID 2516)

Adds Run key to start application 2 TTPs 1 IoCs
Processes: RegAsm.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" (RegAsm.exe)

Checks whether UAC is enabled 1 IoCs
Processes: RegAsm.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (RegAsm.exe)

Suspicious use of SetThreadContext 1 IoCs
Processes: final bill copy 28.6.2020.exe
PID 1984 (final bill copy 28.6.2020.exe) set thread context of PID 2688 (RegAsm.exe)

Drops file in Program Files directory 2 IoCs
Processes: RegAsm.exe
File created: C:\Program Files (x86)\TCP Subsystem\tcpss.exe (RegAsm.exe)
File opened for modification: C:\Program Files (x86)\TCP Subsystem\tcpss.exe (RegAsm.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (PID 2544), schtasks.exe (PID 2504)

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: final bill copy 28.6.2020.exe (PID 1984), 64 occurrences

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: RegAsm.exe (PID 2688)

Suspicious behavior: MapViewOfSection 1 IoCs
Processes: final bill copy 28.6.2020.exe (PID 1984)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: final bill copy 28.6.2020.exe, RegAsm.exe
Token: SeDebugPrivilege, PID 1984 (final bill copy 28.6.2020.exe)
Token: SeDebugPrivilege, PID 2688 (RegAsm.exe)

Suspicious use of WriteProcessMemory 24 IoCs
Processes: final bill copy 28.6.2020.exe, cmd.exe, RegAsm.exe
PID 1984 (final bill copy 28.6.2020.exe) wrote to memory of PID 2688 (RegAsm.exe), 8 occurrences
PID 1984 (final bill copy 28.6.2020.exe) wrote to memory of PID 2516 (cmd.exe), 4 occurrences
PID 2516 (cmd.exe) wrote to memory of PID 2600 (choice.exe), 4 occurrences
PID 2688 (RegAsm.exe) wrote to memory of PID 2544 (schtasks.exe), 4 occurrences
PID 2688 (RegAsm.exe) wrote to memory of PID 2504 (schtasks.exe), 4 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\final bill copy 28.6.2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\final bill copy 28.6.2020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp"
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp"
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\final bill copy 28.6.2020.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp2BD1.tmp
Filesize: 1KB
MD5: 48ef7fa9033389ad7929d7a6b9d10298
SHA1: 9db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA256: 0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512: ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

C:\Users\Admin\AppData\Local\Temp\tmp2C5F.tmp
Filesize: 1KB
MD5: 4b7ef560289c0f62d0baf6f14f48a57a
SHA1: 8331acb90dde588aa3196919f6e847f398fd06d1
SHA256: 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512: ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

memory/1984-8-0x0000000074500000-0x0000000074BEE000-memory.dmp
Filesize: 6.9MB

memory/1984-2-0x0000000000460000-0x00000000004A2000-memory.dmp
Filesize: 264KB

memory/1984-9-0x0000000074500000-0x0000000074BEE000-memory.dmp
Filesize: 6.9MB

memory/1984-0-0x000000007450E000-0x000000007450F000-memory.dmp
Filesize: 4KB

memory/1984-1-0x0000000000C40000-0x0000000000C98000-memory.dmp
Filesize: 352KB

memory/2688-7-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB

memory/2688-5-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB

memory/2688-3-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB

memory/2688-17-0x0000000000540000-0x000000000054A000-memory.dmp
Filesize: 40KB

memory/2688-18-0x00000000005E0000-0x00000000005FE000-memory.dmp
Filesize: 120KB

memory/2688-19-0x0000000000550000-0x000000000055A000-memory.dmp
Filesize: 40KB