Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 16:36
Static task: static1
Behavioral task: behavioral1
Sample: final bill copy 28.6.2020.exe
Resource: win7-20240220-en
General
- Target: final bill copy 28.6.2020.exe
- Size: 322KB
- MD5: cdb11d14d3d4d9629af79ca24674574b
- SHA1: aad5682a4c9798a81ca7ab34a87f281c8df77f4f
- SHA256: cb5eb4758a41046a2f3fc084731d756aedf8ea212dc08c9bb2e6cd7f5eff6cae
- SHA512: 0712d60b0e49b309cc7423681e2523eb9c0e9c7119145a92b6312a8175680e11766eb1c9b63dd74527ba4941b91c668923ef37c3a0faf0c956731700fa9725d9
- SSDEEP: 6144:6w9LKRcqSGjUkVP0H6JBh2dxPzH7PetJiRE6ta5vj:6w4+GjF5JB0DPHRE
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- Hosts: officezafar.hopto.org:3575, 79.134.225.105:3575
- Mutex: addcef97-a3fd-4088-97c4-b33550fc9a8a
Configuration:
- activate_away_mode: true
- backup_connection_host: 79.134.225.105
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-30T16:41:31.745741536Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3575
- default_group: officezafar
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: addcef97-a3fd-4088-97c4-b33550fc9a8a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: officezafar.hopto.org
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: final bill copy 28.6.2020.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | final bill copy 28.6.2020.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegAsm.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | RegAsm.exe
- Checks whether UAC is enabled
  Processes: RegAsm.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegAsm.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: final bill copy 28.6.2020.exe
  description | pid | process | target process
  PID 4984 set thread context of 2372 | 4984 | final bill copy 28.6.2020.exe | RegAsm.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: RegAsm.exe
  description | ioc | process
  File created | C:\Program Files (x86)\DDP Host\ddphost.exe | RegAsm.exe
  File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | RegAsm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  512 | schtasks.exe
  4404 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: final bill copy 28.6.2020.exe
  pid | process
  4984 | final bill copy 28.6.2020.exe (this same entry is listed 64 times in the report)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: RegAsm.exe
  pid | process
  2372 | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: final bill copy 28.6.2020.exe
  pid | process
  4984 | final bill copy 28.6.2020.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: final bill copy 28.6.2020.exe, RegAsm.exe
  description | pid | process
  Token: SeDebugPrivilege | 4984 | final bill copy 28.6.2020.exe
  Token: SeDebugPrivilege | 2372 | RegAsm.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: final bill copy 28.6.2020.exe, cmd.exe, RegAsm.exe
  description | pid | process | target process
  PID 4984 wrote to memory of 2372 | 4984 | final bill copy 28.6.2020.exe | RegAsm.exe (4 entries)
  PID 4984 wrote to memory of 5048 | 4984 | final bill copy 28.6.2020.exe | cmd.exe (3 entries)
  PID 5048 wrote to memory of 3864 | 5048 | cmd.exe | choice.exe (3 entries)
  PID 2372 wrote to memory of 512 | 2372 | RegAsm.exe | schtasks.exe (3 entries)
  PID 2372 wrote to memory of 4404 | 2372 | RegAsm.exe | schtasks.exe (3 entries)
Processes (process tree; nesting shows parent/child relationships)
- C:\Users\Admin\AppData\Local\Temp\final bill copy 28.6.2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\final bill copy 28.6.2020.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5880.tmp"
      - Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp599A.tmp"
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\final bill copy 28.6.2020.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /C Y /N /D Y /T 3
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5880.tmp
  Filesize: 1KB
  MD5: 48ef7fa9033389ad7929d7a6b9d10298
  SHA1: 9db6cb7325c8bdf66a15f7b5f34703709a45aeb6
  SHA256: 0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
  SHA512: ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e
- C:\Users\Admin\AppData\Local\Temp\tmp599A.tmp
  Filesize: 1KB
  MD5: 2271642ca970891700e3f48439739ed8
  SHA1: cd472df2349f7db9e1e460d0ee28acd97b8a8793
  SHA256: 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
  SHA512: 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807
Memory dumps (file | Filesize):
- memory/2372-5-0x0000000005720000-0x0000000005CC4000-memory.dmp | 5.6MB
- memory/2372-9-0x00000000052C0000-0x00000000052CA000-memory.dmp | 40KB
- memory/2372-22-0x0000000074F10000-0x00000000756C0000-memory.dmp | 7.7MB
- memory/2372-6-0x0000000074F10000-0x00000000756C0000-memory.dmp | 7.7MB
- memory/2372-7-0x0000000005210000-0x00000000052A2000-memory.dmp | 584KB
- memory/2372-21-0x0000000005700000-0x000000000570A000-memory.dmp | 40KB
- memory/2372-8-0x0000000005350000-0x00000000053EC000-memory.dmp | 624KB
- memory/2372-3-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
- memory/2372-20-0x0000000005490000-0x00000000054AE000-memory.dmp | 120KB
- memory/2372-19-0x0000000005310000-0x000000000531A000-memory.dmp | 40KB
- memory/4984-1-0x0000000000D90000-0x0000000000DE8000-memory.dmp | 352KB
- memory/4984-2-0x00000000056E0000-0x0000000005722000-memory.dmp | 264KB
- memory/4984-14-0x0000000074F10000-0x00000000756C0000-memory.dmp | 7.7MB
- memory/4984-4-0x0000000074F10000-0x00000000756C0000-memory.dmp | 7.7MB
- memory/4984-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp | 4KB