Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 01-01-2021 18:48

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Shiping Doc BL.exe
  - Resource: win7v20201028
General
- Target: Shiping Doc BL.exe
- Size: 334KB
- MD5: a0522b3fe3130794e171fa99ad13e5bf
- SHA1: 48f005ad009c98a7e3bac737ff0ba0079acff43c
- SHA256: ea6b74e2f0364ce1b058b8f5d7c078c3f47cb61a546976a5d56e0378c029892c
- SHA512: 1bad6c496c5e89d6b1fefb9ff5de403165574dfe906bd005b377bfb1dd452cb1419d3659c79e5b7b82d8aa792ce195050ba314d1089874a45fe17549ef620958
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: chinomso.duckdns.org:7688
- Mutex: 5c856c52-5125-42de-9ed3-2389e16da064

Configuration keys
- activate_away_mode: true
- backup_connection_host: chinomso.duckdns.org
- backup_dns_server: chinomso.duckdns.org
- buffer_size: 65535
- build_time: 2020-10-13T03:36:21.868380136Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not captured in this extraction)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7688
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5c856c52-5125-42de-9ed3-2389e16da064
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: chinomso.duckdns.org
- primary_dns_server: chinomso.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Shiping Doc BL.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe" | Shiping Doc BL.exe

- Checks whether UAC is enabled
  Processes: Shiping Doc BL.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Shiping Doc BL.exe

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Shiping Doc BL.exe
  description | pid | process | target process
  PID 1284 set thread context of 316 | 1284 | Shiping Doc BL.exe | Shiping Doc BL.exe

- Drops file in Program Files directory (2 IoCs)
  Processes: Shiping Doc BL.exe
  description | ioc | process
  File created | C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe | Shiping Doc BL.exe
  File opened for modification | C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe | Shiping Doc BL.exe

- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1324 | schtasks.exe
  1536 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Shiping Doc BL.exe
  pid | process
  316 | Shiping Doc BL.exe
  316 | Shiping Doc BL.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Shiping Doc BL.exe
  pid | process
  316 | Shiping Doc BL.exe

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Shiping Doc BL.exe, Shiping Doc BL.exe
  pid | process
  1340 | Shiping Doc BL.exe
  1284 | Shiping Doc BL.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Shiping Doc BL.exe
  description | pid | process
  Token: SeDebugPrivilege | 316 | Shiping Doc BL.exe

- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: Shiping Doc BL.exe, Shiping Doc BL.exe, Shiping Doc BL.exe
  description | pid | process | target process
  PID 1340 wrote to memory of 1292 | 1340 | Shiping Doc BL.exe | Shiping Doc BL.exe (4 entries)
  PID 1340 wrote to memory of 1284 | 1340 | Shiping Doc BL.exe | Shiping Doc BL.exe (4 entries)
  PID 1284 wrote to memory of 316 | 1284 | Shiping Doc BL.exe | Shiping Doc BL.exe (5 entries)
  PID 316 wrote to memory of 1324 | 316 | Shiping Doc BL.exe | schtasks.exe (4 entries)
  PID 316 wrote to memory of 1536 | 316 | Shiping Doc BL.exe | schtasks.exe (4 entries)
Processes (tree; depth shown after each command line)
- C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
  "C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe" (depth 1)
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
    "C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe" (depth 2)
  - C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
    "C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe" (depth 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
      "C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe" (depth 3)
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF71.tmp" (depth 4)
        - Creates scheduled task(s)
      - C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB1B4.tmp" (depth 4)
        - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAF71.tmp
  - MD5: e5b205ff4752a7179b051abd1cb3a3d5
  - SHA1: bb1aed8d8e1553088f6d682e02f969885d184483
  - SHA256: 6b4ea6c52f73ac31be1cff5fde2171a3c8edba6344db1dc4da0aff974d449bc9
  - SHA512: b540e223683d33c16152162ae957628ecabe07067c314abad2a691c1918bfcb89ca59ede6e6156957ccc83c5c4869ca3f16bb48603d3b59908b6dfdee5b11613
- C:\Users\Admin\AppData\Local\Temp\tmpB1B4.tmp
  - MD5: 41808f05a9aa523d0ef506d4993f1d6c
  - SHA1: 5a228145decf63ebbbd673c9b7c08a86236a22d4
  - SHA256: f76bd5da395a725b5998efab9a5d3160657cf2d44a8be83fa24af6ba29acf731
  - SHA512: 7cf71f8fd8dccaa8cf2c724afca3178be8b7a6e0cc6e4b44990e96413bd0dac8248e2bcfa1bb82da05efb6c4b46649722c20ce14cf4a44f1720e18732bd9246e

Memory dumps
- memory/316-5-0x000000000040188B-mapping.dmp
- memory/316-7-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize 288KB)
- memory/316-8-0x0000000074480000-0x0000000074B6E000-memory.dmp (Filesize 6.9MB)
- memory/316-9-0x00000000003C0000-0x00000000003F3000-memory.dmp (Filesize 204KB)
- memory/316-4-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize 288KB)
- memory/316-15-0x0000000003F90000-0x0000000003F95000-memory.dmp (Filesize 20KB)
- memory/316-16-0x0000000003FB0000-0x0000000003FC9000-memory.dmp (Filesize 100KB)
- memory/316-17-0x0000000003FA0000-0x0000000003FA3000-memory.dmp (Filesize 12KB)
- memory/1284-6-0x0000000000320000-0x0000000000332000-memory.dmp (Filesize 72KB)
- memory/1284-3-0x0000000000000000-mapping.dmp
- memory/1324-11-0x0000000000000000-mapping.dmp
- memory/1340-2-0x0000000000320000-0x0000000000332000-memory.dmp (Filesize 72KB)
- memory/1536-13-0x0000000000000000-mapping.dmp