Analysis
- max time kernel: 21s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 03-01-2021 14:39

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Shiping Doc BL.exe, Resource: win7v20201028)
General
- Target: Shiping Doc BL.exe
- Size: 330KB
- MD5: dde408276c4221fb18dbec881a1da4fd
- SHA1: 9e260193d65cc3651d9c7ced09acbc65682f88a4
- SHA256: d64a4482514be4bb53344b4712d850bb5ad28bd589a5cf3f4d2d966d2ea9ef65
- SHA512: f919350c088dd61b1d51db3d2bb91fcad2811055959663e9a826c52866f1bdae7364af31937440f1d6830bd0c17b9e5c80a47a2a4043fcb7e503a1ffbe15d501
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: chinomso.duckdns.org:7688
- Mutex: 5c856c52-5125-42de-9ed3-2389e16da064

Configuration keys
- activate_away_mode: true
- backup_connection_host: chinomso.duckdns.org
- backup_dns_server: chinomso.duckdns.org
- buffer_size: 65535
- build_time: 2020-10-13T03:36:21.868380136Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (omitted)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7688
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5c856c52-5125-42de-9ed3-2389e16da064
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: chinomso.duckdns.org
- primary_dns_server: chinomso.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Shiping Doc BL.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" (process: Shiping Doc BL.exe)
- Checks whether UAC is enabled
  Processes: Shiping Doc BL.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Shiping Doc BL.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Shiping Doc BL.exe
  PID 732 set thread context of 3912 (Shiping Doc BL.exe -> Shiping Doc BL.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes: Shiping Doc BL.exe
  File opened for modification: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe (process: Shiping Doc BL.exe)
  File created: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe (process: Shiping Doc BL.exe)
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: Shiping Doc BL.exe
  PID 3912 Shiping Doc BL.exe (6 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Shiping Doc BL.exe
  PID 3912 Shiping Doc BL.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: Shiping Doc BL.exe
  PID 732 Shiping Doc BL.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Shiping Doc BL.exe
  Token: SeDebugPrivilege, PID 3912 Shiping Doc BL.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: Shiping Doc BL.exe, Shiping Doc BL.exe
  PID 732 wrote to memory of 3912 (Shiping Doc BL.exe -> Shiping Doc BL.exe), 4 occurrences
  PID 3912 wrote to memory of 200 (Shiping Doc BL.exe -> schtasks.exe), 3 occurrences
  PID 3912 wrote to memory of 2384 (Shiping Doc BL.exe -> schtasks.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8E1C.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8F75.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8E1C.tmp
  MD5: e5b205ff4752a7179b051abd1cb3a3d5
  SHA1: bb1aed8d8e1553088f6d682e02f969885d184483
  SHA256: 6b4ea6c52f73ac31be1cff5fde2171a3c8edba6344db1dc4da0aff974d449bc9
  SHA512: b540e223683d33c16152162ae957628ecabe07067c314abad2a691c1918bfcb89ca59ede6e6156957ccc83c5c4869ca3f16bb48603d3b59908b6dfdee5b11613
- C:\Users\Admin\AppData\Local\Temp\tmp8F75.tmp
  MD5: b3b017f9df206021717a11f11d895402
  SHA1: e4ea12823af6550ee634536eec1eb14490580a3b
  SHA256: 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024
  SHA512: 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343
Memory dumps
- memory/200-13-0x0000000000000000-mapping.dmp
- memory/732-4-0x0000000000AB0000-0x0000000000AF8000-memory.dmp (Filesize: 288KB)
- memory/2384-15-0x0000000000000000-mapping.dmp
- memory/3912-17-0x0000000005190000-0x0000000005195000-memory.dmp (Filesize: 20KB)
- memory/3912-21-0x00000000066B0000-0x00000000066C5000-memory.dmp (Filesize: 84KB)
- memory/3912-10-0x0000000004EE0000-0x0000000004EE1000-memory.dmp (Filesize: 4KB)
- memory/3912-11-0x0000000005020000-0x0000000005021000-memory.dmp (Filesize: 4KB)
- memory/3912-12-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (Filesize: 4KB)
- memory/3912-7-0x0000000004D40000-0x0000000004D73000-memory.dmp (Filesize: 204KB)
- memory/3912-6-0x0000000073F90000-0x000000007467E000-memory.dmp (Filesize: 6.9MB)
- memory/3912-5-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
- memory/3912-3-0x000000000040188B-mapping.dmp
- memory/3912-2-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
- memory/3912-18-0x00000000053C0000-0x00000000053D9000-memory.dmp (Filesize: 100KB)
- memory/3912-19-0x0000000005380000-0x0000000005383000-memory.dmp (Filesize: 12KB)
- memory/3912-20-0x0000000005390000-0x000000000539D000-memory.dmp (Filesize: 52KB)
- memory/3912-9-0x00000000053E0000-0x00000000053E1000-memory.dmp (Filesize: 4KB)
- memory/3912-22-0x00000000066D0000-0x00000000066D6000-memory.dmp (Filesize: 24KB)
- memory/3912-23-0x00000000066E0000-0x00000000066EC000-memory.dmp (Filesize: 48KB)
- memory/3912-24-0x00000000066F0000-0x00000000066F7000-memory.dmp (Filesize: 28KB)
- memory/3912-25-0x0000000006700000-0x0000000006706000-memory.dmp (Filesize: 24KB)
- memory/3912-26-0x0000000006710000-0x000000000671D000-memory.dmp (Filesize: 52KB)
- memory/3912-27-0x0000000006720000-0x0000000006729000-memory.dmp (Filesize: 36KB)
- memory/3912-28-0x0000000006730000-0x000000000673F000-memory.dmp (Filesize: 60KB)
- memory/3912-29-0x0000000006750000-0x000000000675A000-memory.dmp (Filesize: 40KB)
- memory/3912-30-0x0000000006770000-0x0000000006799000-memory.dmp (Filesize: 164KB)
- memory/3912-31-0x00000000067A0000-0x00000000067AF000-memory.dmp (Filesize: 60KB)
- memory/3912-32-0x0000000006980000-0x0000000006981000-memory.dmp (Filesize: 4KB)