Analysis
Max time kernel: 146s
Max time network: 147s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 08-01-2021 17:27

Static task: static1
Behavioral task: behavioral1
Sample: shipping order#.scr
Resource: win7v20201028
General
Target: shipping order#.scr
Size: 2.7MB
MD5: a916070df947a28ea73074c080189d35
SHA1: 2c4215352fecfbd74b596f1125177f54cd010a4b
SHA256: b657538bf8bc1aca7ca8e7e02f1c5a39cbc8bc343bf7c5ebfe026f6dcc02fe32
SHA512: 3d5b554c97d6a093f6ce94b8c5d681438f5f4b74df391468e8adf36a7ab2b599b0ee49dcf7c57fb9aab03509d3f6a07747d94e05929eaaf627aa18d170abfc4e
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 1.ispnano.dns-cloud.net:10004
Mutex: db5d3893-53a7-40c5-9e07-c472ba23289f
Attributes:
- activate_away_mode: true
- backup_connection_host: 1.ispnano.dns-cloud.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-10-19T23:27:30.974613536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 10004
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: db5d3893-53a7-40c5-9e07-c472ba23289f
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 1.ispnano.dns-cloud.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: shipping order#.scr
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\shipping order#.scr\"" | shipping order#.scr

Turns off Windows Defender SpyNet reporting (2 TTPs)

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: shipping order#.scr
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | shipping order#.scr
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | shipping order#.scr

Drops startup file (2 IoCs)
Processes: shipping order#.scr
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr | shipping order#.scr
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr | shipping order#.scr

Windows security modification
Processes: shipping order#.scr
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | shipping order#.scr
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | shipping order#.scr
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | shipping order#.scr
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | shipping order#.scr
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | shipping order#.scr
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | shipping order#.scr
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | shipping order#.scr
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | shipping order#.scr
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr = "0" | shipping order#.scr
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\shipping order#.scr = "0" | shipping order#.scr
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | shipping order#.scr

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: shipping order#.scr, shipping order#.scr
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shipping order#.scr" | shipping order#.scr
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\shipping order#.scr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\shipping order#.scr" | shipping order#.scr
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" | shipping order#.scr

Checks whether UAC is enabled
Processes: shipping order#.scr
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | shipping order#.scr

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: shipping order#.scr
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | shipping order#.scr
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | shipping order#.scr

Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
Processes: shipping order#.scr
pid | process | hits
528 | shipping order#.scr | 15

Suspicious use of SetThreadContext (1 IoC)
Processes: shipping order#.scr
description | pid | process | target process
PID 528 set thread context of 2936 | 528 | shipping order#.scr | shipping order#.scr

Drops file in Program Files directory (2 IoCs)
Processes: shipping order#.scr
description | ioc | process
File opened for modification | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | shipping order#.scr
File created | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | shipping order#.scr

Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
1724 | 528 | WerFault.exe | shipping order#.scr

Delays execution with timeout.exe (3 IoCs)
Processes: timeout.exe, timeout.exe, timeout.exe
pid | process
2916 | timeout.exe
3828 | timeout.exe
2504 | timeout.exe

Suspicious behavior: EnumeratesProcesses (37 IoCs)
Processes: powershell.exe (x4), shipping order#.scr (x2), WerFault.exe
pid | process | hits
2928 | powershell.exe | 3
188 | powershell.exe | 3
2840 | powershell.exe | 3
3528 | powershell.exe | 3
528 | shipping order#.scr | 3
2936 | shipping order#.scr | 6
1724 | WerFault.exe | 16

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: shipping order#.scr
pid | process
2936 | shipping order#.scr

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes: shipping order#.scr, powershell.exe (x4), WerFault.exe, shipping order#.scr
description | pid | process
Token: SeDebugPrivilege | 528 | shipping order#.scr
Token: SeDebugPrivilege | 2840 | powershell.exe
Token: SeDebugPrivilege | 2928 | powershell.exe
Token: SeDebugPrivilege | 3528 | powershell.exe
Token: SeDebugPrivilege | 188 | powershell.exe
Token: SeRestorePrivilege | 1724 | WerFault.exe
Token: SeBackupPrivilege | 1724 | WerFault.exe
Token: SeDebugPrivilege | 2936 | shipping order#.scr
Token: SeDebugPrivilege | 1724 | WerFault.exe

Suspicious use of WriteProcessMemory (38 IoCs)
Processes: shipping order#.scr, cmd.exe (x3)
description | pid | process | target process | hits
PID 528 wrote to memory of 2840 | 528 | shipping order#.scr | powershell.exe | 3
PID 528 wrote to memory of 3528 | 528 | shipping order#.scr | powershell.exe | 3
PID 528 wrote to memory of 2928 | 528 | shipping order#.scr | powershell.exe | 3
PID 528 wrote to memory of 188 | 528 | shipping order#.scr | powershell.exe | 3
PID 528 wrote to memory of 2276 | 528 | shipping order#.scr | cmd.exe | 3
PID 2276 wrote to memory of 2916 | 2276 | cmd.exe | timeout.exe | 3
PID 528 wrote to memory of 1824 | 528 | shipping order#.scr | cmd.exe | 3
PID 1824 wrote to memory of 3828 | 1824 | cmd.exe | timeout.exe | 3
PID 528 wrote to memory of 3460 | 528 | shipping order#.scr | cmd.exe | 3
PID 3460 wrote to memory of 2504 | 3460 | cmd.exe | timeout.exe | 3
PID 528 wrote to memory of 2936 | 528 | shipping order#.scr | shipping order#.scr | 8
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\shipping order#.scr
Command line: "C:\Users\Admin\AppData\Local\Temp\shipping order#.scr" /S
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping order#.scr" -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\timeout.exe
    Command line: timeout 1
    - Delays execution with timeout.exe

  Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\timeout.exe
    Command line: timeout 1
    - Delays execution with timeout.exe

  Depth 2: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c timeout 1
  - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\timeout.exe
    Command line: timeout 1
    - Delays execution with timeout.exe

  Depth 2: C:\Users\Admin\AppData\Local\Temp\shipping order#.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping order#.scr"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

  Depth 2: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 2324
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive