Analysis
- max time kernel: 46s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-01-2021 07:27
- Static task: static1
- Behavioral task: behavioral1
- Sample: parcel_images.exe
- Resource: win7v20201028
General
- Target: parcel_images.exe
- Size: 1.3MB
- MD5: 5f8a97a2c2b464c360a3628c73b88103
- SHA1: 134af6300df733356a3bd6dbe94f42dbfd2f31d8
- SHA256: 74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
- SHA512: 2fd1f73c6bd869787347d1bdea9d535e6ada26db2aebee0ef9a827d00d76654641a42ddf4763443f9d6181c75d8ed69375e9e52c19b16f50631c56e13382b446
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2 (host:port): 69.61.59.215:60003
- C2 (host:port): cldgr.duckdns.org:60003
- Mutex: 0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a
Configuration keys:
- activate_away_mode: false
- backup_connection_host: cldgr.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-08-14T15:52:11.646113636Z
- bypass_user_account_control: false
- bypass_user_account_control_data: [value not present on the page]
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 60003
- default_group: winter
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 69.61.59.215
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str) by RegSvcs.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1580 (parcel_images.exe) set thread context of PID 1124 (RegSvcs.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - File created by RegSvcs.exe: C:\Program Files (x86)\WPA Host\wpahost.exe
  - File opened for modification by RegSvcs.exe: C:\Program Files (x86)\WPA Host\wpahost.exe
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
  - PID 1408 schtasks.exe
  - PID 576 schtasks.exe
  - PID 1640 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  - PID 1580 parcel_images.exe (3 entries)
  - PID 1124 RegSvcs.exe (6 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1124 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1580 parcel_images.exe
  - Token: SeDebugPrivilege, PID 1124 RegSvcs.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes:
  - PID 1580 (parcel_images.exe) wrote to memory of PID 1408 (schtasks.exe): 4 entries
  - PID 1580 (parcel_images.exe) wrote to memory of PID 268 (RegSvcs.exe): 7 entries
  - PID 1580 (parcel_images.exe) wrote to memory of PID 1124 (RegSvcs.exe): 12 entries
  - PID 1124 (RegSvcs.exe) wrote to memory of PID 576 (schtasks.exe): 4 entries
  - PID 1124 (RegSvcs.exe) wrote to memory of PID 1640 (schtasks.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\parcel_images.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\parcel_images.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kWLVXBfTFQKW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9138.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9482.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp951F.tmp"
      - Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9138.tmp
  MD5: 3837fb8aeb5898369e603bf7d466198a
  SHA1: 6642ae22087fffef3409d400312e8dfc598e0604
  SHA256: 52055760720fe87844e3e38cb472e91404bcbfe176a42f830885d67dd6d01fb0
  SHA512: 4f4495ef640dd1c5922c89e5c1945ff8d1ac605627bb8431116ab5ac962ee161c9731209cff33f5bfa5b156fda41560d8686506e09a8cfec8dab6ae5882906d3
- C:\Users\Admin\AppData\Local\Temp\tmp9482.tmp
  MD5: 40b11ef601fb28f9b2e69d36857bf2ec
  SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
  SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
  SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5
- C:\Users\Admin\AppData\Local\Temp\tmp951F.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd
- memory/576-14-0x0000000000000000-mapping.dmp
- memory/1124-11-0x000000000041E792-mapping.dmp
- memory/1124-10-0x0000000000400000-0x000000000043A000-memory.dmp (filesize 232KB)
- memory/1124-12-0x0000000000400000-0x000000000043A000-memory.dmp (filesize 232KB)
- memory/1124-13-0x0000000000400000-0x000000000043A000-memory.dmp (filesize 232KB)
- memory/1408-8-0x0000000000000000-mapping.dmp
- memory/1640-16-0x0000000000000000-mapping.dmp