Analysis
- max time kernel: 40s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-01-2021 07:27
Static task: static1
Behavioral task: behavioral1
- Sample: parcel_images.exe
- Resource: win7v20201028
General
- Target: parcel_images.exe
- Size: 1.3MB
- MD5: 5f8a97a2c2b464c360a3628c73b88103
- SHA1: 134af6300df733356a3bd6dbe94f42dbfd2f31d8
- SHA256: 74995e87513e47357c351f37565a1422202dace38dc789308d72417b5797b93e
- SHA512: 2fd1f73c6bd869787347d1bdea9d535e6ada26db2aebee0ef9a827d00d76654641a42ddf4763443f9d6181c75d8ed69375e9e52c19b16f50631c56e13382b446
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 69.61.59.215:60003, cldgr.duckdns.org:60003
- Mutex: 0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a
Configuration
- activate_away_mode: false
- backup_connection_host: cldgr.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-08-14T15:52:11.646113636Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 60003
- default_group: winter
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 0c1e37c4-6fe0-4fbd-a4f4-dbf4c0453c4a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 69.61.59.215
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe" (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: parcel_images.exe
  PID 4648 (parcel_images.exe) set thread context of 3156 (RegSvcs.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes: RegSvcs.exe
  File created: C:\Program Files (x86)\WAN Service\wansv.exe (RegSvcs.exe)
  File opened for modification: C:\Program Files (x86)\WAN Service\wansv.exe (RegSvcs.exe)
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 4300), schtasks.exe (PID 3840), schtasks.exe (PID 4088)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: parcel_images.exe, RegSvcs.exe
  PID 4648 parcel_images.exe (3 IoCs); PID 3156 RegSvcs.exe (6 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: RegSvcs.exe
  PID 3156 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: parcel_images.exe, RegSvcs.exe
  Token: SeDebugPrivilege, PID 4648 parcel_images.exe
  Token: SeDebugPrivilege, PID 3156 RegSvcs.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: parcel_images.exe, RegSvcs.exe
  PID 4648 (parcel_images.exe) wrote to memory of 3840 (schtasks.exe): 3 IoCs
  PID 4648 (parcel_images.exe) wrote to memory of 3388 (RegSvcs.exe): 3 IoCs
  PID 4648 (parcel_images.exe) wrote to memory of 3156 (RegSvcs.exe): 8 IoCs
  PID 3156 (RegSvcs.exe) wrote to memory of 4088 (schtasks.exe): 3 IoCs
  PID 3156 (RegSvcs.exe) wrote to memory of 4300 (schtasks.exe): 3 IoCs
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\parcel_images.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\parcel_images.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kWLVXBfTFQKW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBD5A.tmp"
    Signatures: Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    Signatures: Adds Run key to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC096.tmp"
      Signatures: Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC0F5.tmp"
      Signatures: Creates scheduled task(s)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpBD5A.tmp
  MD5: 8aa9af93335e0277c66fa6b25e05517a
  SHA1: dd36799221674f74cfb20ff268a3bd2726831c5d
  SHA256: d02227972a51f196f84e0b196a3f40d3e0c37c0a8591806ae74499430779a92f
  SHA512: b552d543870fc6487a12848566df5f1ceb7415c821e846a723e9eb26f9631e0a858da3cdddd6c1ad04b5ce4de6847d7e97ddd12a79565ec2c2dd6d16ac346cec
- C:\Users\Admin\AppData\Local\Temp\tmpC096.tmp
  MD5: 40b11ef601fb28f9b2e69d36857bf2ec
  SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
  SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
  SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5
- C:\Users\Admin\AppData\Local\Temp\tmpC0F5.tmp
  MD5: eb527779d4a920bac8c3c59e8f4b4b4c
  SHA1: 4c9c48fd4ab89a983c87d810577133dc281160b4
  SHA256: 97a200adfccc855ed435941fe1453a6add1a66b8390d033279c2f1a6a64c26a2
  SHA512: a48c1ca2310a4bceacca90d3b8748fdecc0169738905e0bc62a665ab048c1ae6bb801dc99f0f04d85287993c27bfd0a4e7f59d27a1c233b6662d6ba3ca586da0
- memory/3156-8-0x000000000041E792-mapping.dmp
- memory/3156-7-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/3840-5-0x0000000000000000-mapping.dmp
- memory/4088-9-0x0000000000000000-mapping.dmp
- memory/4300-11-0x0000000000000000-mapping.dmp