Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 15-01-2021 13:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: TECHNICAL OFFERS.exe
- Resource: win7v20201028
General
- Target: TECHNICAL OFFERS.exe
- Size: 288KB
- MD5: 7d5e8d9809ed642c031226dc385f98f3
- SHA1: eb5b7f5617e9cac86931c9a6fecff5dce2d975dd
- SHA256: 44b244b665832f11995d435e978ca9cd406c7bc8816e68c23c4a22a51990b0fb
- SHA512: 66e35ba5914b03fbe549f61aec7143daca89655faa60c58556b4038b8db1d03452a3e92cb30519a587ae2964de8c2399e992394e326ab7a401d3fffde8baef2d
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: mystupidfriend.duckdns.org:6578
- Mutex: 32885bce-b113-4152-91c6-9c705cad8fa3
- activate_away_mode: true
- backup_connection_host: mystupidfriend.duckdns.org
- backup_dns_server: mystupidfriend.duckdns.org
- buffer_size: 65535
- build_time: 2020-10-27T08:44:15.324888036Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 6578
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 32885bce-b113-4152-91c6-9c705cad8fa3
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: mystupidfriend.duckdns.org
- primary_dns_server: mystupidfriend.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: TECHNICAL OFFERS.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" | TECHNICAL OFFERS.exe
- Checks whether UAC is enabled
  Processes: TECHNICAL OFFERS.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TECHNICAL OFFERS.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: TECHNICAL OFFERS.exe
  description | pid | process | target process
  PID 1996 set thread context of 2824 | 1996 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: TECHNICAL OFFERS.exe
  description | ioc | process
  File created | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | TECHNICAL OFFERS.exe
  File opened for modification | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | TECHNICAL OFFERS.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  1936 | schtasks.exe
  3292 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: TECHNICAL OFFERS.exe
  pid | process
  2824 | TECHNICAL OFFERS.exe
  2824 | TECHNICAL OFFERS.exe
  2824 | TECHNICAL OFFERS.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: TECHNICAL OFFERS.exe
  pid | process
  2824 | TECHNICAL OFFERS.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes: TECHNICAL OFFERS.exe, TECHNICAL OFFERS.exe, TECHNICAL OFFERS.exe
  pid | process
  492 | TECHNICAL OFFERS.exe
  3176 | TECHNICAL OFFERS.exe
  1996 | TECHNICAL OFFERS.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: TECHNICAL OFFERS.exe
  description | pid | process
  Token: SeDebugPrivilege | 2824 | TECHNICAL OFFERS.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: TECHNICAL OFFERS.exe, TECHNICAL OFFERS.exe, TECHNICAL OFFERS.exe, TECHNICAL OFFERS.exe
  description | pid | process | target process
  PID 492 wrote to memory of 2716 | 492 | TECHNICAL OFFERS.exe | cmd.exe
  PID 492 wrote to memory of 2716 | 492 | TECHNICAL OFFERS.exe | cmd.exe
  PID 492 wrote to memory of 2716 | 492 | TECHNICAL OFFERS.exe | cmd.exe
  PID 492 wrote to memory of 3120 | 492 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 492 wrote to memory of 3120 | 492 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 492 wrote to memory of 3120 | 492 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 492 wrote to memory of 3176 | 492 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 492 wrote to memory of 3176 | 492 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 492 wrote to memory of 3176 | 492 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 3176 wrote to memory of 3028 | 3176 | TECHNICAL OFFERS.exe | cmd.exe
  PID 3176 wrote to memory of 3028 | 3176 | TECHNICAL OFFERS.exe | cmd.exe
  PID 3176 wrote to memory of 3028 | 3176 | TECHNICAL OFFERS.exe | cmd.exe
  PID 3176 wrote to memory of 3688 | 3176 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 3176 wrote to memory of 3688 | 3176 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 3176 wrote to memory of 3688 | 3176 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 3176 wrote to memory of 1996 | 3176 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 3176 wrote to memory of 1996 | 3176 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 3176 wrote to memory of 1996 | 3176 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 1996 wrote to memory of 2816 | 1996 | TECHNICAL OFFERS.exe | cmd.exe
  PID 1996 wrote to memory of 2816 | 1996 | TECHNICAL OFFERS.exe | cmd.exe
  PID 1996 wrote to memory of 2816 | 1996 | TECHNICAL OFFERS.exe | cmd.exe
  PID 1996 wrote to memory of 2824 | 1996 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 1996 wrote to memory of 2824 | 1996 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 1996 wrote to memory of 2824 | 1996 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 1996 wrote to memory of 2824 | 1996 | TECHNICAL OFFERS.exe | TECHNICAL OFFERS.exe
  PID 2824 wrote to memory of 1936 | 2824 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2824 wrote to memory of 1936 | 2824 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2824 wrote to memory of 1936 | 2824 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2824 wrote to memory of 3292 | 2824 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2824 wrote to memory of 3292 | 2824 | TECHNICAL OFFERS.exe | schtasks.exe
  PID 2824 wrote to memory of 3292 | 2824 | TECHNICAL OFFERS.exe | schtasks.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
      - (depth 4) C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp710F.tmp"
          - Creates scheduled task(s)
        - (depth 5) C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp721A.tmp"
          - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp710F.tmp
  MD5: f2eee8cfc479e25d22bbd29ed53c009a
  SHA1: 1fa54cca5b14d3c35c977456a1b706e34069e3aa
  SHA256: 3e1fa2229e7740810a39a25e9087adfb4506250606ffecf5a60a04871569b32f
  SHA512: b655eb4dcae4f1699f6e8a2a3c0c3779a7b9a8286d75764bea4231473421206870d8a1c3e4704af138ebf272fae81dd89444136046c7bbae966c17225f6c2f87
- C:\Users\Admin\AppData\Local\Temp\tmp721A.tmp
  MD5: b3b017f9df206021717a11f11d895402
  SHA1: e4ea12823af6550ee634536eec1eb14490580a3b
  SHA256: 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024
  SHA512: 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343
- memory/1936-18-0x0000000000000000-mapping.dmp
- memory/1996-5-0x0000000000000000-mapping.dmp
- memory/1996-9-0x000000001BDF0000-0x000000001BE38000-memory.dmp (Filesize: 288KB)
- memory/2716-2-0x0000000000000000-mapping.dmp
- memory/2816-6-0x0000000000000000-mapping.dmp
- memory/2824-7-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
- memory/2824-8-0x000000000040188B-mapping.dmp
- memory/2824-12-0x0000000002D10000-0x0000000002D43000-memory.dmp (Filesize: 204KB)
- memory/2824-14-0x00000000058D0000-0x00000000058D1000-memory.dmp (Filesize: 4KB)
- memory/2824-15-0x00000000052E0000-0x00000000052E1000-memory.dmp (Filesize: 4KB)
- memory/2824-16-0x0000000005470000-0x0000000005471000-memory.dmp (Filesize: 4KB)
- memory/2824-17-0x00000000052B0000-0x00000000052B1000-memory.dmp (Filesize: 4KB)
- memory/2824-11-0x0000000073060000-0x000000007374E000-memory.dmp (Filesize: 6.9MB)
- memory/2824-24-0x0000000005840000-0x0000000005843000-memory.dmp (Filesize: 12KB)
- memory/2824-23-0x0000000005650000-0x0000000005669000-memory.dmp (Filesize: 100KB)
- memory/2824-22-0x0000000005460000-0x0000000005465000-memory.dmp (Filesize: 20KB)
- memory/3028-4-0x0000000000000000-mapping.dmp
- memory/3176-3-0x0000000000000000-mapping.dmp
- memory/3292-20-0x0000000000000000-mapping.dmp