Analysis

- max time kernel: 44s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 16-04-2021 21:51

Static task: static1
Behavioral task: behavioral1
  Sample: receipt.exe
  Resource: win7v20210410
General

- Target: receipt.exe
- Size: 878KB
- MD5: 14e1ad7305a1a922bbfb27648409cece
- SHA1: c8dde3f6c66237043e38e666305b103da6869367
- SHA256: 86059a4b84489fb1b625b1eb2bdabcd88fb4226fb04b769fddfe0fbec40c28b5
- SHA512: b5cf896bd1b270db3dead0c15a746a191eb83af62034d96690e0381a9aa2a059d9cf039c6f86f5b8b6e0cc0b507363d41777589c14d2c157fd4ea61d7b9ac1d4
Malware Config

Extracted
  Family: nanocore
  Version: 1.2.2.0
  C2: cldgr.duckdns.org:8008, 127.0.0.1:8008
  Mutex: e05d61c5-9a4c-422d-885b-a239d0634e5c
Attributes
  - activate_away_mode: true
  - backup_connection_host: 127.0.0.1
  - backup_dns_server: 8.8.4.4
  - buffer_size: 65535
  - build_time: 2020-12-22T19:42:47.139515236Z
  - bypass_user_account_control: false
  - bypass_user_account_control_data: (value not shown on the page)
  - clear_access_control: true
  - clear_zone_identifier: false
  - connect_delay: 4000
  - connection_port: 8008
  - default_group: Default
  - enable_debug_mode: true
  - gc_threshold: 1.048576e+07
  - keep_alive_timeout: 30000
  - keyboard_logging: false
  - lan_timeout: 2500
  - max_packet_size: 1.048576e+07
  - mutex: e05d61c5-9a4c-422d-885b-a239d0634e5c
  - mutex_timeout: 5000
  - prevent_system_sleep: false
  - primary_connection_host: cldgr.duckdns.org
  - primary_dns_server: 8.8.8.8
  - request_elevation: true
  - restart_delay: 5000
  - run_delay: 0
  - run_on_startup: false
  - set_critical_process: true
  - timeout_interval: 5000
  - use_custom_dns_server: false
  - version: 1.2.2.0
  - wan_timeout: 8000
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe" | receipt.exe

- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | receipt.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 624 set thread context of 4028 | 624 | receipt.exe | receipt.exe

- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\UPNP Subsystem\upnpss.exe | receipt.exe
    File opened for modification | C:\Program Files (x86)\UPNP Subsystem\upnpss.exe | receipt.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
    1160 | schtasks.exe
    980 | schtasks.exe
    916 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid | process):
    624 | receipt.exe
    4028 | receipt.exe (6 occurrences)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
    4028 | receipt.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 624 | receipt.exe
    Token: SeDebugPrivilege | 4028 | receipt.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process):
    PID 624 wrote to memory of 916 | 624 | receipt.exe | schtasks.exe (3 occurrences)
    PID 624 wrote to memory of 4028 | 624 | receipt.exe | receipt.exe (8 occurrences)
    PID 4028 wrote to memory of 1160 | 4028 | receipt.exe | schtasks.exe (3 occurrences)
    PID 4028 wrote to memory of 980 | 4028 | receipt.exe | schtasks.exe (3 occurrences)
Processes

C:\Users\Admin\AppData\Local\Temp\receipt.exe  "C:\Users\Admin\AppData\Local\Temp\receipt.exe"  (PID 624)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGgdCdbL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27EB.tmp"  (PID 916)
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\receipt.exe  "{path}"  (PID 4028)
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  "schtasks.exe" /create /f /tn "UPNP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FAC.tmp"  (PID 1160)
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe  "schtasks.exe" /create /f /tn "UPNP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp300B.tmp"  (PID 980)
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads