Analysis
- max time kernel: 138s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-04-2021 20:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: DHL AWB TRACKNG DETAIL.exe
- Resource: win7v20210408
General
- Target: DHL AWB TRACKNG DETAIL.exe
- Size: 379KB
- MD5: 7936b78bca1d7e23aa203369563ef9e5
- SHA1: ee99523f6456a4ba9d026ecee447116ac43f25ac
- SHA256: 4810afd49cb35f756bab13c854922461be237236e455f7d07b32517cbc95a9a6
- SHA512: bc74f50c35f0007c7bd52b55a501992729fd96e29c8d2646843bd1ab7a20dfaf3d3582176a168ec2f38aab0b2fc9d13aa24745e0a6b24d207132519db5d727a8
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: dunga.duckdns.org:9087
- Mutex: 91b56d86-44e9-4ab8-b650-866edac2901e
- activate_away_mode: true
- backup_connection_host: dunga.duckdns.org
- backup_dns_server: dunga.duckdns.org
- buffer_size: 65535
- build_time: 2021-01-25T17:53:41.406526036Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 9087
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 91b56d86-44e9-4ab8-b650-866edac2901e
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: dunga.duckdns.org
- primary_dns_server: dunga.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    PID 200: 1lK8eDHXOrfuAIz.exe
    PID 3840: CTS.exe
    PID 2728: 1lK8eDHXOrfuAIz.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid / process):
    PID 200: 1lK8eDHXOrfuAIz.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 5 IoCs)
  Processes (description / ioc / process):
    Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (DHL AWB TRACKNG DETAIL.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (DHL AWB TRACKNG DETAIL.exe)
    Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (CTS.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" (CTS.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" (1lK8eDHXOrfuAIz.exe)
- Checks whether UAC is enabled (1 IoCs)
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (1lK8eDHXOrfuAIz.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 200 set thread context of 2728: 1lK8eDHXOrfuAIz.exe -> 1lK8eDHXOrfuAIz.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
    File created: C:\Program Files (x86)\ISS Manager\issmgr.exe (1lK8eDHXOrfuAIz.exe)
    File opened for modification: C:\Program Files (x86)\ISS Manager\issmgr.exe (1lK8eDHXOrfuAIz.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created: C:\Windows\CTS.exe (CTS.exe)
    File created: C:\Windows\CTS.exe (DHL AWB TRACKNG DETAIL.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (6 IoCs)
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe: nsis_installer_1 (3 matches)
    C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe: nsis_installer_2 (3 matches)
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
    PID 3360: schtasks.exe
    PID 2220: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
    PID 2728: 1lK8eDHXOrfuAIz.exe (3 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid / process):
    PID 2728: 1lK8eDHXOrfuAIz.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
    PID 200: 1lK8eDHXOrfuAIz.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege, PID 2672: DHL AWB TRACKNG DETAIL.exe
    Token: SeDebugPrivilege, PID 3840: CTS.exe
    Token: SeDebugPrivilege, PID 2728: 1lK8eDHXOrfuAIz.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description / pid / process / target process):
    PID 2672 wrote to memory of 200: DHL AWB TRACKNG DETAIL.exe -> 1lK8eDHXOrfuAIz.exe (3 entries)
    PID 2672 wrote to memory of 3840: DHL AWB TRACKNG DETAIL.exe -> CTS.exe (3 entries)
    PID 200 wrote to memory of 2728: 1lK8eDHXOrfuAIz.exe -> 1lK8eDHXOrfuAIz.exe (4 entries)
    PID 2728 wrote to memory of 3360: 1lK8eDHXOrfuAIz.exe -> schtasks.exe (3 entries)
    PID 2728 wrote to memory of 2220: 1lK8eDHXOrfuAIz.exe -> schtasks.exe (3 entries)
Processes (process tree; the bracketed number is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKNG DETAIL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKNG DETAIL.exe"
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp"
                - Creates scheduled task(s)
            [4] C:\Windows\SysWOW64\schtasks.exe
                Command line: "schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1E4C.tmp"
                - Creates scheduled task(s)
    [2] C:\Windows\CTS.exe
        Command line: "C:\Windows\CTS.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
  MD5: ad87becb87d4e0d8b6e026219159e9ee
  SHA1: b800f8be72d8cfd4710d2fe1947a3abc88489b19
  SHA256: 29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464
  SHA512: 3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2
- C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp
  MD5: ec1ec9bbee42428fedff60bfdab0dac4
  SHA1: ae3e9d8ea3ecd927f607c036665366529e515f24
  SHA256: a3d90180e62b24e5d419afc3b9aebfad612d8f607bc93fedae2bb653a56d48cc
  SHA512: 6c291348927fa047dbd92f00ac608cf871ba10eefa5ca4781904503a5c5c4df6f3a377495188f50fe721d4a2df7ca7c5c4cd59340e96e821d91a6958c72c75f9
- C:\Users\Admin\AppData\Local\Temp\tmp1E4C.tmp
  MD5: ea7095fa975a5ac043c9de2899ce61d0
  SHA1: ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3
  SHA256: 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f
  SHA512: b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb
- C:\Windows\CTS.exe
  MD5: 9471f0a5c13a6d9b41f142d876b46d86
  SHA1: df13ce5f8351670562e1a312daad44783d2fa547
  SHA256: a7d8a643f929a3d92bea8e707b6943a0b45e11731a9f29fb1c942bb4b3aff4a1
  SHA512: 34579c1b9eea8181fa7bf8e5ca5d7fd687395104aa9fe7f5f38e55f024e6b08e595bd896d76f5485bf72defb140a3d13bab7d84b1ad481f66860e51493db8c85
- \Users\Admin\AppData\Local\Temp\nsl163F.tmp\lzif.dll
  MD5: dd633261c7161397c1b12fdecc998ca6
  SHA1: c8cd6e6887d98e9a002524060811f1c4d77d7df4
  SHA256: ba421cfcb6fef46bd0f3a24ef4640a1c844bfede46642c2a4c7552ecb5f38358
  SHA512: c51aa33de9a73af3daeb380a1b36fe8bce849ade2c5f187cccf41e2cf150e179274d6a0aa854f38f005c5ce660a97592fe68d7ebf3c2731713133f0ec2a8de94
- memory/200-121-0x00000000021A0000-0x00000000021A1000-memory.dmp (Filesize: 4KB)
- memory/200-114-0x0000000000000000-mapping.dmp
- memory/200-122-0x00000000021A1000-0x00000000021A3000-memory.dmp (Filesize: 8KB)
- memory/2220-137-0x0000000000000000-mapping.dmp
- memory/2728-128-0x0000000004DF0000-0x0000000004DF1000-memory.dmp (Filesize: 4KB)
- memory/2728-134-0x0000000002370000-0x0000000002371000-memory.dmp (Filesize: 4KB)
- memory/2728-129-0x0000000004ED0000-0x0000000004ED1000-memory.dmp (Filesize: 4KB)
- memory/2728-130-0x0000000000400000-0x0000000000448000-memory.dmp (Filesize: 288KB)
- memory/2728-131-0x00000000022A0000-0x00000000022A1000-memory.dmp (Filesize: 4KB)
- memory/2728-132-0x00000000022A2000-0x00000000022A3000-memory.dmp (Filesize: 4KB)
- memory/2728-133-0x00000000022A3000-0x00000000022A4000-memory.dmp (Filesize: 4KB)
- memory/2728-123-0x000000000040188B-mapping.dmp
- memory/2728-142-0x00000000022A4000-0x00000000022A5000-memory.dmp (Filesize: 4KB)
- memory/2728-127-0x00000000048F0000-0x00000000048F1000-memory.dmp (Filesize: 4KB)
- memory/2728-125-0x00000000022B0000-0x00000000022E3000-memory.dmp (Filesize: 204KB)
- memory/2728-141-0x0000000005820000-0x0000000005823000-memory.dmp (Filesize: 12KB)
- memory/2728-139-0x0000000005660000-0x0000000005665000-memory.dmp (Filesize: 20KB)
- memory/2728-140-0x00000000056F0000-0x0000000005709000-memory.dmp (Filesize: 100KB)
- memory/3360-135-0x0000000000000000-mapping.dmp
- memory/3840-116-0x0000000000000000-mapping.dmp