Analysis
max time kernel: 148s
max time network: 151s
platform: windows7_x64
resource: win7v20210410
submitted: 22-07-2021 04:49
Static task: static1
Behavioral task: behavioral1
Sample: DHL Delivery Details.exe
Resource: win7v20210410
General
Target: DHL Delivery Details.exe
Size: 1.3MB
MD5: c340e5c9b74e0b154602372e9f65f005
SHA1: 94e113dcb8273d9b0645cbfd99a49b5f0dbb6dbc
SHA256: ed272b8224137d8c590dc8623e1d7e024dd372d00cee1c2a3dac035d2aa8ffbc
SHA512: b174ffc70d299dd3aa90460e4d3bcf1f8794da9d61dd4e50a4eb6bf16060722280ca611b4c9f09b87af5e14a711b206e459dbb4225ae14ff5d48eddab6bc3561
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 23.105.131.230:21180
C2: gintex.ddns.net:21180
Mutex: d02ab855-af92-413e-97e9-f7830911e832
Attributes:
activate_away_mode: true
backup_connection_host: gintex.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2021-05-01T12:46:53.543931936Z
bypass_user_account_control: false
bypass_user_account_control_data (base64-encoded scheduled task XML):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 21180
default_group: kardinal2021
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: d02ab855-af92-413e-97e9-f7830911e832
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: 23.105.131.230
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe" | RegSvcs.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes: DHL Delivery Details.exe
  description | pid | process | target process
  PID 1240 set thread context of 616 | 1240 | DHL Delivery Details.exe | RegSvcs.exe

- Drops file in Program Files directory (2 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  File created | C:\Program Files (x86)\LAN Host\lanhost.exe | RegSvcs.exe
  File opened for modification | C:\Program Files (x86)\LAN Host\lanhost.exe | RegSvcs.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid | process
  552 | schtasks.exe
  828 | schtasks.exe
  384 | schtasks.exe

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: DHL Delivery Details.exe, RegSvcs.exe
  pid | process
  1240 | DHL Delivery Details.exe
  616 | RegSvcs.exe (3 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: RegSvcs.exe
  pid | process
  616 | RegSvcs.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: DHL Delivery Details.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 1240 | DHL Delivery Details.exe
  Token: SeDebugPrivilege | 616 | RegSvcs.exe

- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: DHL Delivery Details.exe, RegSvcs.exe
  description | pid | process | target process
  PID 1240 wrote to memory of 552 | 1240 | DHL Delivery Details.exe | schtasks.exe (4 entries)
  PID 1240 wrote to memory of 616 | 1240 | DHL Delivery Details.exe | RegSvcs.exe (12 entries)
  PID 616 wrote to memory of 828 | 616 | RegSvcs.exe | schtasks.exe (4 entries)
  PID 616 wrote to memory of 384 | 616 | RegSvcs.exe | schtasks.exe (4 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\DHL Delivery Details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Details.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BsUBNSmzi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA110.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA555.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\tmpA110.tmp
  MD5: 413672d5fd8479caee5e21dbac12b81d
  SHA1: 74e420d4befc01c29ba6ec8be397ecffdd76694d
  SHA256: 785fc8ba98fb8c40942b0c571c941936666f0e2b6754ee516b705356af460d59
  SHA512: f1280e4d43af06fa67850f8c913b40443ba45d6477287df8377fda6308b10d9343367534d9930fd0626184c10495049f88ff3ecec437b20b1e39e8e790bbb7fa
- C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp
  MD5: 8cad1b41587ced0f1e74396794f31d58
  SHA1: 11054bf74fcf5e8e412768035e4dae43aa7b710f
  SHA256: 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
  SHA512: 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef
- C:\Users\Admin\AppData\Local\Temp\tmpA555.tmp
  MD5: 54865f98871478b2b88b7f8aa6100915
  SHA1: 6f8667f1ce25cebee2a7b460668736ff6bcfac54
  SHA256: 287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e
  SHA512: caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493
- memory/384-73-0x0000000000000000-mapping.dmp
- memory/552-65-0x0000000000000000-mapping.dmp
- memory/616-68-0x000000000041E792-mapping.dmp
- memory/616-76-0x0000000000440000-0x0000000000459000-memory.dmp  Filesize: 100KB
- memory/616-67-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
- memory/616-79-0x0000000004DC5000-0x0000000004DD6000-memory.dmp  Filesize: 68KB
- memory/616-69-0x0000000000400000-0x0000000000438000-memory.dmp  Filesize: 224KB
- memory/616-78-0x0000000004DC0000-0x0000000004DC1000-memory.dmp  Filesize: 4KB
- memory/616-77-0x00000000003F0000-0x00000000003F3000-memory.dmp  Filesize: 12KB
- memory/616-75-0x00000000003E0000-0x00000000003E5000-memory.dmp  Filesize: 20KB
- memory/828-71-0x0000000000000000-mapping.dmp
- memory/1240-61-0x0000000004D30000-0x0000000004D31000-memory.dmp  Filesize: 4KB
- memory/1240-62-0x0000000000410000-0x0000000000412000-memory.dmp  Filesize: 8KB
- memory/1240-64-0x0000000008080000-0x00000000080F2000-memory.dmp  Filesize: 456KB
- memory/1240-63-0x0000000007DB0000-0x0000000007E70000-memory.dmp  Filesize: 768KB
- memory/1240-59-0x0000000000180000-0x0000000000181000-memory.dmp  Filesize: 4KB