Overview

overview

10

Static

static

DHL_docume...11.exe

windows7_x64

10

DHL_docume...11.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-10-2021 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL_document11022020680908911.exe

  • Size

    215KB

  • MD5

    f5740e959f892407f13054de42748917

  • SHA1

    ff4f01986dae809ebfbb807fbc88301dd5e7a23a

  • SHA256

    8bd97a0d17f61d747de38b520274c6afcb52cf89ce87a1818866428f1416ef1c

  • SHA512

    8172375d875d13c37f47bef437eb7bb46c92c57fabe01b67976d557bfcca42ff142b2194b3a675dd4bb6808b73a454984963784741fe3e3a0763e3d7d52d7b60

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

195.133.18.136:3106

youngsouth.duckdns.org:3106
Mutex

57234f5b-55f8-460c-8f66-69edf39e1138

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    youngsouth.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-07-23T14:15:23.128199136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    3106

  • default_group

    October

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    57234f5b-55f8-460c-8f66-69edf39e1138

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    195.133.18.136

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Possible NanoCore C2 60B

    suricata: ET MALWARE Possible NanoCore C2 60B

    suricata
  • Nirsoft 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe"
    1⤵
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe" /SpecialRun 4101d8 1840
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1932
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe" -Force
      2⤵
        PID:1688
      • C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe"
        2⤵
          PID:616
        • C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe
          "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe"
          2⤵
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:864
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 1924
          2⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1144

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Bypass User Account Control

      1
      T1088

      Defense Evasion

      Modify Registry

      6
      T1112

      Disabling Security Tools

      4
      T1089

      Bypass User Account Control

      1
      T1088

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        MD5

        d896db2933995806a11072795130f8da

        SHA1

        1eb6a397ac02d93720b1b49c84a2fe2c971f1ad4

        SHA256

        2a49c602d9c80572f4d6212cb43d680e0387b6c6197b3d0ba27faa9ccb790c04

        SHA512

        8f08ecd6722aa71eff7b16699865463b0074b6dfdeaf68a67b758dc0e10dc39617841dd375e8f69506c326632936a976afd9dba1855b28cb8cc557c7111cfff8

        Download Submit
      • \Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • \Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • \Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • \Users\Admin\AppData\Local\Temp\2bf098b3-4cee-40f5-aa4f-0e39d131a34d\AdvancedRun.exe
        MD5

        17fc12902f4769af3a9271eb4e2dacce

        SHA1

        9a4a1581cc3971579574f837e110f3bd6d529dab

        SHA256

        29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

        SHA512

        036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

        Download Submit
      • memory/840-123-0x00000000060A0000-0x00000000060A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-134-0x00000000055D0000-0x00000000055D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-124-0x00000000060E0000-0x00000000060E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-125-0x000000007EF30000-0x000000007EF31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-86-0x00000000049B0000-0x00000000049B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-76-0x0000000000000000-mapping.dmp
        Download
      • memory/840-118-0x00000000056B0000-0x00000000056B1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-115-0x00000000052A0000-0x00000000052A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-103-0x0000000001050000-0x0000000001051000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-100-0x00000000049B2000-0x00000000049B3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/840-133-0x0000000006280000-0x0000000006281000-memory.dmp
        Filesize

        4KB

        Download
      • memory/864-107-0x0000000000B30000-0x0000000000B36000-memory.dmp
        Filesize

        24KB

        Download
      • memory/864-102-0x0000000000570000-0x000000000057D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/864-80-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/864-114-0x0000000000CC0000-0x0000000000CCF000-memory.dmp
        Filesize

        60KB

        Download
      • memory/864-83-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/864-85-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/864-113-0x0000000000BE0000-0x0000000000C09000-memory.dmp
        Filesize

        164KB

        Download
      • memory/864-91-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/864-112-0x0000000000BC0000-0x0000000000BCA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/864-96-0x0000000000490000-0x0000000000495000-memory.dmp
        Filesize

        20KB

        Download
      • memory/864-97-0x00000000004A0000-0x00000000004B9000-memory.dmp
        Filesize

        100KB

        Download
      • memory/864-98-0x0000000000500000-0x0000000000503000-memory.dmp
        Filesize

        12KB

        Download
      • memory/864-111-0x0000000000B70000-0x0000000000B7F000-memory.dmp
        Filesize

        60KB

        Download
      • memory/864-101-0x0000000004730000-0x0000000004731000-memory.dmp
        Filesize

        4KB

        Download
      • memory/864-82-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/864-81-0x0000000000400000-0x000000000043A000-memory.dmp
        Filesize

        232KB

        Download
      • memory/864-104-0x0000000000A60000-0x0000000000A75000-memory.dmp
        Filesize

        84KB

        Download
      • memory/864-87-0x000000000041E792-mapping.dmp
        Download
      • memory/864-105-0x0000000000A80000-0x0000000000A86000-memory.dmp
        Filesize

        24KB

        Download
      • memory/864-106-0x0000000000AD0000-0x0000000000ADC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/864-110-0x0000000000B60000-0x0000000000B69000-memory.dmp
        Filesize

        36KB

        Download
      • memory/864-108-0x0000000000B40000-0x0000000000B47000-memory.dmp
        Filesize

        28KB

        Download
      • memory/864-109-0x0000000000B50000-0x0000000000B5D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/1144-95-0x0000000000000000-mapping.dmp
        Download
      • memory/1144-126-0x0000000000A00000-0x0000000000A3C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/1652-64-0x00000000005E0000-0x0000000000679000-memory.dmp
        Filesize

        612KB

        Download
      • memory/1652-2-0x0000000076641000-0x0000000076643000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1652-0-0x0000000001270000-0x0000000001271000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1652-3-0x0000000004B80000-0x0000000004B81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-93-0x0000000004800000-0x0000000004801000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-78-0x0000000000000000-mapping.dmp
        Download
      • memory/1688-88-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-89-0x0000000001140000-0x0000000001141000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1688-99-0x0000000001142000-0x0000000001143000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1840-67-0x0000000000000000-mapping.dmp
        Download
      • memory/1932-73-0x0000000000000000-mapping.dmp
        Download