Analysis
- max time kernel: 103s
- max time network: 196s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 14-10-2021 10:14

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: DHL TRACKING DETAILS.exe, Resource: win7v20210408)
General
- Target: DHL TRACKING DETAILS.exe
- Size: 375KB
- MD5: c83f7a1a326f7b47ec13eebea020a467
- SHA1: 90c2c4514dad7500f64ef90807841141cab506d4
- SHA256: 56f1040045ad7e244e7825dfb1c8d6a4714811511cc4c72d73d5c13c7411a168
- SHA512: a5cfec49d6eb08f01bfdfa66cb2a3eb83221c48484efcb80f8a2d7802f92941ad8e21883e72cc0a4235f7bb758337b35a6868fcbb2fbda595d5d32cea1700a7a
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: chinomso.duckdns.org:7688
- Mutex: bee718f3-e47a-44f8-955e-2fe2c6c0351c

Attributes
- activate_away_mode: true
- backup_connection_host: chinomso.duckdns.org
- backup_dns_server: chinomso.duckdns.org
- buffer_size: 65535
- build_time: 2021-01-17T14:27:22.436365536Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (not shown)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7688
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: bee718f3-e47a-44f8-955e-2fe2c6c0351c
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: chinomso.duckdns.org
- primary_dns_server: chinomso.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe" | DHL TRACKING DETAILS.exe

Checks whether UAC is enabled (1 IoC)
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DHL TRACKING DETAILS.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
- PID 1472 set thread context of 1504 | 1472 | DHL TRACKING DETAILS.exe | DHL TRACKING DETAILS.exe

Drops file in Program Files directory (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Program Files (x86)\DPI Service\dpisv.exe | DHL TRACKING DETAILS.exe
- File opened for modification | C:\Program Files (x86)\DPI Service\dpisv.exe | DHL TRACKING DETAILS.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
- 1632 | schtasks.exe
- 1776 | schtasks.exe
- 1808 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid | process):
- 1504 | DHL TRACKING DETAILS.exe (4 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
- 1504 | DHL TRACKING DETAILS.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1504 | DHL TRACKING DETAILS.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes (description | pid | process | target process | occurrences):
- PID 1472 wrote to memory of 1632 | 1472 | DHL TRACKING DETAILS.exe | schtasks.exe | 4
- PID 1472 wrote to memory of 1504 | 1472 | DHL TRACKING DETAILS.exe | DHL TRACKING DETAILS.exe | 9
- PID 1504 wrote to memory of 1776 | 1504 | DHL TRACKING DETAILS.exe | schtasks.exe | 4
- PID 1504 wrote to memory of 1808 | 1504 | DHL TRACKING DETAILS.exe | schtasks.exe | 4
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VwBkiqeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3811.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3CA3.tmp"
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3E59.tmp"
          - Creates scheduled task(s)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3CA3.tmp
- MD5: 473927eecfadb18098e36c3a1158a9c3
- SHA1: b04a7ceb104d6256ddb3e93810c4fae339c1066d
- SHA256: e483766a8138bf4dbffe48eeb9074cff494a56de667d853442556d91f70de908
- SHA512: 4c832369091bb92bc30d4f4d34ea9812c2506a0716dc5f8057bd10287bbe3436432dd824dcbb57b37a66bdb24881df9eca276c6ef7f6f6eb7a8241ef009074eb

C:\Users\Admin\AppData\Local\Temp\tmp3E59.tmp
- MD5: a9af285136db016a568e4a53208f21d0
- SHA1: e1afef2b7ee8ae945353315daa19a15574b435b7
- SHA256: 7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c
- SHA512: 80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e
Memory dumps (file | size)
- memory/1472-61-0x00000000757C1000-0x00000000757C3000-memory.dmp | 8KB
- memory/1472-62-0x0000000004EA0000-0x0000000004EA1000-memory.dmp | 4KB
- memory/1472-63-0x0000000000370000-0x0000000000375000-memory.dmp | 20KB
- memory/1472-64-0x0000000004FC0000-0x0000000005015000-memory.dmp | 340KB
- memory/1472-59-0x0000000000A20000-0x0000000000A21000-memory.dmp | 4KB
- memory/1504-85-0x00000000008A0000-0x00000000008AC000-memory.dmp | 48KB
- memory/1504-87-0x00000000008C0000-0x00000000008C6000-memory.dmp | 24KB
- memory/1504-69-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
- memory/1504-70-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
- memory/1504-71-0x000000000041E792-mapping.dmp
- memory/1504-72-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
- memory/1504-74-0x0000000004D50000-0x0000000004D51000-memory.dmp | 4KB
- memory/1504-93-0x0000000000960000-0x000000000096F000-memory.dmp | 60KB
- memory/1504-67-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
- memory/1504-92-0x00000000009F0000-0x0000000000A19000-memory.dmp | 164KB
- memory/1504-66-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
- memory/1504-79-0x0000000000440000-0x0000000000445000-memory.dmp | 20KB
- memory/1504-80-0x0000000000450000-0x0000000000469000-memory.dmp | 100KB
- memory/1504-81-0x0000000000470000-0x0000000000473000-memory.dmp | 12KB
- memory/1504-82-0x0000000000620000-0x000000000062D000-memory.dmp | 52KB
- memory/1504-83-0x0000000000630000-0x0000000000645000-memory.dmp | 84KB
- memory/1504-84-0x0000000000840000-0x0000000000846000-memory.dmp | 24KB
- memory/1504-91-0x0000000000940000-0x000000000094A000-memory.dmp | 40KB
- memory/1504-86-0x00000000008B0000-0x00000000008B7000-memory.dmp | 28KB
- memory/1504-68-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB
- memory/1504-88-0x00000000008D0000-0x00000000008DD000-memory.dmp | 52KB
- memory/1504-89-0x00000000008E0000-0x00000000008E9000-memory.dmp | 36KB
- memory/1504-90-0x00000000008F0000-0x00000000008FF000-memory.dmp | 60KB
- memory/1632-65-0x0000000000000000-mapping.dmp
- memory/1776-75-0x0000000000000000-mapping.dmp
- memory/1808-77-0x0000000000000000-mapping.dmp