Analysis
- max time kernel: 294s
- max time network: 318s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 00:10
- Static task: static1
- Behavioral task: behavioral1
  - Sample: DHL_1012617429350,pdf.exe
  - Resource: win7-en-20210920
General
- Target: DHL_1012617429350,pdf.exe
- Size: 321KB
- MD5: 66399e9799830e4375a90c7527d1643d
- SHA1: 22bfe4f3525245ebbbe332b84f4c51f48f94fb20
- SHA256: 59a7f37f860925d6b3d8c666d255ada96c5ea855fed304161da561d12616ae0a
- SHA512: d61fee25094a565f1cccc4c460c670ba620fca057f4baa7998b8560034d2ce90da58a1913c9a3ec399753f35bb34aa5f1276ed25fbb41f5dfad8f50ca1b11dfe
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: bnbnnjhjkii.ddns.net:2355
- Mutex: d78dbf2b-8a68-42bd-af35-aa036c54c154

Attributes
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-07-31T13:54:02.204062736Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 2355
- default_group: JIMNHJ
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: d78dbf2b-8a68-42bd-af35-aa036c54c154
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: bnbnnjhjkii.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B

- Loads dropped DLL (1 IoC)
  Processes:
    - pid: 1596
      process: DHL_1012617429350,pdf.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    - description: Set value (str)
      ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"
      process: DHL_1012617429350,pdf.exe

- Checks whether UAC is enabled
  Processes:
    - description: Key value queried
      ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
      process: DHL_1012617429350,pdf.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    - description: PID 1596 set thread context of 1812
      pid: 1596
      process: DHL_1012617429350,pdf.exe
      target process: DHL_1012617429350,pdf.exe

- Drops file in Program Files directory (2 IoCs)
  Processes:
    - description: File created
      ioc: C:\Program Files (x86)\UDP Subsystem\udpss.exe
      process: DHL_1012617429350,pdf.exe
    - description: File opened for modification
      ioc: C:\Program Files (x86)\UDP Subsystem\udpss.exe
      process: DHL_1012617429350,pdf.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (4 identical entries):
    - pid: 1812
      process: DHL_1012617429350,pdf.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    - pid: 1812
      process: DHL_1012617429350,pdf.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    - description: Token: SeDebugPrivilege
      pid: 1812
      process: DHL_1012617429350,pdf.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (11 identical entries):
    - description: PID 1596 wrote to memory of 1812
      pid: 1596
      process: DHL_1012617429350,pdf.exe
      target process: DHL_1012617429350,pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL_1012617429350,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_1012617429350,pdf.exe"
  PID: 1596
  Signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\DHL_1012617429350,pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_1012617429350,pdf.exe"
    PID: 1812
    Signatures:
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: e854945c316606824456ff4e3b665b0a
- SHA1: d75cb6c4920fea497da7c81483f80a0eb2a3782f
- SHA256: 7a45be75b03cd245e7cf13298652c4bd1d5c127a1511350c8ad0d01b41b6a074
- SHA512: a7636949cbc68c6ba5418aa01b90c451460ad2d34d9bded53544df2bcae11a4f237038d988cc26eb2fc605c20e949c323f25f6ac04bf8a08d956c249b12d5bb9