Analysis
- max time kernel: 145s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:40
- Static task: static1
- Behavioral task: behavioral1
  - Sample: USPS.exe
  - Resource: win7-20220414-en
General
- Target: USPS.exe
- Size: 1.3MB
- MD5: 2b88bb3a1dc7d15f7ee00323f4d8f142
- SHA1: 920e2fadf1372cd0d0f0c5f086d18a7eda79587f
- SHA256: 944b633d92799fe6aeefae5de7945b6b0b69020ed669d9d7e68ebd80868771e6
- SHA512: 445fa6eb36f0e7748a8e803819a11df1905076ef0b0d33c431aef26b35997df774bd3a46eac04f9be8a4f78550f1f99384bef0589490637fee529fecc84aab0e
Malware Config
Extracted
- family: nanocore
- version: 1.2.2.0
- C2: u852121.nvpn.to:3410
- mutex: 6600ee3d-9113-495f-9807-2cbadaeabc68
Settings
- activate_away_mode: true
- backup_connection_host: u852121.nvpn.to
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-03-29T22:15:11.322294736Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3410
- default_group: usp
- enable_debug_mode: true
- gc_threshold: 10485760 (10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (10 MiB)
- mutex: 6600ee3d-9113-495f-9807-2cbadaeabc68
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: u852121.nvpn.to
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
Drops startup file (1 IoC)
- USPS.exe: file opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WWAHost.url
Suspicious use of SetThreadContext (1 IoC)
- PID 2228 (USPS.exe) set thread context of PID 3232 (MSBuild.exe)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
- PID 3232 (MSBuild.exe), 3 occurrences
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3232 (MSBuild.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 3232 (MSBuild.exe): Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (3 IoCs)
- PID 2228 (USPS.exe), 3 occurrences
Suspicious use of SendNotifyMessage (3 IoCs)
- PID 2228 (USPS.exe), 3 occurrences
Suspicious use of WriteProcessMemory (5 IoCs)
- PID 2228 (USPS.exe) wrote to memory of PID 3232 (MSBuild.exe), 5 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\USPS.exe (PID 2228)
  Command line: "C:\Users\Admin\AppData\Local\Temp\USPS.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 3232, child of USPS.exe)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
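The chain recorded above is the one a detection should key on: USPS.exe, running from the user's Temp directory, spawns MSBuild.exe from the .NET Framework directory, writes into it five times, replaces its thread context, and the MSBuild.exe process then enables SeDebugPrivilege while a .url is dropped into the per-user Startup folder. The Python below is an added example, not part of the sandbox report or any vendor's code: it correlates a constructed event stream modelled on the Signatures and Processes sections into process-hollowing and persistence findings, and reduces the extracted NanoCore config to the indicators a responder blocks or hunts on. The event field names (`event`, `pid`, `target_pid`, `image`, `path`) and the `NANOCORE_CONFIG` dict are assumptions built from the report's values, not a real sandbox schema.

```python
"""Added example: correlate sandbox-style process events into findings and
derive indicators from a NanoCore config. Not part of the original report."""
import re

# Constructed events, modelled on the report's Signatures and Processes sections.
EVENTS = [
    {"event": "process_start", "pid": 2228, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\USPS.exe"},
    {"event": "process_start", "pid": 3232, "ppid": 2228,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"},
    {"event": "file_modify", "pid": 2228,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WWAHost.url"},
] + [{"event": "write_process_memory", "pid": 2228, "target_pid": 3232}] * 5 + [
    {"event": "set_thread_context", "pid": 2228, "target_pid": 3232},
    {"event": "adjust_privilege", "pid": 3232, "privilege": "SeDebugPrivilege"},
]

# Constructed subset of the extracted config shown in the report.
NANOCORE_CONFIG = {
    "version": "1.2.2.0",
    "primary_connection_host": "u852121.nvpn.to",
    "backup_connection_host": "u852121.nvpn.to",
    "connection_port": 3410,
    "mutex": "6600ee3d-9113-495f-9807-2cbadaeabc68",
    "run_on_startup": True,
    "bypass_user_account_control": True,
    "set_critical_process": True,
}

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def _images(events):
    """Map pid -> image path from process_start events."""
    return {e["pid"]: e["image"] for e in events if e["event"] == "process_start"}


def detect_hollowing(events):
    """Flag pairs where a process from a user-writable directory spawns a child
    from a system directory, writes into it, and then sets its thread context.
    Requiring the whole chain keeps debuggers and legitimate injectors out."""
    images = _images(events)
    parents = {e["pid"]: e["ppid"] for e in events if e["event"] == "process_start"}
    writes, ctx = {}, set()
    for e in events:
        if e["event"] == "write_process_memory":
            key = (e["pid"], e["target_pid"])
            writes[key] = writes.get(key, 0) + 1
        elif e["event"] == "set_thread_context":
            ctx.add((e["pid"], e["target_pid"]))
    findings = []
    for src, dst in sorted(ctx):
        if (src, dst) not in writes or parents.get(dst) != src:
            continue
        if USER_WRITABLE.search(images.get(src, "")) and SYSTEM_DIR.search(images.get(dst, "")):
            findings.append({"technique": "process_hollowing", "parent_pid": src,
                             "target_pid": dst, "target_image": images[dst],
                             "memory_writes": writes[(src, dst)]})
    return findings


def detect_startup_persistence(events):
    """Any file written under the per-user Startup folder relaunches at logon;
    a .url dropped there is enough to bring the RAT back."""
    images = _images(events)
    return [{"technique": "startup_folder", "pid": e["pid"],
             "image": images.get(e["pid"]), "path": e["path"]}
            for e in events if e["event"] == "file_modify" and STARTUP_DIR.search(e["path"])]


def privileged_hollowed_processes(events):
    """Hollowed targets that go on to enable SeDebugPrivilege: the injected
    payload, not the host binary, is asking to open arbitrary processes."""
    hollowed = {f["target_pid"] for f in detect_hollowing(events)}
    return sorted({e["pid"] for e in events
                   if e["event"] == "adjust_privilege"
                   and e.get("privilege") == "SeDebugPrivilege" and e["pid"] in hollowed})


def nanocore_iocs(cfg):
    """Reduce the config to blockable/huntable indicators and the flags that
    tell the responder what the implant will do on the host."""
    hosts = {cfg[k] for k in ("primary_connection_host", "backup_connection_host") if cfg.get(k)}
    return {
        "c2": sorted(f"{h}:{cfg['connection_port']}" for h in hosts),
        "mutex": cfg["mutex"],
        "single_host_infra": len(hosts) == 1,   # primary == backup: one sinkhole covers both
        "persistence": bool(cfg.get("run_on_startup")),
        "uac_bypass": bool(cfg.get("bypass_user_account_control")),
        "critical_process": bool(cfg.get("set_critical_process")),
    }


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS) + detect_startup_persistence(EVENTS):
        print(finding)
    print("SeDebugPrivilege in hollowed pids:", privileged_hollowed_processes(EVENTS))
    print(nanocore_iocs(NANOCORE_CONFIG))
```

The hollowing check insists on all three links (parent spawned the child, wrote its memory, then set its thread context) before the user-writable-source/system-binary-target heuristic is applied, so a debugger attaching to a process or an installer writing into its own child does not trip it. `single_host_infra` is worth surfacing because this config's primary and backup hosts are identical, so blocking the one DDNS name cuts off both paths.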
Downloads
- memory/2228-130-0x0000000003010000-0x0000000003076000-memory.dmp (Filesize 408KB)
- memory/2228-131-0x0000000003A40000-0x0000000003AA6000-memory.dmp (Filesize 408KB)
- memory/3232-133-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize 224KB)
- memory/3232-132-0x0000000000000000-mapping.dmp
- memory/3232-138-0x0000000074D20000-0x00000000752D1000-memory.dmp (Filesize 5.7MB)