Analysis
-
max time kernel
76s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
30-09-2022 07:24
Static task
static1
Behavioral task
behavioral1
Sample
Shaheed CV.exe
Resource
win7-20220812-en
General
-
Target
Shaheed CV.exe
-
Size
941KB
-
MD5
bea958c83d0aa73cdf2c72485c4d2fe8
-
SHA1
ffc8e9e84a7b7cb625bfebd041ce39ec0f20c573
-
SHA256
3507dd4118b87dcecb315684892df75af68bcfa1860a10f17309a76fecc45fda
-
SHA512
4e045fac70205fdb6e872fcda7e56aad993941c4b95b1ec468d9fec2281ebdfd7855dd67d2479c520fa029f5911007bf9b84dd501d0f9a9262097ff96b4eba6f
-
SSDEEP
12288:Z9F2iNf2kIE8Jk84Hr7KYuzfUGCfA1s5DL8cCG1ADqjJ5npVNFDlnl/9yHWWDdjI:Z9F1A28KrHuDwIs5DoFwjrp7
Malware Config
Extracted
nanocore
1.2.2.0
xp230522.ddns.net:1996
99bdd317-26d2-4098-abcb-4bff156f262b
-
activate_away_mode
true
-
backup_connection_host
xp230522.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-05-07T04:04:00.193503536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1996
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
99bdd317-26d2-4098-abcb-4bff156f262b
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
xp230522.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
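The extracted configuration above is the most reusable part of this report: it gives the C2 endpoint, the mutex and the build time, and it records client-side settings that change how an incident responder should handle an infected host (set_critical_process and request_elevation are both true here). The following script is an added example, not part of the sandbox's own tooling; it re-parses the key/value pairs shown above (embedded inline as constructed text) into a normalised IoC record and a set of triage flags. The timestamp handling, the dynamic-DNS suffix list and the wording of the flag descriptions are this example's own assumptions.

```python
"""Normalise a NanoCore sandbox config dump into IoCs and responder triage flags."""
import re
from datetime import datetime, timezone

# Constructed from the key/value pairs in this report's Malware Config section.
CONFIG_TEXT = """\
primary_connection_host xp230522.ddns.net
backup_connection_host xp230522.ddns.net
connection_port 1996
mutex 99bdd317-26d2-4098-abcb-4bff156f262b
version 1.2.2.0
build_time 2022-05-07T04:04:00.193503536Z
keyboard_logging false
request_elevation true
bypass_user_account_control false
set_critical_process true
clear_access_control true
run_on_startup false
use_custom_dns_server false
primary_dns_server 8.8.8.8
backup_dns_server 8.8.4.4
"""

BOOL_VALUES = {"true": True, "false": False}

# Assumed suffixes of free dynamic-DNS providers; extend for your environment.
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")

# Settings worth surfacing to a responder when they are enabled. Descriptions are
# this example's reading of the NanoCore builder option names, not report content.
RISKY_SETTINGS = {
    "set_critical_process": "client marks itself critical: killing it bug-checks the host, "
                            "so clear the critical flag or image the box before terminating",
    "request_elevation": "client requests elevation at start; expect elevated persistence",
    "bypass_user_account_control": "UAC bypass enabled",
    "keyboard_logging": "keylogger enabled; treat credentials typed on the host as exposed",
    "clear_access_control": "builder option to reset ACLs on installed artefacts (assumed "
                            "semantics); do not rely on file ACLs to contain it",
}


def parse_config(text):
    """Parse 'key value' lines into typed values (bool, int or str)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if value.lower() in BOOL_VALUES:
            cfg[key] = BOOL_VALUES[value.lower()]
        elif value.isdigit():
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def parse_build_time(stamp):
    """NanoCore build times carry nanoseconds; truncate to microseconds for datetime."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", stamp)
    if not m:
        raise ValueError(f"unexpected timestamp format: {stamp}")
    micro = (m.group(2) or "0")[:6].ljust(6, "0")
    naive = datetime.strptime(f"{m.group(1)}.{micro}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


def extract_iocs(cfg):
    """Collapse primary/backup hosts onto the single connection port and pull the mutex."""
    port = cfg["connection_port"]
    hosts = {cfg[k] for k in ("primary_connection_host", "backup_connection_host") if cfg.get(k)}
    return {
        "c2": sorted(f"{h}:{port}" for h in hosts),
        "dynamic_dns": any(h.lower().endswith(DYNAMIC_DNS_SUFFIXES) for h in hosts),
        "mutex": cfg["mutex"],
        "version": cfg["version"],
        "build_time": parse_build_time(cfg["build_time"]),
    }


def triage_flags(cfg):
    """Return only the risky settings that are switched on in this build."""
    return {k: why for k, why in RISKY_SETTINGS.items() if cfg.get(k) is True}


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    print(extract_iocs(config))
    for name, why in triage_flags(config).items():
        print(f"[!] {name}: {why}")
```

The mutex is the same GUID the report prints as the second config header line, and it is the cheapest host-level check for a live infection: a process holding that named mutex is this build, whatever the binary is called on disk.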
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe"
process: Shaheed CV.exe
-
Checks whether UAC is enabled 1 IoCs
Processes:
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: Shaheed CV.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: set thread context
pid: 4888 (Shaheed CV.exe)
target pid: 4260 (Shaheed CV.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
description: File created
ioc: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe
process: Shaheed CV.exe
description: File opened for modification
ioc: C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe
process: Shaheed CV.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid 1400 schtasks.exe
pid 2180 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid 4888 Shaheed CV.exe (2 IoCs)
pid 4260 Shaheed CV.exe (6 IoCs)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 4260 Shaheed CV.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeDebugPrivilege, pid 4888 Shaheed CV.exe
Token: SeDebugPrivilege, pid 4260 Shaheed CV.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
PID 4888 (Shaheed CV.exe) wrote to memory of 2060 (Shaheed CV.exe): 3 writes
PID 4888 (Shaheed CV.exe) wrote to memory of 4260 (Shaheed CV.exe): 8 writes
PID 4260 (Shaheed CV.exe) wrote to memory of 1400 (schtasks.exe): 3 writes
PID 4260 (Shaheed CV.exe) wrote to memory of 2180 (schtasks.exe): 3 writes
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\Shaheed CV.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Shaheed CV.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\Shaheed CV.exe
command line: "{path}"
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\Shaheed CV.exe
command line: "{path}"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\schtasks.exe
command line: "schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp67E2.tmp"
- Creates scheduled task(s)
-
[depth 3] C:\Windows\SysWOW64\schtasks.exe
command line: "schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp687F.tmp"
- Creates scheduled task(s)
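The process tree and the signature rows together show the classic .NET-loader pattern behind NanoCore drops: the parent spawns a copy of itself with the literal command line "{path}", writes into it and calls SetThreadContext (process hollowing), and the hollowed child then establishes persistence through two schtasks /create calls driven by XML files in %Temp% plus a Run key pointing at the dropped dhcpss.exe. The script below is an added example, not the sandbox's own detection code; it rebuilds the report's events as a constructed inline event list and runs three hunts over it. The event schema, the field names and the %Temp% heuristic are this example's assumptions; the PID-to-signature attribution for the Run key and file drop is taken from the tree, which shows them on the second child (4260).

```python
"""Hunt for process hollowing and schtasks/Run-key persistence in a sandbox process trace."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Shaheed CV.exe"
DROPPED = r"C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe"

# Constructed from this report's Signatures and Processes sections.
EVENTS = (
    [{"type": "create", "pid": 4888, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
     {"type": "create", "pid": 2060, "ppid": 4888, "image": SAMPLE, "cmdline": '"{path}"'},
     {"type": "create", "pid": 4260, "ppid": 4888, "image": SAMPLE, "cmdline": '"{path}"'}]
    + [{"type": "write_memory", "pid": 4888, "target": 2060}] * 3
    + [{"type": "write_memory", "pid": 4888, "target": 4260}] * 8
    + [{"type": "set_thread_context", "pid": 4888, "target": 4260},
       {"type": "create", "pid": 1400, "ppid": 4260, "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r'"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp67E2.tmp"'},
       {"type": "create", "pid": 2180, "ppid": 4260, "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "cmdline": r'"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp687F.tmp"'},
       {"type": "reg_set", "pid": 4260,
        "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem",
        "value": DROPPED},
       {"type": "file_create", "pid": 4260, "path": DROPPED}]
)


def find_hollowing(events):
    """A parent that writes into a child running the *same image* and then sets its thread
    context is hollowing it: the child's original code was replaced before it ever ran."""
    image = {e["pid"]: e["image"] for e in events if e["type"] == "create"}
    writes = defaultdict(int)
    for e in events:
        if e["type"] == "write_memory":
            writes[(e["pid"], e["target"])] += 1
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        pair = (e["pid"], e["target"])
        if writes[pair] and image.get(pair[0]) == image.get(pair[1]):
            hits.append({"injector": pair[0], "hollowed": pair[1], "writes": writes[pair]})
    return hits


def written_but_never_resumed(events):
    """Children that received memory writes but no SetThreadContext: a first attempt the
    loader abandoned (PID 2060 here). Still worth dumping, it may hold the unpacked payload."""
    resumed = {e["target"] for e in events if e["type"] == "set_thread_context"}
    written = {e["target"] for e in events if e["type"] == "write_memory"}
    return sorted(written - resumed)


SCHTASKS_RE = re.compile(r'/tn\s+"([^"]+)".*?/xml\s+"([^"]+)"', re.IGNORECASE)


def schtasks_persistence(events):
    """Parse schtasks /create ... /xml invocations; flag task XML staged under %Temp%."""
    out = []
    for e in events:
        if e["type"] != "create" or not e["image"].lower().endswith(r"\schtasks.exe"):
            continue
        if "/create" not in e["cmdline"].lower():
            continue
        m = SCHTASKS_RE.search(e["cmdline"])
        if not m:
            continue
        name, xml = m.groups()
        out.append({"pid": e["pid"], "parent": e["ppid"], "task": name, "xml": xml,
                    "xml_in_temp": "\\appdata\\local\\temp\\" in xml.lower()})
    return out


def run_key_backed_by_drop(events):
    """Run-key values whose target binary was also created in this trace, i.e. the dropper
    both staged the file and registered it for autostart."""
    dropped = {e["path"].lower() for e in events if e["type"] == "file_create"}
    return [e["value"] for e in events if e["type"] == "reg_set" and e["value"].lower() in dropped]


if __name__ == "__main__":
    print("hollowing:", find_hollowing(EVENTS))
    print("stray write targets:", written_but_never_resumed(EVENTS))
    for task in schtasks_persistence(EVENTS):
        print("scheduled task:", task)
    print("run key -> dropped file:", run_key_backed_by_drop(EVENTS))
```

Two caveats when turning this into a production rule. The same-image check is what separates hollowing from ordinary debugger or crash-handler activity, but loaders also hollow unrelated trusted binaries (RegAsm.exe, MSBuild.exe), so a second rule keyed on the "{path}" command line, which is a placeholder the loader failed to substitute, catches those. And because the config sets set_critical_process, respond to a hit by suspending and dumping the hollowed process rather than killing it.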
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shaheed CV.exe.log
Filesize 1KB
MD5 568cff9ba1570565b45bf9ef7e636f7f
SHA1 d07d800e4334c2566181d3fcf9d644512a5a992e
SHA256 b094cb1ef7da4d1a6ed0b9dc687619033e44b960f4be00652a46fe945398bc09
SHA512 623e2fc4ba85f3465744dcd3e52cfa9e83009d18d5a8f4239842b2ddd0b0c91cd447072f7844cd9e6f8ef571f38743b22820f5cc741f9e55823d241146f9830b
-
C:\Users\Admin\AppData\Local\Temp\tmp67E2.tmp
Filesize 1KB
MD5 d48f566eec93c656b3b5333c24ea199e
SHA1 916f6940f164d5c4024d3f979a1fff32d4485cfa
SHA256 c3047f0d885b675b5a70ebce2336809feab8ddc685eee03309f9f726ddfa4f49
SHA512 a72b66390c9720742090a7737cd893d8547cd5e83ab7ed65462b51f5fc701eba65509b1a56d15bc0f17d38879ac48cee0a67665f33b02dffbfa6de06433ee18d
-
C:\Users\Admin\AppData\Local\Temp\tmp687F.tmp
Filesize 1KB
MD5 2f26d92c1eeead3896820e56ec46f6f1
SHA1 d95533b61eed7d89e4ada56bc566d60e42ac1f61
SHA256 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
SHA512 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892
-
memory/1400-141-0x0000000000000000-mapping.dmp
-
memory/2060-137-0x0000000000000000-mapping.dmp
-
memory/2180-143-0x0000000000000000-mapping.dmp
-
memory/4260-138-0x0000000000000000-mapping.dmp
-
memory/4260-139-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB
-
memory/4260-145-0x0000000007170000-0x00000000071D6000-memory.dmp
Filesize 408KB
-
memory/4888-132-0x0000000000D60000-0x0000000000E50000-memory.dmp
Filesize 960KB
-
memory/4888-136-0x00000000057F0000-0x00000000057FA000-memory.dmp
Filesize 40KB
-
memory/4888-135-0x0000000005840000-0x00000000058DC000-memory.dmp
Filesize 624KB
-
memory/4888-134-0x00000000056B0000-0x0000000005742000-memory.dmp
Filesize 584KB
-
memory/4888-133-0x0000000005D50000-0x00000000062F4000-memory.dmp
Filesize 5.6MB