Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
submitted: 10-10-2022 16:13
Static task: static1
Behavioral task: behavioral1
Sample: Shipment receipt.exe
Resource: win7-20220812-en
General
Target: Shipment receipt.exe
Size: 231KB
MD5: 8af8789eac67de3b398fd91caad301c7
SHA1: 46a834f5f2a07eefec376232b8785187c46bab5d
SHA256: 0439c7d1f0b9dd75617a6cd78c086139feccd6a2eb91d43e3d09e6194f14bebd
SHA512: 831f6d22a66a272cbe603d638a9e02685b587ce97ef7730f930c72a70f68a285afa005d090d950797bcb0c4fbb45d6a6f5401d29f7fd2037670086f656ffe7da
SSDEEP: 3072:NW3q9x4CuQqhAp05FIGRnNadfS5AmqKnoeN:NmqvyhAp05FnNKmqKoe
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: ratagain.gleeze.com:5050
C2: ratagainbk.gleeze.com:5050
Mutex: facea582-6bb8-4111-bf8c-c4bbbdd42ea8

activate_away_mode: true
backup_connection_host: ratagainbk.gleeze.com
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-01-24T09:08:07.151828536Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5050
default_group: April
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: facea582-6bb8-4111-bf8c-c4bbbdd42ea8
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: ratagain.gleeze.com
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation
  process: Shipment receipt.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zxaxoqehw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nxbjycx\\Zxaxoqehw.exe\""
  process: Shipment receipt.exe

Checks whether UAC is enabled (1 IoC)
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 1504 set thread context of 2608
  pid: 1504
  process: Shipment receipt.exe
  target process: RegAsm.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
Processes:
  pid 5032: timeout.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid 1792: powershell.exe (2 entries)
  pid 1504: Shipment receipt.exe (2 entries)
  pid 2608: RegAsm.exe (3 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 2608: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege, pid 1504, Shipment receipt.exe
  Token: SeDebugPrivilege, pid 1792, powershell.exe
  Token: SeDebugPrivilege, pid 2608, RegAsm.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  PID 1504 (Shipment receipt.exe) wrote to memory of 2476 (cmd.exe): 3 entries
  PID 2476 (cmd.exe) wrote to memory of 5032 (timeout.exe): 3 entries
  PID 1504 (Shipment receipt.exe) wrote to memory of 1792 (powershell.exe): 3 entries
  PID 1504 (Shipment receipt.exe) wrote to memory of 2608 (RegAsm.exe): 8 entries
Processes

Shipment receipt.exe (level 1)
  path: C:\Users\Admin\AppData\Local\Temp\Shipment receipt.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Shipment receipt.exe"
  signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  cmd.exe (level 2, child of Shipment receipt.exe)
    path: C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c timeout 1
    signatures:
    - Suspicious use of WriteProcessMemory

    timeout.exe (level 3, child of cmd.exe)
      path: C:\Windows\SysWOW64\timeout.exe
      command line: timeout 1
      signatures:
      - Delays execution with timeout.exe

  powershell.exe (level 2, child of Shipment receipt.exe)
    path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAHgAYgBqAHkAYwB4AFwAWgB4AGEAeABvAHEAZQBoAHcALgBlAHgAZQAnAA==
    decoded -enc argument (base64 of UTF-16LE): Set-MpPreference -ExclusionPath 'C:\','C:\Users\Admin\AppData\Roaming\Nxbjycx\Zxaxoqehw.exe'
    signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  RegAsm.exe (level 2, child of Shipment receipt.exe)
    path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    signatures:
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1504-132-0x0000000000AF0000-0x0000000000B30000-memory.dmp (256KB)
memory/1504-133-0x0000000005AC0000-0x0000000006064000-memory.dmp (5.6MB)
memory/1504-134-0x0000000005510000-0x00000000055A2000-memory.dmp (584KB)
memory/1504-135-0x00000000054C0000-0x00000000054CA000-memory.dmp (40KB)
memory/1792-144-0x0000000005D70000-0x0000000005D8E000-memory.dmp (120KB)
memory/1792-147-0x0000000006310000-0x000000000632E000-memory.dmp (120KB)
memory/1792-138-0x0000000000000000-mapping.dmp
memory/1792-139-0x00000000027B0000-0x00000000027E6000-memory.dmp (216KB)
memory/1792-140-0x0000000004E60000-0x0000000005488000-memory.dmp (6.2MB)
memory/1792-141-0x0000000004DC0000-0x0000000004DE2000-memory.dmp (136KB)
memory/1792-142-0x0000000005510000-0x0000000005576000-memory.dmp (408KB)
memory/1792-143-0x0000000005730000-0x0000000005796000-memory.dmp (408KB)
memory/1792-154-0x00000000073A0000-0x00000000073A8000-memory.dmp (32KB)
memory/1792-145-0x0000000006F30000-0x0000000006F62000-memory.dmp (200KB)
memory/1792-146-0x000000006FE40000-0x000000006FE8C000-memory.dmp (304KB)
memory/1792-153-0x00000000073C0000-0x00000000073DA000-memory.dmp (104KB)
memory/1792-148-0x00000000076C0000-0x0000000007D3A000-memory.dmp (6.5MB)
memory/1792-149-0x0000000007070000-0x000000000708A000-memory.dmp (104KB)
memory/1792-150-0x00000000070F0000-0x00000000070FA000-memory.dmp (40KB)
memory/1792-151-0x0000000007300000-0x0000000007396000-memory.dmp (600KB)
memory/1792-152-0x00000000072B0000-0x00000000072BE000-memory.dmp (56KB)
memory/2476-136-0x0000000000000000-mapping.dmp
memory/2608-155-0x0000000000000000-mapping.dmp
memory/2608-156-0x0000000000400000-0x0000000000458000-memory.dmp (352KB)
memory/2608-157-0x00000000051D0000-0x000000000526C000-memory.dmp (624KB)
memory/5032-137-0x0000000000000000-mapping.dmp