Analysis
max time kernel: 142s
max time network: 148s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-10-2022 06:43
Static task: static1
Behavioral task: behavioral1
Sample: DHL AWB TRACKING DETAILS.exe
Resource: win7-20220812-en
General
Target: DHL AWB TRACKING DETAILS.exe
Size: 816KB
MD5: a006d50fd29ad58affd9e8e5c47be126
SHA1: 984005259c004b5c90bceef4d56cba5019f42baa
SHA256: 60d3005a44a9f63ddedb7f955ddae4b22b9a986717ca862ef2053f7f254cbb5e
SHA512: 6ce6eba40cc4b3ddee291f1ba0a0c89432a8a3728b766cf2ab2b3f0cbebe24414e5d1b6d6072c98e059e9c0e59282170b633a82c35c06e96078fe25fb9caf43c
SSDEEP: 12288:ey10PPJaxEOCf5lpLR6AlAm563wsX+2tDVYOgKsi4dWlvb9lZfZnNvbAjbusXjgG:mwLXzYvi4Elvb1ZNvbKbu+gG
Malware Config
Extracted
nanocore 1.2.2.0
chinomso.duckdns.org:7688
1a89322e-5293-4ba8-a831-31eb0594f72f
activate_away_mode: true
backup_connection_host: chinomso.duckdns.org
backup_dns_server: chinomso.duckdns.org
buffer_size: 65535
build_time: 2022-07-04T03:07:42.605643236Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 7688
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 1a89322e-5293-4ba8-a831-31eb0594f72f
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: chinomso.duckdns.org
primary_dns_server: chinomso.duckdns.org
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: DHL AWB TRACKING DETAILS.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"

Checks whether UAC is enabled
Process: DHL AWB TRACKING DETAILS.exe
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
PID 1652 (DHL AWB TRACKING DETAILS.exe) set thread context of PID 1584 (DHL AWB TRACKING DETAILS.exe)

Drops file in Program Files directory (2 IoCs)
Process: DHL AWB TRACKING DETAILS.exe
File created: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe
File opened for modification: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 1784: schtasks.exe
PID 1404: schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 1652: DHL AWB TRACKING DETAILS.exe
PID 1584: DHL AWB TRACKING DETAILS.exe
PID 1584: DHL AWB TRACKING DETAILS.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1584: DHL AWB TRACKING DETAILS.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token SeDebugPrivilege: PID 1652 (DHL AWB TRACKING DETAILS.exe)
Token SeDebugPrivilege: PID 1584 (DHL AWB TRACKING DETAILS.exe)

Suspicious use of WriteProcessMemory (21 IoCs)
PID 1652 (DHL AWB TRACKING DETAILS.exe) wrote to memory of PID 1252 (DHL AWB TRACKING DETAILS.exe): 4 entries
PID 1652 (DHL AWB TRACKING DETAILS.exe) wrote to memory of PID 1584 (DHL AWB TRACKING DETAILS.exe): 9 entries
PID 1584 (DHL AWB TRACKING DETAILS.exe) wrote to memory of PID 1784 (schtasks.exe): 4 entries
PID 1584 (DHL AWB TRACKING DETAILS.exe) wrote to memory of PID 1404 (schtasks.exe): 4 entries
Processes

C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe (PID 1652)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe (PID 1252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"

  C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe (PID 1584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKING DETAILS.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 1784)
      Command line: "schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD663.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (PID 1404)
      Command line: "schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD895.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpD663.tmp
Filesize: 1KB
MD5: c74a099ebd240106bc272f1d53b1c7ac
SHA1: a772592d7b93dbb43f7b58c9a4cbb33028bdefad
SHA256: cc7e2c2ed3cfef4753d80a47e20528785181788114d8ff4d78edd48a7af4e606
SHA512: 94315006216f64a3e18de69442d5140215e284063e49472b2edbdac68ca2015ed247a8da0377b114f105b3038744aa8a8e3817d006e5a1fbbd95cdd13024a83d

C:\Users\Admin\AppData\Local\Temp\tmpD895.tmp
Filesize: 1KB
MD5: 981e126601526eaa5b0ad45c496c4465
SHA1: d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256: 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512: a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb
Memory dumps:
memory/1404-75-0x0000000000000000-mapping.dmp
memory/1584-66-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1584-71-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1584-79-0x00000000003F0000-0x00000000003FA000-memory.dmp (Filesize: 40KB)
memory/1584-61-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1584-60-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1584-63-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1584-64-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1584-78-0x00000000003D0000-0x00000000003EE000-memory.dmp (Filesize: 120KB)
memory/1584-67-0x000000000041E792-mapping.dmp
memory/1584-77-0x0000000000380000-0x000000000038A000-memory.dmp (Filesize: 40KB)
memory/1584-69-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
memory/1652-57-0x0000000000580000-0x000000000058C000-memory.dmp (Filesize: 48KB)
memory/1652-56-0x00000000004D0000-0x00000000004E6000-memory.dmp (Filesize: 88KB)
memory/1652-55-0x0000000076041000-0x0000000076043000-memory.dmp (Filesize: 8KB)
memory/1652-58-0x0000000005B40000-0x0000000005BB4000-memory.dmp (Filesize: 464KB)
memory/1652-54-0x00000000107E0000-0x00000000108B0000-memory.dmp (Filesize: 832KB)
memory/1652-59-0x0000000004230000-0x000000000426A000-memory.dmp (Filesize: 232KB)
memory/1784-73-0x0000000000000000-mapping.dmp