Analysis
- max time kernel: 139s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 07:01
Static task: static1
Behavioral task: behavioral1
- Sample: DHL_Receipts_scanned^^^.scr.exe
- Resource: win7-20220901-en
General
- Target: DHL_Receipts_scanned^^^.scr.exe
- Size: 333KB
- MD5: e5fcecd110753e63072de73e9b4ac671
- SHA1: 3de5eece281193ea60de8fdaf6001f9d7c973a91
- SHA256: 8eb139b9852b5f4259aff1b4bc39b07184f8fe088d7277ac0e3c8800fe0bc261
- SHA512: 0ecf6fe4467077b247c6a4dc870cd29c806222779fd79a1b1303fbb86225465144d2f6cc949e74fdcaef243a19e04408ad74ae1e650e218f663895954d048ef2
- SSDEEP: 6144:NBn0unJ8KzJGd/rkXPw+iW7LeZd0BG8Ct+MRCO73aLbV4rqXmpJLKDRGG1e7:Eu2KksPdi370BG8CtlD3aN42GL0GG1M
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: neoncorex.duckdns.org:2022
- Mutex: 39dcee1b-ef73-4d3f-85a3-0a94551eac95
Attributes:
- activate_away_mode: true
- backup_connection_host: neoncorex.duckdns.org
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-11-21T01:20:38.920982636Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 2022
- default_group: 2022LOGS
- enable_debug_mode: true
- gc_threshold: 10485798
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: 39dcee1b-ef73-4d3f-85a3-0a94551eac95
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: neoncorex.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
1080  bwbhwwvvw.exe
1776  bwbhwwvvw.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
1292  DHL_Receipts_scanned^^^.scr.exe
1080  bwbhwwvvw.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- bwbhwwvvw.exe: Set value (str)
  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ksctecmgh = "C:\\Users\\Admin\\AppData\\Roaming\\imadsuuwig\\blhpmbfyr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bwbhwwvvw.exe\" C:\\Users\\Admin\\AppData\\L"
  (the value data is truncated as shown in the report; the launcher under AppData\Roaming is referenced by the key but does not appear among the files dropped in this run)
-
Checks whether UAC is enabled 1 IoCs
Processes:
- bwbhwwvvw.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  (consistent with bypass_user_account_control = true and request_elevation = true in the extracted configuration)
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description          pid   process        target pid  target process
set thread context   1080  bwbhwwvvw.exe  1776        bwbhwwvvw.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox attaches the generic note "Likely ransomware behaviour" to this signature; in this run the extracted configuration identifies the sample as NanoCore, a remote access trojan, and no file encryption or ransom-note activity is recorded elsewhere in the report, so drive enumeration alone should not be read as ransomware activity here.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1776  bwbhwwvvw.exe
1776  bwbhwwvvw.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
1776  bwbhwwvvw.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
1080  bwbhwwvvw.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   1776  bwbhwwvvw.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description       pid   process                          target pid  target process  count
wrote to memory   1292  DHL_Receipts_scanned^^^.scr.exe  1080        bwbhwwvvw.exe   4
wrote to memory   1080  bwbhwwvvw.exe                    1776        bwbhwwvvw.exe   5
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\DHL_Receipts_scanned^^^.scr.exe (PID 1292)
   Command line: "C:\Users\Admin\AppData\Local\Temp\DHL_Receipts_scanned^^^.scr.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\bwbhwwvvw.exe (PID 1080, child of 1292)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bwbhwwvvw.exe" C:\Users\Admin\AppData\Local\Temp\yjijqvmhf.bsq
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Users\Admin\AppData\Local\Temp\bwbhwwvvw.exe (PID 1776, child of 1080)
         Command line: "C:\Users\Admin\AppData\Local\Temp\bwbhwwvvw.exe"
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
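The indicators above (the Run key value written by bwbhwwvvw.exe, the parent/child pair of identical %TEMP% binaries that precedes SetThreadContext and WriteProcessMemory, the C2 host and port from the extracted NanoCore configuration, and the dropped-file hashes) translate directly into detection logic. What follows is an added example, not part of the sandbox report or of any NanoCore tooling: it encodes those indicators as checks over Sysmon-style events. The Sysmon event IDs used (1 process create, 3 network connect, 13 registry value set, 22 DNS query) are the real ones; the event dictionaries themselves are constructed for the example and are not telemetry from this run. The Roaming launcher named in the Run key does not appear in the dropped-files list of this run, so the Run key check matches the shape of the value (Roaming .exe handed a %TEMP% .exe as its first argument) rather than that specific path; the NanoCore mutex is a handle-level artifact Sysmon does not record, so it is not checked here.

```python
import re

# Indicators taken from the sandbox report above (NanoCore config and IoCs).
C2_HOSTS = {"neoncorex.duckdns.org"}        # primary_connection_host / backup_connection_host
C2_PORT = 2022                              # connection_port
DROPPED_SHA256 = {                          # files listed under Downloads
    "a65938aca4f1aec627735e6650d0cb6ca78ed3439715a8a165ac07d0afc4dccc",  # bwbhwwvvw.exe
    "1323328ea053d7be6056ffbd84baf7414cb78fe1dc77cb22f008a73ab66178a1",  # hnslvwz.qg
    "558340501757c00d168f244cc18feee60bb6c6e82cd41c0aaeb42826578a75bb",  # yjijqvmhf.bsq
}

# Shape of the Run key value recorded above: an .exe under %APPDATA%\Roaming
# that is passed a dropped %TEMP% .exe as a quoted first argument.
RUN_VALUE_RE = re.compile(
    r'^"?(?P<launcher>[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\[^"\s]+\.exe)"?\s+'
    r'"(?P<payload>[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^"]+\.exe)"',
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def check_run_key(ev):
    """Sysmon event 13 (registry value set) on a ...\\CurrentVersion\\Run\\ key
    whose data matches the launcher-plus-%TEMP%-payload pattern."""
    if ev.get("EventID") != 13 or "\\CurrentVersion\\Run\\" not in ev.get("TargetObject", ""):
        return []
    m = RUN_VALUE_RE.match(ev.get("Details", ""))
    return [f"run-key persistence: {ev['TargetObject']} -> {m['payload']}"] if m else []


def check_self_spawn(ev):
    """Sysmon event 1 (process create): a %TEMP% binary starting a copy of itself,
    the parent/child pair that SetThreadContext and WriteProcessMemory then target."""
    if ev.get("EventID") != 1:
        return []
    img, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if img and img.lower() == parent.lower() and TEMP_DIR_RE.search(img):
        return [f"self-spawn from %TEMP% (hollowing candidate): {img}"]
    return []


def check_dns(ev):
    """Sysmon event 22 (DNS query) for a configured C2 host name."""
    if ev.get("EventID") != 22:
        return []
    name = ev.get("QueryName", "").lower().rstrip(".")
    return [f"C2 DNS lookup: {name}"] if name in C2_HOSTS else []


def check_network(ev):
    """Sysmon event 3 (network connect) to a configured C2 host on the C2 port."""
    if ev.get("EventID") != 3:
        return []
    host = ev.get("DestinationHostname", "").lower()
    if host in C2_HOSTS and ev.get("DestinationPort") == C2_PORT:
        return [f"C2 connection: {host}:{C2_PORT}"]
    return []


def check_hash(ev):
    """Any event carrying a SHA256 (e.g. the image hash in Sysmon event 1)
    that matches a file this report lists as dropped."""
    digest = ev.get("SHA256", "").lower()
    return [f"known dropped file hash: {digest}"] if digest in DROPPED_SHA256 else []


CHECKS = (check_run_key, check_self_spawn, check_dns, check_network, check_hash)


def scan(events):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            findings.extend(check(ev))
    return findings


# Constructed Sysmon-style events for the example; not telemetry from this run.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # benign autostart entry: must not fire
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # the Run key value recorded above (trailing argument truncated as in the report)
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ksctecmgh",
     "Details": r'C:\Users\Admin\AppData\Roaming\imadsuuwig\blhpmbfyr.exe "C:\Users\Admin\AppData\Local\Temp\bwbhwwvvw.exe" C:\Users\Admin\AppData\L'},
    # dropper -> first bwbhwwvvw.exe (different images: no self-spawn, but a known hash)
    {"EventID": 1, "Image": TEMP + r"\bwbhwwvvw.exe",
     "ParentImage": TEMP + r"\DHL_Receipts_scanned^^^.scr.exe",
     "SHA256": "a65938aca4f1aec627735e6650d0cb6ca78ed3439715a8a165ac07d0afc4dccc"},
    # first bwbhwwvvw.exe -> second bwbhwwvvw.exe, the hollowed child
    {"EventID": 1, "Image": TEMP + r"\bwbhwwvvw.exe", "ParentImage": TEMP + r"\bwbhwwvvw.exe"},
    {"EventID": 22, "QueryName": "neoncorex.duckdns.org"},
    {"EventID": 3, "DestinationHostname": "neoncorex.duckdns.org", "DestinationPort": 2022},
    {"EventID": 3, "DestinationHostname": "neoncorex.duckdns.org", "DestinationPort": 443},  # other port: no match
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, `scan()` reports the ksctecmgh Run key, the known hash of bwbhwwvvw.exe, the self-spawn of bwbhwwvvw.exe from %TEMP%, the DNS lookup of neoncorex.duckdns.org and the connection to port 2022, and stays silent on the OneDrive entry, the dropper-to-child launch (different images) and the same host on another port. The host and hash checks are exact-match and only as durable as the indicators; the Run key and self-spawn checks key on behaviour and would survive a rebuild with new names and hashes.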
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bwbhwwvvw.exe
(listed five times in the report with identical hashes, twice under the drive-less path \Users\Admin\AppData\Local\Temp\bwbhwwvvw.exe)
- Filesize: 13KB
- MD5: ce95f5952f0dc3740c324330a1f338da
- SHA1: e72400e1b7d4b7893bd65629fbe9fb6ac77e0135
- SHA256: a65938aca4f1aec627735e6650d0cb6ca78ed3439715a8a165ac07d0afc4dccc
- SHA512: b7afa3de57ec7d034432206fd6d8ca9a8023d72f34104422463f5192865a7e79463721d5c726d6807b1a16f52dfc65499850a33f8abb4ae0ac6c61936b5fd0ee
-
C:\Users\Admin\AppData\Local\Temp\hnslvwz.qg
- Filesize: 280KB
- MD5: 1fcb86f0d8bcffb397724cd1ce51506c
- SHA1: 794662229d284cc149a02847a8bfe987603d2675
- SHA256: 1323328ea053d7be6056ffbd84baf7414cb78fe1dc77cb22f008a73ab66178a1
- SHA512: 90fc2807949127ddaacc2029f983fe8152ea3ab4437dc242585013a4b9a60c5d355733332337100dd3cf8891b1320bc71cb76c5e24294571ac1b23c91d012d32
-
C:\Users\Admin\AppData\Local\Temp\yjijqvmhf.bsq
- Filesize: 7KB
- MD5: 3f1f6fa65fd566b70196094b05b4bf2c
- SHA1: a78220174ee66983de6ee80722fae46a75c0d959
- SHA256: 558340501757c00d168f244cc18feee60bb6c6e82cd41c0aaeb42826578a75bb
- SHA512: 75248b2d81c8b855b322207debb182e35b2e07c75948c08f970eedf5b79df0655c21695be7de9bedc14794224955a8a2a8f7881044696e96699e95757f5b3aaf
-
memory/1080-56-0x0000000000000000-mapping.dmp
-
memory/1292-54-0x00000000762E1000-0x00000000762E3000-memory.dmp (Filesize: 8KB)
-
memory/1776-63-0x0000000000401896-mapping.dmp
-
memory/1776-66-0x00000000008B0000-0x00000000008E8000-memory.dmp (Filesize: 224KB)
-
memory/1776-67-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
-
memory/1776-68-0x0000000000AC0000-0x0000000000ACA000-memory.dmp (Filesize: 40KB)
-
memory/1776-69-0x0000000000AD0000-0x0000000000AEE000-memory.dmp (Filesize: 120KB)
-
memory/1776-70-0x0000000000AF0000-0x0000000000AFA000-memory.dmp (Filesize: 40KB)