Analysis
  max time kernel: 149s
  max time network: 156s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 01-05-2024 23:19
  Static task: static1
  Behavioral task: behavioral1
    Sample: TNT AWB TRACKING DETAILS.exe
    Resource: win7-20240221-en
General
  Target: TNT AWB TRACKING DETAILS.exe
  Size: 582KB
  MD5: a2160c54b5929dd3f48a2a37eadf3920
  SHA1: 35868869844c5ed2dee892fd5f374573d2197ae9
  SHA256: 408b676c05cde3623e9271d39c20ec19aaa9ad9882db0f08451442379409be99
  SHA512: 3fd7356e2687dbb3e2d8447d49b482407afdc6b9e47c60ecfbab8d13ab974db043ffa79ea919eca6300f7ba3a574aa15020607d9d37b847785b999aebe1769c3
  SSDEEP: 12288:hf7K0Zn2uP81g3C2L8w+wasqwn1bIIB5V5ci3cf1QUJz/xHUXRlW3T/PC3f:hFZn2wxCHDx0hleTi
Malware Config

Extracted
  Family: nanocore
  Version: 1.2.2.0
  C2: royal2222.duckdns.org:8804
  60d737f3-27c0-4444-ae3f-df8da3235e11 (the same GUID as the mutex attribute below)

  activate_away_mode: true
  backup_connection_host: royal2222.duckdns.org
  backup_dns_server: royal2222.duckdns.org
  buffer_size: 65535
  build_time: 2020-03-15T08:22:35.514241336Z
  bypass_user_account_control: false
  bypass_user_account_control_data (base64-encoded Task Scheduler task XML):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 8804
  default_group: Default
  enable_debug_mode: true
  gc_threshold: 1.048576e+07 (10485760)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07 (10485760)
  mutex: 60d737f3-27c0-4444-ae3f-df8da3235e11
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: royal2222.duckdns.org
  primary_dns_server: royal2222.duckdns.org
  request_elevation: false
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
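The bypass_user_account_control_data attribute is a base64-encoded Task Scheduler XML. The Python below is an added example (mine, not part of the sandbox report): it decodes the exact string from the config above, strips the XML declaration (it claims UTF-16 but the decoded bytes are plain ASCII, which trips a parser that trusts the declaration), and pulls out the fields that make the template interesting: RunLevel HighestAvailable, no trigger, AllowStartOnDemand true, and a "#EXECUTABLEPATH" placeholder in place of a real command. The function names and the is_uac_bypass_template heuristic are my own. One caveat worth keeping in mind: the config also reports bypass_user_account_control false and request_elevation false, so the template being embedded does not by itself show it was registered in this run.

```python
"""Decode NanoCore's bypass_user_account_control_data blob.

Added example, not part of the sandbox report. UAC_TASK_B64 is copied
verbatim from the config above; every function name here is mine.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Default namespace of Task Scheduler XML (declared inside the blob itself).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Value of bypass_user_account_control_data from the config above.
UAC_TASK_B64 = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"


def decode_task_blob(b64: str) -> str:
    """Base64-decode the blob and return the task XML without its declaration.

    The declaration says encoding="UTF-16", but the decoded bytes are plain
    ASCII, so handing the raw bytes to an XML parser fails. Decode as UTF-8
    and drop the declaration so the parser does not second-guess it.
    """
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate stripped '=' padding
    text = base64.b64decode(padded).decode("utf-8")
    return re.sub(r"^<\?xml[^>]*\?>\s*", "", text)


def summarize_task(xml_text: str) -> dict:
    """Pull out the fields that decide what a registered task can do."""
    root = ET.fromstring(xml_text)

    def text(path):
        return root.findtext(path, default=None, namespaces=TASK_NS)

    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "hidden": text("t:Settings/t:Hidden"),
        "on_demand": text("t:Settings/t:AllowStartOnDemand"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "trigger_count": 0 if triggers is None else len(triggers),
    }


def is_uac_bypass_template(summary: dict) -> bool:
    """Heuristic (mine): a trigger-less, on-demand task that runs at
    HighestAvailable with a placeholder command is a template meant to be
    filled in and started later to obtain an elevated process quietly."""
    return (
        summary["run_level"] == "HighestAvailable"
        and summary["trigger_count"] == 0
        and summary["on_demand"] == "true"
        and "#EXECUTABLEPATH" in (summary["command"] or "")
    )


if __name__ == "__main__":
    result = summarize_task(decode_task_blob(UAC_TASK_B64))
    for key, value in result.items():
        print(f"{key:14} {value}")
    print("uac bypass template:", is_uac_bypass_template(result))
```

The same decode-and-summarize step applies to the tmpXXXX.tmp files the sample passes to schtasks /xml in the process tree, once they are pulled from the sandbox; those are plain XML rather than base64, so only summarize_task is needed for them.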
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: TNT AWB TRACKING DETAILS.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe"

Checks whether UAC is enabled
  Process: TNT AWB TRACKING DETAILS.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
  PID 1500 (TNT AWB TRACKING DETAILS.exe) set thread context of PID 2412 (TNT AWB TRACKING DETAILS.exe)

Drops file in Program Files directory (2 IoCs)
  Process: TNT AWB TRACKING DETAILS.exe
  File created: C:\Program Files (x86)\DDP Service\ddpsv.exe
  File opened for modification: C:\Program Files (x86)\DDP Service\ddpsv.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe PID 2560, schtasks.exe PID 1116, schtasks.exe PID 848

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: TNT AWB TRACKING DETAILS.exe PID 1500 (2 hits), TNT AWB TRACKING DETAILS.exe PID 2412 (2 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: TNT AWB TRACKING DETAILS.exe PID 2412

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1500 TNT AWB TRACKING DETAILS.exe
  Token: SeDebugPrivilege, PID 2412 TNT AWB TRACKING DETAILS.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1500 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 2560 (schtasks.exe): 4 writes
  PID 1500 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 2412 (TNT AWB TRACKING DETAILS.exe): 9 writes
  PID 2412 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 1116 (schtasks.exe): 4 writes
  PID 2412 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 848 (schtasks.exe): 4 writes
Processes

C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe (PID 1500)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2560, child of 1500)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXNNIWvBZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2617.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe (PID 2412, child of 1500)
    Command line: "{path}" (recorded literally by the sandbox)
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 1116, child of 2412)
      Command line: "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2D28.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (PID 848, child of 2412)
      Command line: "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2EA0.tmp"
      - Creates scheduled task(s)

The schtasks.exe image path is SysWOW64 even where the command line names System32: the parent is a 32-bit process, so WoW64 file-system redirection resolves System32 to SysWOW64. The second TNT AWB TRACKING DETAILS.exe instance (PID 2412) is the target of the SetThreadContext and WriteProcessMemory calls made by PID 1500, and it is the instance that writes the Run key, drops ddpsv.exe and registers the two "DDP Service" tasks.
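The behaviour in the Signatures and Processes sections reduces to three observable patterns: a value added under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, schtasks.exe /create with a /xml file in the user's Temp directory spawned by a process that itself lives in Temp, and the sample starting a second copy of its own image (the target of the SetThreadContext and WriteProcessMemory calls). The Python below is an added example, not part of the sandbox report: it runs those three checks over constructed Sysmon-style events modelled on this report (PIDs and paths taken from it) plus one benign schtasks control. The event layout, rule names and the tmpXXXX.tmp pattern (GetTempFileName naming) are my assumptions; SetThreadContext itself is not a Sysmon event, so the third rule only flags a candidate to corroborate with the sandbox's injection signatures.

```python
"""Detection checks for the persistence and injection behaviour in the
Signatures/Processes sections, run over constructed Sysmon-style events.

Added example, not sandbox output: the events below are made up to mirror
the report (PIDs and paths taken from it, a benign control added), and the
rule names and event layout are mine.
"""
import re

TNT = r"C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe"

# Constructed events: process creates carry ppid/image/cmdline,
# registry sets carry key/value.
EVENTS = [
    {"type": "process_create", "pid": 1500, "ppid": 900, "image": TNT,
     "cmdline": f'"{TNT}"'},
    {"type": "process_create", "pid": 2560, "ppid": 1500,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXNNIWvBZ" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2617.tmp"'},
    {"type": "process_create", "pid": 2412, "ppid": 1500, "image": TNT,
     "cmdline": '"{path}"'},
    {"type": "registry_set", "pid": 2412,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service",
     "value": r"C:\Program Files (x86)\DDP Service\ddpsv.exe"},
    {"type": "process_create", "pid": 1116, "ppid": 2412,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Service" '
                r'/xml "C:\Users\Admin\AppData\Local\Temp\tmp2D28.tmp"'},
    # Benign control (constructed): a task created from an XML outside Temp.
    {"type": "process_create", "pid": 4000, "ppid": 3000,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\backup\task.xml"'},
]

# Any Run key, 32- or 64-bit view (Wow6432Node sits before this fragment).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# GetTempFileName produces tmpXXXX.tmp with four hex digits.
TEMP_XML_RE = re.compile(
    r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\tmp[0-9a-f]{4}\.tmp', re.I)
TEMP_DIR = "\\appdata\\local\\temp\\"


def detect(events):
    """Return (rule, pid, detail) tuples for the three patterns above."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY_RE.search(e["key"]):
            name = e["key"].rsplit("\\", 1)[-1]
            hits.append(("run_key_persistence", e["pid"], f"{name} -> {e['value']}"))
        if e["type"] != "process_create":
            continue
        parent = procs.get(e["ppid"])
        image = e["image"].lower()
        cmd = e["cmdline"]
        # schtasks /create fed an XML from Temp, launched from a Temp-resident parent.
        if (image.endswith("\\schtasks.exe") and "/create" in cmd.lower()
                and TEMP_XML_RE.search(cmd)
                and parent is not None and TEMP_DIR in parent["image"].lower()):
            hits.append(("schtasks_xml_from_temp", e["pid"], cmd))
        # A process spawning a second copy of its own image with a different
        # command line is the usual set-up for SetThreadContext-based
        # hollowing; Sysmon does not log SetThreadContext itself, so this is
        # only a candidate to corroborate with other telemetry.
        if (parent is not None and parent["image"].lower() == image
                and parent["cmdline"] != cmd):
            hits.append(("self_spawn_hollowing_candidate", e["pid"], cmd))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run as-is it reports four hits (PIDs 2560, 2412, 2412 and 1116) and nothing for the benign control; on real telemetry, feed it Sysmon event IDs 1 and 13 mapped onto the same dictionary shape.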
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 1KB
  MD5: 4a90bb41d05308df1f90c1e44fdc7944
  SHA1: b3231213113ec46636ebd5ee618705e5d41a03e0
  SHA256: 558a90d56a479842ca715d0116c6789288a26c1e00ec9df8cbf3c60000270317
  SHA512: 0055ace5e5960889e3be54ca1c374f15e71e3bdfbedff069b0a737d30c49b01594d1f9b9c99dbb42831b9a8eb03bd838a6972e7d225496c65a0a0f50d3e10732

  Filesize: 1KB
  MD5: d4343b952f5e92c7dd0cda4158a2965b
  SHA1: b34b2a0ea9ed2781da3fdad88bb60152cada238b
  SHA256: e10e7f2509a207cb6036e897f69cbfab1bc15540418362d2ea61441c982b13ca
  SHA512: 2e60bcf166cc8ef6a7aeb9134562af0b3a0d81f3ab8bb9ec359de74a3dee51e20c0ecdde42c8c1bdf68542ece98bb17fb2dbc8ea9d3f0e4784dc473596970f27

  Filesize: 1KB
  MD5: 93d357e6194c8eb8d0616a9f592cc4bf
  SHA1: 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
  SHA256: a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
  SHA512: 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f