Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-05-2024 23:19
Static task: static1

Behavioral task: behavioral1
- Sample: TNT AWB TRACKING DETAILS.exe
- Resource: win7-20240221-en
General

- Target: TNT AWB TRACKING DETAILS.exe
- Size: 582KB
- MD5: a2160c54b5929dd3f48a2a37eadf3920
- SHA1: 35868869844c5ed2dee892fd5f374573d2197ae9
- SHA256: 408b676c05cde3623e9271d39c20ec19aaa9ad9882db0f08451442379409be99
- SHA512: 3fd7356e2687dbb3e2d8447d49b482407afdc6b9e47c60ecfbab8d13ab974db043ffa79ea919eca6300f7ba3a574aa15020607d9d37b847785b999aebe1769c3
- SSDEEP: 12288:hf7K0Zn2uP81g3C2L8w+wasqwn1bIIB5V5ci3cf1QUJz/xHUXRlW3T/PC3f:hFZn2wxCHDx0hleTi
Malware Config

Extracted

- Family: nanocore
- Version: 1.2.2.0
- C2: royal2222.duckdns.org:8804
- Mutex: 60d737f3-27c0-4444-ae3f-df8da3235e11

Attributes:
- activate_away_mode: true
- backup_connection_host: royal2222.duckdns.org
- backup_dns_server: royal2222.duckdns.org
- buffer_size: 65535
- build_time: 2020-03-15T08:22:35.514241336Z
- bypass_user_account_control: false
- bypass_user_account_control_data: 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
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 8804
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760)
- mutex: 60d737f3-27c0-4444-ae3f-df8da3235e11
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: royal2222.duckdns.org
- primary_dns_server: royal2222.duckdns.org
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation (process: TNT AWB TRACKING DETAILS.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" (process: TNT AWB TRACKING DETAILS.exe)
- Checks whether UAC is enabled
  Processes:
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: TNT AWB TRACKING DETAILS.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3704 set thread context of PID 4284 (TNT AWB TRACKING DETAILS.exe -> TNT AWB TRACKING DETAILS.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes:
    File created: C:\Program Files (x86)\DDP Service\ddpsv.exe (process: TNT AWB TRACKING DETAILS.exe)
    File opened for modification: C:\Program Files (x86)\DDP Service\ddpsv.exe (process: TNT AWB TRACKING DETAILS.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    PID 4576: schtasks.exe
    PID 4760: schtasks.exe
    PID 4264: schtasks.exe
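All three schtasks invocations in this report are fed from a task-definition XML written to %TEMP% (tmpD1C7.tmp, tmpD63C.tmp, tmpD68B.tmp) rather than from command-line switches, so the trigger and the executed command are only visible by opening those files. The helper below is an added example, not part of the sandbox report: it parses the Task Scheduler XML format, pulls out the fields an analyst checks first (trigger type, hidden flag, run level, Exec command) and flags a hidden logon task whose command is also a Run-key target. The element names and namespace are those of the Windows Task Scheduler schema; the two XML documents are constructed for the example, since the report does not include the dropped files' contents, and the command in the first one is the Run-key target the report does show.

```python
"""Added example (not from the report): triage of schtasks /xml task definitions.

Assumptions: SAMPLE_TASK_XML and BENIGN_TASK_XML are constructed inputs;
RUN_KEY_TARGETS is copied from the report's Run-key IoC.  Real task files
written by schtasks are UTF-16 with an XML declaration; ET.fromstring accepts
the raw bytes of such a file as well as the str used here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed: what a task would need in order to relaunch the dropped
# binary at every logon, modelled on the report's "DDP Service" task.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Admin</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files (x86)\DDP Service\ddpsv.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed control: a visible boot-time task running a Windows binary.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\sc.exe</Command><Arguments>query</Arguments></Exec>
  </Actions>
</Task>"""

# Run-key target observed in the report; a task that launches the same
# binary is double persistence for the same payload.
RUN_KEY_TARGETS = [r"C:\Program Files (x86)\DDP Service\ddpsv.exe"]

# Directory fragments a normal user can write to; a task command living
# there deserves a look regardless of the rest of the definition.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_task(xml_text) -> Dict[str, object]:
    """Extract trigger types, hidden flag, run level and the Exec action."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", TASK_NS)
    # Child tags arrive as "{namespace}LogonTrigger"; keep the local name.
    triggers = [el.tag.split("}", 1)[1] for el in triggers_el] if triggers_el is not None else []
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    return {
        "author": root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=TASK_NS),
        "triggers": triggers,
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS).strip().lower() == "true",
        "command": command.strip().strip('"'),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS),
    }


def triage_task(xml_text, run_key_targets=RUN_KEY_TARGETS) -> List[str]:
    """Return the reasons (possibly none) a task definition should be escalated."""
    task = parse_task(xml_text)
    cmd = str(task["command"]).lower()
    reasons: List[str] = []
    if task["hidden"] and "LogonTrigger" in task["triggers"]:
        reasons.append("hidden_logon_task")
    if any(hint in cmd for hint in USER_WRITABLE_HINTS):
        reasons.append("exec_from_user_writable_path")
    if cmd in {t.lower() for t in run_key_targets}:
        reasons.append("exec_matches_run_key_target")
    return reasons


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, parse_task(doc)["command"], triage_task(doc))
```

To use it on a live host, read the task file under C:\Windows\System32\Tasks\<task name> as bytes and pass those bytes to triage_task; the /xml temp files themselves are usually gone by the time the host is examined, which is why the report's Downloads section (four small files of 496B and 1KB) is the place to look for them.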
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    PID 3704: TNT AWB TRACKING DETAILS.exe (3 events)
    PID 4284: TNT AWB TRACKING DETAILS.exe (3 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 4284: TNT AWB TRACKING DETAILS.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege (PID 3704, TNT AWB TRACKING DETAILS.exe)
    Token: SeDebugPrivilege (PID 4284, TNT AWB TRACKING DETAILS.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    PID 3704 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 4576 (schtasks.exe): 3 events
    PID 3704 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 4284 (TNT AWB TRACKING DETAILS.exe): 8 events
    PID 4284 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 4760 (schtasks.exe): 3 events
    PID 4284 (TNT AWB TRACKING DETAILS.exe) wrote to memory of PID 4264 (schtasks.exe): 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe (PID 3704)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe (PID 4576)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXNNIWvBZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe (PID 4284)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\schtasks.exe (PID 4760)
      Command line: "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD63C.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (PID 4264)
      Command line: "schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD68B.tmp"
      - Creates scheduled task(s)
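The process tree is the reproducible part of this report: the loader (PID 3704) queries the Geo\Nation key from a %TEMP% path, sets the thread context of a second copy of its own image (PID 4284), and that copy drops ddpsv.exe, points a Run key at it and registers two scheduled tasks from temp XML files. The block below is an added example, not part of the sandbox report: it encodes those four behaviours as rules and runs them over a constructed event stream. The event schema (type, pid, image, cmdline, key, value, path, target_pid fields) is an assumption made for the example; the values in the events are copied from the report's IoCs, plus two constructed benign events that must not fire. Real Sysmon or EDR telemetry will need its own field names mapped onto this shape.

```python
"""Added example (not from the report): rule logic for the report's process-tree behaviours.

Assumptions: the event schema below is invented for this example; IoC values
come from the report; the two events for PIDs 9000/9001 are constructed
benign controls.
"""
import re
from typing import Dict, List, Set

Event = Dict[str, str]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\TNT AWB TRACKING DETAILS.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPED = r"C:\Program Files (x86)\DDP Service\ddpsv.exe"

# Constructed event stream (schema invented; values taken from the report's signatures).
SAMPLE_EVENTS: List[Event] = [
    {"type": "registry_query", "pid": "3704", "image": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": "4576", "ppid": "3704", "image": SCHTASKS,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vXNNIWvBZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD1C7.tmp"'},
    {"type": "set_thread_context", "pid": "3704", "image": SAMPLE, "target_pid": "4284", "target_image": SAMPLE},
    {"type": "file_create", "pid": "4284", "image": SAMPLE, "path": DROPPED},
    {"type": "registry_set", "pid": "4284", "image": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service", "value": DROPPED},
    {"type": "process_create", "pid": "4760", "ppid": "4284", "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD63C.tmp"'},
    # Constructed benign controls: an installer registering a task from its own
    # ProgramData XML and a Run key for a binary it did not just drop.
    {"type": "process_create", "pid": "9001", "ppid": "9000", "image": SCHTASKS,
     "cmdline": r'schtasks.exe /create /tn "Vendor\Updater" /xml "C:\ProgramData\Vendor\updater.xml"'},
    {"type": "registry_set", "pid": "9000", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "value": r"C:\Program Files\Vendor\agent.exe"},
]

# A task XML handed to schtasks straight out of the user's temp directory,
# named like a freshly created temp file (tmpXXXX.tmp).
TEMP_TMP_RE = re.compile(r'\\appdata\\local\\temp\\tmp[^\\"]*\.tmp', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _from_temp(image: str) -> bool:
    return "\\appdata\\local\\temp\\" in image.lower()


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one hit per (rule, event).  File creations are collected first so
    the Run-key rule can correlate regardless of event ordering."""
    created: Dict[str, Set[str]] = {}
    for e in events:
        if e["type"] == "file_create":
            created.setdefault(e["pid"], set()).add(e["path"].lower())

    hits: List[Dict[str, str]] = []

    def hit(rule: str, e: Event) -> None:
        hits.append({"rule": rule, "pid": e["pid"], "image": e["image"]})

    for e in events:
        t = e["type"]
        if t == "registry_query":
            # Geofence lookup is common in legitimate software; the signal here
            # is the combination with an image running out of %TEMP%.
            if e["key"].lower().endswith("\\control panel\\international\\geo\\nation") and _from_temp(e["image"]):
                hit("geofence_lookup_from_temp", e)
        elif t == "process_create" and _basename(e["image"]) == "schtasks.exe":
            cl = e["cmdline"]
            if re.search(r"/create\b", cl, re.I) and re.search(r"/xml\b", cl, re.I) and TEMP_TMP_RE.search(cl):
                hit("schtasks_xml_from_temp", e)
        elif t == "set_thread_context":
            # A process setting the thread context of a different process that
            # runs the same image is the hollowing pattern in the report.
            if e["pid"] != e["target_pid"] and _basename(e["image"]) == _basename(e["target_image"]):
                hit("thread_context_set_on_same_image_child", e)
        elif t == "registry_set" and "\\currentversion\\run\\" in e["key"].lower():
            # Run key pointing at a file the same process created in this trace.
            if e["value"].lower().strip('"') in created.get(e["pid"], set()):
                hit("run_key_to_self_dropped_binary", e)
    return hits


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h["rule"], h["pid"], h["image"])
```

The Run-key rule is the one worth keeping from this set: a Run value that names a file the writing process created moments earlier is rare outside installers, and installers do not usually run from %TEMP% with a shipping-notice file name.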
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 496B
  MD5: 7baa6583f69f63f7230df9bf98448356
  SHA1: fe9eb85b57192362da704a3c130377fe83862320
  SHA256: a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f
  SHA512: 0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051

- Filesize: 1KB
  MD5: a87114f5028ad82250aac7a9df9d543c
  SHA1: 8dba7fde19dd21388deb862e88d2f058bb4e60e6
  SHA256: 929b9cf55578283995eb844f316570dd894ef0ea0dfc6b242598b16dcf1a180d
  SHA512: 6ac393b5d46adad03f807d3216075cf6b5954dabf70acfc250fa6e5db0f2039d94ee99ff0b50118b43fa6b47b1ab79660b3e5b3f412b3f93aa0cdf0c5a01b1be

- Filesize: 1KB
  MD5: d4343b952f5e92c7dd0cda4158a2965b
  SHA1: b34b2a0ea9ed2781da3fdad88bb60152cada238b
  SHA256: e10e7f2509a207cb6036e897f69cbfab1bc15540418362d2ea61441c982b13ca
  SHA512: 2e60bcf166cc8ef6a7aeb9134562af0b3a0d81f3ab8bb9ec359de74a3dee51e20c0ecdde42c8c1bdf68542ece98bb17fb2dbc8ea9d3f0e4784dc473596970f27

- Filesize: 1KB
  MD5: 93d357e6194c8eb8d0616a9f592cc4bf
  SHA1: 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
  SHA256: a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
  SHA512: 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f