Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 09:12
Static task: static1
Behavioral task: behavioral1
- Sample: shipping document.exe
- Resource: win7-20240508-en
General
- Target: shipping document.exe
- Size: 258KB
- MD5: 612dbb3e0e9540bd711321f239e6ae59
- SHA1: 2f3f519aa1dda89459173f4d4df7b1a9edeb545f
- SHA256: 68035b3c8c61cb3fd66d50c97af1167418e84d169aa6424364d1effa09598497
- SHA512: c8358bc80ba266e6ea7369ae29251e7d6ed30eb83ba1ed28b0369cd2bd7f515373eab55838194ac0e12095c4c4359237ba359d3a2f8cbd3f5b1a3feda4b4edaf
- SSDEEP: 6144:DT9Tn0sHnkKY3gJ3oQrU3gFE4qt2/gMq0f06:DRT0sHi3g/IgqZ2/J
Malware Config
Extracted: nanocore 1.2.2.0
dengsman.duckdns.org:30201
127.0.0.1:30201
68929715-1cd3-418e-9481-b31bf6322d48
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 37.235.1.177
- buffer_size: 65535
- build_time: 2018-04-15T16:24:33.310279636Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 30201
- default_group: dengs
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 68929715-1cd3-418e-9481-b31bf6322d48
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: dengsman.duckdns.org
- primary_dns_server: 37.235.1.174
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- shipping document.exe: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
Processes (pid process):
- 4760 tmp.exe
- 1492 svhost.exe
Unexpected DNS network traffic destination (7 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
- Destination IP 37.235.1.174
- Destination IP 37.235.1.174
- Destination IP 37.235.1.177
- Destination IP 37.235.1.174
- Destination IP 37.235.1.174
- Destination IP 37.235.1.177
- Destination IP 37.235.1.177
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- svhost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe"
Checks whether UAC is enabled (1 IoCs)
Processes:
- svhost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops desktop.ini file(s) (2 IoCs)
Processes:
- shipping document.exe: File created C:\Windows\assembly\Desktop.ini
- shipping document.exe: File opened for modification C:\Windows\assembly\Desktop.ini
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 3080 set thread context of 1492 (shipping document.exe -> svhost.exe)
Drops file in Program Files directory (2 IoCs)
Processes:
- svhost.exe: File created C:\Program Files (x86)\LAN Monitor\lanmon.exe
- svhost.exe: File opened for modification C:\Program Files (x86)\LAN Monitor\lanmon.exe
Drops file in Windows directory (3 IoCs)
Processes:
- shipping document.exe: File opened for modification C:\Windows\assembly
- shipping document.exe: File created C:\Windows\assembly\Desktop.ini
- shipping document.exe: File opened for modification C:\Windows\assembly\Desktop.ini
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
NTFS ADS (1 IoCs)
Processes:
- cmd.exe: File created C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe:Zone.Identifier
Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes (pid process):
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 1492 svhost.exe
- 1492 svhost.exe
- 1492 svhost.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
- 3080 shipping document.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid process):
- 1492 svhost.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
- 3080 shipping document.exe: Token: SeDebugPrivilege
- 3080 shipping document.exe: Token: 33
- 3080 shipping document.exe: Token: SeIncBasePriorityPrivilege
- 1492 svhost.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
- PID 3080 wrote to memory of 4068 (shipping document.exe -> cmd.exe)
- PID 3080 wrote to memory of 4068 (shipping document.exe -> cmd.exe)
- PID 3080 wrote to memory of 4068 (shipping document.exe -> cmd.exe)
- PID 4068 wrote to memory of 2896 (cmd.exe -> reg.exe)
- PID 4068 wrote to memory of 2896 (cmd.exe -> reg.exe)
- PID 4068 wrote to memory of 2896 (cmd.exe -> reg.exe)
- PID 3080 wrote to memory of 4760 (shipping document.exe -> tmp.exe)
- PID 3080 wrote to memory of 4760 (shipping document.exe -> tmp.exe)
- PID 3080 wrote to memory of 4760 (shipping document.exe -> tmp.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
- PID 3080 wrote to memory of 1492 (shipping document.exe -> svhost.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\shipping document.exe (PID 3080)
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping document.exe"
  Signatures:
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 4068)
    Command line: "cmd.exe"
    Signatures:
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\reg.exe (PID 2896)
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe.lnk" /f
  - C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4760)
    Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Signatures:
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\svhost.exe (PID 1492)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\FolderN\vname.exe
  Filesize: 258KB
  MD5: 612dbb3e0e9540bd711321f239e6ae59
  SHA1: 2f3f519aa1dda89459173f4d4df7b1a9edeb545f
  SHA256: 68035b3c8c61cb3fd66d50c97af1167418e84d169aa6424364d1effa09598497
  SHA512: c8358bc80ba266e6ea7369ae29251e7d6ed30eb83ba1ed28b0369cd2bd7f515373eab55838194ac0e12095c4c4359237ba359d3a2f8cbd3f5b1a3feda4b4edaf
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 89KB
  MD5: 84c42d0f2c1ae761bef884638bc1eacd
  SHA1: 4353881e7f4e9c7610f4e0489183b55bb58bb574
  SHA256: 331487446653875bf1e628b797a5283e40056654f7ff328eafbe39b0304480d3
  SHA512: 43c307a38faa3a4b311597034cf75035a4434a1024d2a54e867e6a94b53b677898d71a858438d119000e872a7a6e92c5b31d277a8c207a94375ed4fd3c7beb87
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Filesize: 202KB
  MD5: 780148d708a0dc38f4236938077bd24b
  SHA1: a48c8e96c1138f01ffcbe32c0bc9c8fd455d5398
  SHA256: 1f71343d779b3d212243a90fc59658406b53a05b5f34fecb7bda4d6d36a2b713
  SHA512: 54840659439f2acfecf07af7a0a3fcf928537a1b7fea40dbfd11d31d4903ebe2df86a14dd33ada78b5f3e1961bb7bca7bafd9e512abd60f0e0f8233b607964bb
Memory dumps
- memory/1492-35-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/1492-21-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/1492-26-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/1492-25-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/1492-27-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/1492-34-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/3080-2-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/3080-1-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/3080-33-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/3080-0-0x0000000075572000-0x0000000075573000-memory.dmp (Filesize: 4KB)
- memory/4760-24-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/4760-31-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)
- memory/4760-20-0x0000000075570000-0x0000000075B21000-memory.dmp (Filesize: 5.7MB)