Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 05:37
- Static task: static1
- Behavioral task: behavioral1
  - Sample: BILL OF LOADING/BILL OF LOADING.exe
  - Resource: win7-20240508-en
General
- Target: BILL OF LOADING/BILL OF LOADING.exe
- Size: 906KB
- MD5: 63b7c9c97cb399ef233ce10e83b65663
- SHA1: 85e539468312c87fc6daed7164f246e5fa638f20
- SHA256: feac8bae828a3756389b379ae1bc0eda56bdcbec371c62bd3c980ffe11c1b0a0
- SHA512: 137d2579c257ee22e7416fad42dcbb2e24c20a6a2ea9079a58bf7f8d30ab6203837646e74b24142bf015f806f26de5522edb40255fd4b479f9ba6e8b9dcd7fa2
- SSDEEP: 24576:f2O/GlPO2+Bl8CXU+b+lwmxhKbH3w1GthA0E:Bz8t+alwmxUT3zg0E
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: leosmart.zapto.org:3365, 212.7.218.52:3365
- Mutex: 5eddd847-a776-47e0-824c-cf94d3e848d6

Configuration keys
- activate_away_mode: true
- backup_connection_host: 212.7.218.52
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2017-12-05T04:53:06.594023236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3365
- default_group: cash out
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 5eddd847-a776-47e0-824c-cf94d3e848d6
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: leosmart.zapto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: BILL OF LOADING.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (BILL OF LOADING.exe)
- Executes dropped EXE (2 IoCs)
  Processes: epr.exe (PID 5104), epr.exe (PID 4660)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: epr.exe, RegSvcs.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\goals = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\epr.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\40633691\\CRI_BM~1" (epr.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisvc.exe" (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: epr.exe
    PID 4660 set thread context of PID 884: epr.exe -> RegSvcs.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: RegSvcs.exe
    File created: C:\Program Files (x86)\DPI Service\dpisvc.exe (RegSvcs.exe)
    File opened for modification: C:\Program Files (x86)\DPI Service\dpisvc.exe (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: epr.exe (PID 5104, 2 events), RegSvcs.exe (PID 884, 3 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: RegSvcs.exe (PID 884)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe (PID 884)
    Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: BILL OF LOADING.exe, epr.exe, epr.exe
    PID 4900 wrote to memory of PID 5104: BILL OF LOADING.exe -> epr.exe (3 events)
    PID 5104 wrote to memory of PID 4660: epr.exe -> epr.exe (3 events)
    PID 4660 wrote to memory of PID 884: epr.exe -> RegSvcs.exe (8 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\BILL OF LOADING\BILL OF LOADING.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\BILL OF LOADING\BILL OF LOADING.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe" cri=bmv
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe C:\Users\Admin\AppData\Local\Temp\40633691\QKNOB
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\40633691\QKNOB
  Filesize: 86KB
  MD5: 458a1b6d11ccc54ff99f06fafbcc4f15
  SHA1: a52b6d318b797b3dbece1ba5c0fb87f212de81f7
  SHA256: 433a04b587e62bd4baf7192d783bc4fdea4ce2ebb1a951332e03f32e46463f61
  SHA512: f7d73f100ee0b5f9e79f7fb119e1b0123b65a3d1d6ec8c7bec487f6b7027cb51a8a1262bf838dc97c0a0a39dfbef9a25dd1cdcb6d192cafe73d333e43cd3d879
- C:\Users\Admin\AppData\Local\Temp\40633691\cri=bmv
  Filesize: 183KB
  MD5: ca49d5e6c03a09032728e91d192b9905
  SHA1: ebbc137ac900d5e8fea261606024f35078ab2a21
  SHA256: f3d52b4c5fbcc79cdb3a249401cf5413df1e4d24656a5767e22380a0d1bbdc8d
  SHA512: 4fbdef69b005276cb7e0129d6571d40a27dbcfd47c40c1d77c62a81c3694f341094188f94382087875a4032d11382aeb6b714e2bca9f3640d66c3ab52c84ac0c
- C:\Users\Admin\AppData\Local\Temp\40633691\epr.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\40633691\ipg.icm
  Filesize: 64B
  MD5: 7a80edf15dc0a33c0019c9b37d38bc1c
  SHA1: b27c1be7d270b7478a1d7781bf1bef2bb7dd3893
  SHA256: db50b5f644811c57f4591bffb64d6aad80e48547318dc6a0831872e9c28f26e9
  SHA512: e6f39ed9885e781ebffd67f9589add54747e632320aa6997256b3e7c827b8e41e37e27c6de697f082feb5a76d2cd972dc4f981cc886080d435af04edd89a77e6
- C:\Users\Admin\AppData\Local\Temp\40633691\wcn.ico
  Filesize: 399B
  MD5: c91231980cac0c054acb16d337e660f6
  SHA1: a26bd4f0b3ba8b212c59b77b38e0a1105875071c
  SHA256: 262e13318a1fe6de6fcabc2240323a50680164f0b4d553210542744c6f46330d
  SHA512: 2f9c65ee51e859580d9ba51c5d6d2c3fcd69004ff029a28858d2fc33049964308ea6f255e56d6329cfd5e6f15d3f76d5b12cec6c4c73463c947bcf0faa822071
- C:\Users\Admin\AppData\Local\Temp\40633691\wdv.ppt
  Filesize: 635KB
  MD5: d271c6cc1e107d4812b14b6aca3e8af4
  SHA1: 4f829384cf691c8a257936ca1858a9607ce71fbf
  SHA256: f9c07a3bf95df9704c38fa941894fc3b0c5b79d862afb47a6b92ef0b3a5ad462
  SHA512: 4925016c1c937a1a2e60fa5db9a976f91e099e4d65f1bc5dc3c8894474c0f0d7ef464016b403d4ecfeca506de4abff7a74de4ef29d3f32f89e134d178ef16753

Memory dumps (PID 884, RegSvcs.exe)
- memory/884-121-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/884-122-0x0000000005840000-0x0000000005DE4000-memory.dmp
  Filesize: 5.6MB
- memory/884-123-0x00000000051D0000-0x0000000005262000-memory.dmp
  Filesize: 584KB
- memory/884-124-0x0000000005290000-0x000000000532C000-memory.dmp
  Filesize: 624KB
- memory/884-125-0x00000000051B0000-0x00000000051BA000-memory.dmp
  Filesize: 40KB
- memory/884-128-0x00000000053C0000-0x00000000053CA000-memory.dmp
  Filesize: 40KB
- memory/884-129-0x0000000005560000-0x000000000557E000-memory.dmp
  Filesize: 120KB
- memory/884-130-0x0000000006180000-0x000000000618A000-memory.dmp
  Filesize: 40KB