Analysis
-
max time kernel
85s -
max time network
154s -
platform
windows7_x64 -
resource
win7 -
submitted
30-06-2020 13:02
General
-
Target
ZtwPj90AM5uNjVx.exe
-
Size
390KB
-
MD5
4c05e57f9047e2206f9e1d168fa06481
-
SHA1
6346ac10485dfb99bbf1a2570d306feacda3f7ba
-
SHA256
dd02cb85d94d9d687d5de330f198abd8f1a84720947c03dfad880526830986f3
-
SHA512
3f09c8173095b5fff64a43b0ba8259d9f358a27b55ab6fec637d93683f7abfb949edf89937481d3b15920329b1e41f34544203cc22976da6f6dc3334935a43fd
Malware Config
Extracted
nanocore
1.2.2.0
91.193.75.58:1985
596c2bb9-90b7-4362-af9a-082627ebed15
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-30T21:40:30.911959536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1985
-
default_group
official
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
596c2bb9-90b7-4362-af9a-082627ebed15
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
91.193.75.58
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Adds Run entry to start application 2 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Drops file in Program Files directory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZtwPj90AM5uNjVx.exe"C:\Users\Admin\AppData\Local\Temp\ZtwPj90AM5uNjVx.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EmEIYFCwLYSPp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B54.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Checks whether UAC is enabled
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9B54.tmp
-
memory/732-2-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/732-3-0x000000000041E792-mapping.dmp
-
memory/732-4-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/732-5-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/740-0-0x0000000000000000-mapping.dmp