Analysis

max time kernel: 57s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 05-01-2021 08:08

Static task: static1
Behavioral task: behavioral1
Sample: File.exe
Resource: win7v20201028

General

Target: File.exe
Size: 1.0MB
MD5: 64becd6a7a8590aea83f5d702b66a34b
SHA1: 3b4b903509f057357ef73784f5ce8aaad027a067
SHA256: 0c687ab49f5ce45edd012b56f690fe15cf0001769fa33b482c91c65cd5c626fc
SHA512: 4ed2b6df7307289907e70fa8fac4cd01bc636787f97f9aca8ba782e33ea7f0e8b101ad035b26485b5c66f59fd674f45f39192ff15c18f217bb5daa5f14e59933
Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: innocentbooii.hopto.org:55420, 194.5.98.133:55420
Mutex: aa47b8cc-db9f-4bb0-af63-a1d647549754

Attributes:
activate_away_mode: false
backup_connection_host: 194.5.98.133
backup_dns_server:
buffer_size: 65538
build_time: 2020-09-25T13:39:29.523835236Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 55420
default_group: Bail
enable_debug_mode: true
gc_threshold: 1.0485772e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.0485772e+07
mutex: aa47b8cc-db9f-4bb0-af63-a1d647549754
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: innocentbooii.hopto.org
primary_dns_server:
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8009
Signatures

Checks whether UAC is enabled
Processes:
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  File.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process   target process
  PID 652 set thread context of 2252  652  File.exe  File.exe

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3764  schtasks.exe
  1064  schtasks.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  pid   process
  652   File.exe
  2252  File.exe
  2252  File.exe
  2252  File.exe
  2252  File.exe
  2252  File.exe
  2252  File.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2252  File.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  652   File.exe
  Token: SeDebugPrivilege  2252  File.exe
  Token: SeDebugPrivilege  2252  File.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                       pid   process   target process
  PID 652 wrote to memory of 3764   652   File.exe  schtasks.exe
  PID 652 wrote to memory of 3764   652   File.exe  schtasks.exe
  PID 652 wrote to memory of 3764   652   File.exe  schtasks.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 652 wrote to memory of 2252   652   File.exe  File.exe
  PID 2252 wrote to memory of 1064  2252  File.exe  schtasks.exe
  PID 2252 wrote to memory of 1064  2252  File.exe  schtasks.exe
  PID 2252 wrote to memory of 1064  2252  File.exe  schtasks.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\File.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uoiGoAgNIP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp763.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\File.exe
    Command line: "{path}"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA71.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp763.tmp
  MD5: a4f59b2d9946ffb2ce51b8d4c0bf18da
  SHA1: 8adece2f109282b3732ee70cd78f7bf70093151b
  SHA256: 96e7c4c5d2ecd444979de6428ee0301f50755119e78f6794a31b5f85e9d5403f
  SHA512: 969693106e4bf1bcab3a8d92f9dfbb0f64229a3355c043fdc8ed61eb4eb8c3204c564835f76448bcbb9b6a551a6b680749a7c35b18bed883a4f538cb0e9581cf

C:\Users\Admin\AppData\Local\Temp\tmpA71.tmp
  MD5: b9ff32dd5b07a822c08ca4550298ffd9
  SHA1: 30e7b594aec1f3f554ca7a460d3ed99fdbacd4f2
  SHA256: 0a2419cb37d47c1ac8cfbf20d33e566f985f22f6ca810e3cb3e12dfc5d59202c
  SHA512: 510a84f4e7df924edd8521ab91cb829204ee24b993994a06df0a86b660b763ced58f0d7851106ba6fc4133be47cef30320ca17de9afcf75b3f16cd614798ac89

memory/1064-8-0x0000000000000000-mapping.dmp
memory/2252-6-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/2252-7-0x000000000041E792-mapping.dmp
memory/3764-4-0x0000000000000000-mapping.dmp