Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 12-01-2021 06:19
- Static task: static1
- Behavioral task: behavioral1
  Sample: Scan002.exe.exe
  Resource: win7v20201028
General
- Target: Scan002.exe.exe
- Size: 889KB
- MD5: 8e2315d05c47fefdddf0a686bf9e353e
- SHA1: e56fe197d61518b5ea20696677c3fb444e39860e
- SHA256: dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a
- SHA512: d052fadfe382f2910992677f65bfdd1c5cdabd50837925b6b5ea14038026ec49e30112de25d3e88a78ce832cee7d79ae66a0821c2570276c12fbcad2676050cc
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: innocentbooii.hopto.org:55420, 172.111.249.15:55420
- Mutex: f54d19ad-33bd-4372-9241-49940a512cfd
- activate_away_mode: false
- backup_connection_host: 172.111.249.15
- backup_dns_server:
- buffer_size: 65538
- build_time: 2020-10-21T16:20:24.090592536Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 55420
- default_group: 2021
- enable_debug_mode: true
- gc_threshold: 1.0485772e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485772e+07
- mutex: f54d19ad-33bd-4372-9241-49940a512cfd
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: innocentbooii.hopto.org
- primary_dns_server:
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8009
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Scan002.exe.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"
  process: Scan002.exe.exe
- Checks whether UAC is enabled
  Processes: Scan002.exe.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Scan002.exe.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Scan002.exe.exe
  description: PID 1584 set thread context of 316
  pid: 1584, process: Scan002.exe.exe, target process: Scan002.exe.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: Scan002.exe.exe
  description: File created, ioc: C:\Program Files (x86)\WPA Host\wpahost.exe, process: Scan002.exe.exe
  description: File opened for modification, ioc: C:\Program Files (x86)\WPA Host\wpahost.exe, process: Scan002.exe.exe
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid 1356: schtasks.exe
  pid 564: schtasks.exe
  pid 1520: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: Scan002.exe.exe
  pid 316: Scan002.exe.exe
  pid 316: Scan002.exe.exe
  pid 316: Scan002.exe.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Scan002.exe.exe
  pid 316: Scan002.exe.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Scan002.exe.exe
  description: Token: SeDebugPrivilege, pid 316: Scan002.exe.exe
  description: Token: SeDebugPrivilege, pid 316: Scan002.exe.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: Scan002.exe.exe, Scan002.exe.exe
  PID 1584 wrote to memory of 1356 (1584 Scan002.exe.exe -> schtasks.exe)
  PID 1584 wrote to memory of 1356 (1584 Scan002.exe.exe -> schtasks.exe)
  PID 1584 wrote to memory of 1356 (1584 Scan002.exe.exe -> schtasks.exe)
  PID 1584 wrote to memory of 1356 (1584 Scan002.exe.exe -> schtasks.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 1584 wrote to memory of 316 (1584 Scan002.exe.exe -> Scan002.exe.exe)
  PID 316 wrote to memory of 564 (316 Scan002.exe.exe -> schtasks.exe)
  PID 316 wrote to memory of 564 (316 Scan002.exe.exe -> schtasks.exe)
  PID 316 wrote to memory of 564 (316 Scan002.exe.exe -> schtasks.exe)
  PID 316 wrote to memory of 564 (316 Scan002.exe.exe -> schtasks.exe)
  PID 316 wrote to memory of 1520 (316 Scan002.exe.exe -> schtasks.exe)
  PID 316 wrote to memory of 1520 (316 Scan002.exe.exe -> schtasks.exe)
  PID 316 wrote to memory of 1520 (316 Scan002.exe.exe -> schtasks.exe)
  PID 316 wrote to memory of 1520 (316 Scan002.exe.exe -> schtasks.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbebSiSIKndjd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA05.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe
    command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpADCC.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAE69.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAA05.tmp
  MD5: bfd197fc91a538adf4fb05e1641213f4
  SHA1: 1b305544e6e6062d6ab1b0017e5a12b96f15321a
  SHA256: 183d1a793ffa32e6098f947cfbcff4467f1a0b3a89d7a6c9c1df94ed318bbc17
  SHA512: b40c3f37c6e37bdcf54aab0e631561724090299efd343eaf1a9e39a73c34f9befd8a7c6e8b6b7c5dc89b0b855cb7cc6c06aab996ddf5bd47b38a6f9318682f38
- C:\Users\Admin\AppData\Local\Temp\tmpADCC.tmp
  MD5: d0012a18a14a6cd74aed7e51145359ae
  SHA1: e0bf7fd2cf291fe3ac6f28a3c6bddf82574d1a9a
  SHA256: 27193526db5391802b5b885ae0a04ea244164dc7e3407b83000e69efcb6a9998
  SHA512: e9dc0e040cac08f476251ffc5eab8e2981b867c555b0728f165427eccd6970261ea3896ffc3f450a1c9d4aee6fe646fca8fcdbbd8ebf8670aead6401368d54aa
- C:\Users\Admin\AppData\Local\Temp\tmpAE69.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd
- memory/316-4-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/316-5-0x000000000041E792-mapping.dmp
- memory/316-6-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/316-7-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/564-8-0x0000000000000000-mapping.dmp
- memory/1356-2-0x0000000000000000-mapping.dmp
- memory/1520-10-0x0000000000000000-mapping.dmp