Analysis
  max time kernel: 143s
  max time network: 148s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 12-01-2021 06:19

Static task: static1
Behavioral task: behavioral1
  Sample: Scan002.exe.exe
  Resource: win7v20201028
General
  Target: Scan002.exe.exe
  Size: 889KB
  MD5: 8e2315d05c47fefdddf0a686bf9e353e
  SHA1: e56fe197d61518b5ea20696677c3fb444e39860e
  SHA256: dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a
  SHA512: d052fadfe382f2910992677f65bfdd1c5cdabd50837925b6b5ea14038026ec49e30112de25d3e88a78ce832cee7d79ae66a0821c2570276c12fbcad2676050cc
Malware Config
Extracted
  Family: nanocore
  Version: 1.2.2.0
  C2: innocentbooii.hopto.org:55420
  C2: 172.111.249.15:55420
  Mutex: f54d19ad-33bd-4372-9241-49940a512cfd

  Attributes:
    activate_away_mode: false
    backup_connection_host: 172.111.249.15
    backup_dns_server: (empty)
    buffer_size: 65538
    build_time: 2020-10-21T16:20:24.090592536Z
    bypass_user_account_control: false
    bypass_user_account_control_data: (value not recovered)
    clear_access_control: false
    clear_zone_identifier: false
    connect_delay: 4000
    connection_port: 55420
    default_group: 2021
    enable_debug_mode: true
    gc_threshold: 10485772
    keep_alive_timeout: 30000
    keyboard_logging: false
    lan_timeout: 2500
    max_packet_size: 10485772
    mutex: f54d19ad-33bd-4372-9241-49940a512cfd
    mutex_timeout: 5000
    prevent_system_sleep: false
    primary_connection_host: innocentbooii.hopto.org
    primary_dns_server: (empty)
    request_elevation: false
    restart_delay: 5000
    run_delay: 0
    run_on_startup: false
    set_critical_process: false
    timeout_interval: 5000
    use_custom_dns_server: false
    version: 1.2.2.0
    wan_timeout: 8009
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\Program Files (x86)\WAN Service\wansv.exe" | Scan002.exe.exe

Checks whether UAC is enabled (1 IoC)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Scan002.exe.exe

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 4776 set thread context of 4424 | 4776 | Scan002.exe.exe | Scan002.exe.exe
  (Together with the eight WriteProcessMemory calls from 4776 into 4424 below and the 0x400000-0x43A000 image region dumped for 4424 in Downloads, this is the parent writing a payload into a suspended copy of itself and redirecting its main thread.)

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\WAN Service\wansv.exe | Scan002.exe.exe
  File opened for modification | C:\Program Files (x86)\WAN Service\wansv.exe | Scan002.exe.exe

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  1664 | schtasks.exe
  3452 | schtasks.exe
  4496 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  4776 | Scan002.exe.exe
  4424 | Scan002.exe.exe (3 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  4424 | Scan002.exe.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4776 | Scan002.exe.exe
  Token: SeDebugPrivilege | 4424 | Scan002.exe.exe (2 times)

Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | target process
  PID 4776 wrote to memory of 1664 | 4776 | Scan002.exe.exe | schtasks.exe (3 calls)
  PID 4776 wrote to memory of 4424 | 4776 | Scan002.exe.exe | Scan002.exe.exe (8 calls)
  PID 4424 wrote to memory of 3452 | 4424 | Scan002.exe.exe | schtasks.exe (3 calls)
  PID 4424 wrote to memory of 4496 | 4424 | Scan002.exe.exe | schtasks.exe (3 calls)
Processes

C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe (pid 4776)
  command line: "C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (pid 1664)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbebSiSIKndjd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAC8.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe (pid 4424)
    command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCEA0.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCEE0.tmp"
      - Creates scheduled task(s)
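As an added example (not part of the sandbox report and not code from the NanoCore sample), the Python below turns the behaviours listed above into detection rules and runs them over a constructed batch of Sysmon-style events. The C2 host and port, the Run key name, the wansv.exe path and the schtasks command lines are taken from the report; the event field names, the three benign events and the "process running from %TEMP%" heuristic are assumptions.

```python
"""Detection rules for the behaviours in the Scan002.exe.exe report, run over
constructed Sysmon-style events.  Added example; event shapes and the %TEMP%
heuristic are assumptions, the indicators come from the report above."""
import re

# Indicators from the extracted NanoCore config above.
C2_HOSTS = {"innocentbooii.hopto.org", "172.111.249.15"}
C2_PORT = 55420

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
PROGRAM_FILES = "c:\\program files (x86)\\"


def _in_temp(path):
    return TEMP_RE.search(path or "") is not None


def rule_run_key_from_temp(ev):
    """Sysmon EID 13: a process running from %TEMP% writes a Run key value."""
    return (ev.get("EventID") == 13
            and RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None
            and _in_temp(ev.get("Image")))


def rule_schtasks_xml_from_temp(ev):
    """EID 1: schtasks /create whose /xml task definition lives in %TEMP%."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return False
    cl = ev.get("CommandLine", "")
    if re.search(r"/create\b", cl, re.I) is None:
        return False
    # quoted path first (may contain spaces), then an unquoted token
    m = re.search(r'/xml\s+"([^"]+)"', cl, re.I) or re.search(r"/xml\s+(\S+)", cl, re.I)
    return m is not None and _in_temp(m.group(1))


def rule_self_spawn_from_temp(ev):
    """EID 1: a binary in %TEMP% launches a second copy of itself, the usual
    precursor to the WriteProcessMemory/SetThreadContext hollowing seen above."""
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower() == ev.get("ParentImage", "").lower()
            and _in_temp(ev.get("Image")))


def rule_program_files_drop(ev):
    """EID 11: a process in %TEMP% creates a file under Program Files (x86)."""
    return (ev.get("EventID") == 11
            and _in_temp(ev.get("Image"))
            and ev.get("TargetFilename", "").lower().startswith(PROGRAM_FILES))


def rule_c2_connection(ev):
    """EID 3: outbound connection to the configured NanoCore host or port."""
    if ev.get("EventID") != 3:
        return False
    return (ev.get("DestinationPort") == C2_PORT
            or ev.get("DestinationHostname", "") in C2_HOSTS
            or ev.get("DestinationIp", "") in C2_HOSTS)


RULES = {
    "run_key_from_temp": rule_run_key_from_temp,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "self_spawn_from_temp": rule_self_spawn_from_temp,
    "program_files_drop": rule_program_files_drop,
    "c2_connection": rule_c2_connection,
}


def detect(events):
    """Return (rule_name, event) pairs for every rule each event matches."""
    return [(name, ev) for ev in events for name, fn in RULES.items() if fn(ev)]


def summarize(events):
    """Count matches per rule name."""
    counts = {}
    for name, _ in detect(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE = TEMP + "Scan002.exe.exe"
# Constructed events modelled on the process tree above, plus three benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\UbebSiSIKndjd" /XML "' + TEMP + 'tmpCAC8.tmp"'},
    {"EventID": 1, "Image": SAMPLE, "ParentImage": SAMPLE, "CommandLine": "{path}"},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WAN Service",
     "Details": "C:\\Program Files (x86)\\WAN Service\\wansv.exe"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": "C:\\Program Files (x86)\\WAN Service\\wansv.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": '"schtasks.exe" /create /f /tn "WAN Service" /xml "' + TEMP + 'tmpCEA0.tmp"'},
    {"EventID": 3, "Image": SAMPLE, "DestinationIp": "172.111.249.15", "DestinationPort": 55420},
    # benign: admin task from ProgramData, explorer Run key, ordinary HTTPS
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "schtasks /create /tn Backup /xml C:\\ProgramData\\backup.xml"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name:24s} EID {ev['EventID']:<3} {ev.get('Image')}")
```

The %TEMP% condition is what keeps the benign schtasks and Run key events out; in production you would widen it to other user-writable directories and keep the hollowing rule as a low-confidence signal to be joined with the Run key or scheduled task hits from the same parent.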
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Scan002.exe.exe.log
  MD5:    ef140ef600b2463c9e7dbf064a104046
  SHA1:   c08fd1853877be95575ea2e860dd8cafef31f54c
  SHA256: ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
  SHA512: bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

C:\Users\Admin\AppData\Local\Temp\tmpCAC8.tmp
  MD5:    c0c2dd8f323651f85289a710de8117b3
  SHA1:   df84465082664dd04b020fc0623ff4244b983987
  SHA256: 530589b946336af62254190a3705b0fe34487e7588c0929a002cb4b429b56a43
  SHA512: c0f2706a781a9fe6cbd5fe8b3db5ff14387332055afbadba6dc6d0f3c01c0879d3967360e437eef8f33f883858320a2eb37cde27eee2135d02267d04f513d0e3

C:\Users\Admin\AppData\Local\Temp\tmpCEA0.tmp
  MD5:    d0012a18a14a6cd74aed7e51145359ae
  SHA1:   e0bf7fd2cf291fe3ac6f28a3c6bddf82574d1a9a
  SHA256: 27193526db5391802b5b885ae0a04ea244164dc7e3407b83000e69efcb6a9998
  SHA512: e9dc0e040cac08f476251ffc5eab8e2981b867c555b0728f165427eccd6970261ea3896ffc3f450a1c9d4aee6fe646fca8fcdbbd8ebf8670aead6401368d54aa

C:\Users\Admin\AppData\Local\Temp\tmpCEE0.tmp
  MD5:    eb527779d4a920bac8c3c59e8f4b4b4c
  SHA1:   4c9c48fd4ab89a983c87d810577133dc281160b4
  SHA256: 97a200adfccc855ed435941fe1453a6add1a66b8390d033279c2f1a6a64c26a2
  SHA512: a48c1ca2310a4bceacca90d3b8748fdecc0169738905e0bc62a665ab048c1ae6bb801dc99f0f04d85287993c27bfd0a4e7f59d27a1c233b6662d6ba3ca586da0

memory/1664-2-0x0000000000000000-mapping.dmp
memory/3452-7-0x0000000000000000-mapping.dmp
memory/4424-4-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
memory/4424-5-0x000000000041E792-mapping.dmp
memory/4496-9-0x0000000000000000-mapping.dmp