Analysis
Max time kernel: 67s
Max time network: 150s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 18-01-2021 09:24
Static task: static1
Behavioral task: behavioral1
Sample: a8aac7e2a92af01b0fc23c879558bbab.exe
Resource: win7v20201028
General
Target: a8aac7e2a92af01b0fc23c879558bbab.exe
Size: 1.0MB
MD5: a8aac7e2a92af01b0fc23c879558bbab
SHA1: 677cb1175654988f65e728265e9cba895251fcb2
SHA256: d8d44d6f407890cc863210c01ddec461112b1efb273bcf76bbb3e31419f0bcee
SHA512: 6763333172126ce8c5eb5924779182a488c2c6ea4bedbd3f1265dd165e95816981b3f9e35d1d0dfb7c16b136de70b26ded51f1fd547b6a0157909ad215975039
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: sylviaoslh01.ddns.net:52943
C2: 23.105.131.216:52943
Mutex: 23e7eebd-240d-4908-b034-8afc79aa36ad
activate_away_mode: false
backup_connection_host: 23.105.131.216
backup_dns_server:
buffer_size: 65538
build_time: 2020-10-26T11:59:49.749429636Z
bypass_user_account_control: false
bypass_user_account_control_data:
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
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 52943
default_group: Logs wetyn you de wait for
enable_debug_mode: true
gc_threshold: 1.0485772e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.0485772e+07
mutex: 23e7eebd-240d-4908-b034-8afc79aa36ad
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: sylviaoslh01.ddns.net
primary_dns_server:
request_elevation: false
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8009
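The extracted config is the most reusable part of this report: two C2 endpoints on one port, a mutex GUID and a set of operator switches. Note that run_on_startup is false here while the behavioural signatures further down record a Run key and two scheduled tasks, so the switches should be read as hints and the recorded behaviour as ground truth. The Python below is an added example, not part of the sandbox output: it restores types for the values shown above, extracts network and host IOCs, lists the switches that are actually on, reconciles the config with observed signatures, and emits Suricata rules for the C2 entries. The function names and the SID range are this example's own choices.

```python
"""Added example: turn the extracted NanoCore config into IOCs and rules.
Values are copied from the report above; helper names and the Suricata SID
range are this example's own choices, not part of the sandbox output."""
import ipaddress
from typing import Any

# Constructed from the report's key/value dump, with booleans and ints restored.
NANOCORE_CONFIG: dict[str, Any] = {
    "version": "1.2.2.0",
    "primary_connection_host": "sylviaoslh01.ddns.net",
    "backup_connection_host": "23.105.131.216",
    "connection_port": 52943,
    "use_custom_dns_server": False,
    "primary_dns_server": "",
    "backup_dns_server": "",
    "mutex": "23e7eebd-240d-4908-b034-8afc79aa36ad",
    "default_group": "Logs wetyn you de wait for",
    "build_time": "2020-10-26T11:59:49.749429636Z",
    "activate_away_mode": False,
    "bypass_user_account_control": False,
    "clear_access_control": False,
    "clear_zone_identifier": False,
    "enable_debug_mode": True,
    "keyboard_logging": False,
    "prevent_system_sleep": False,
    "request_elevation": False,
    "run_on_startup": False,
    "set_critical_process": False,
    "connect_delay": 4000,
    "keep_alive_timeout": 30000,
    "restart_delay": 5000,
}


def extract_iocs(cfg: dict[str, Any]) -> dict[str, Any]:
    """Network and host IOCs a SOC can act on directly."""
    port = int(cfg["connection_port"])
    hosts = [cfg.get("primary_connection_host", ""), cfg.get("backup_connection_host", "")]
    network = [(h, port) for h in hosts if h]
    # The DNS server fields only matter when the implant is told to use them.
    dns: list[str] = []
    if cfg.get("use_custom_dns_server"):
        dns = [d for d in (cfg.get("primary_dns_server"), cfg.get("backup_dns_server")) if d]
    return {"network": network, "custom_dns": dns,
            "mutex": cfg["mutex"], "group": cfg["default_group"]}


def enabled_capabilities(cfg: dict[str, Any]) -> list[str]:
    """Boolean switches the operator turned on."""
    return sorted(k for k, v in cfg.items() if v is True)


def reconcile(cfg: dict[str, Any], observed: set[str]) -> list[str]:
    """Flag config switches that disagree with behaviour the sandbox recorded."""
    notes = []
    persistence = {"Adds Run key to start application", "Creates scheduled task(s)"}
    seen = sorted(observed & persistence)
    if seen and not cfg.get("run_on_startup"):
        notes.append("run_on_startup=false but persistence was observed: " + ", ".join(seen))
    return notes


def suricata_rules(iocs: dict[str, Any], base_sid: int) -> list[str]:
    """One rule per C2 entry: dns.query for hostnames, tcp destination for bare IPs."""
    rules = []
    for i, (host, port) in enumerate(iocs["network"]):
        sid = base_sid + i  # assumption: a local SID range
        try:
            ipaddress.ip_address(host)
            rules.append(f'alert tcp $HOME_NET any -> {host} {port} '
                         f'(msg:"NanoCore C2 {host}:{port}"; flow:to_server; sid:{sid}; rev:1;)')
        except ValueError:
            rules.append(f'alert dns $HOME_NET any -> any any '
                         f'(msg:"NanoCore C2 lookup {host}"; dns.query; content:"{host}"; '
                         f'nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(NANOCORE_CONFIG)
    print(iocs)
    print(enabled_capabilities(NANOCORE_CONFIG))
    print(reconcile(NANOCORE_CONFIG, {"Adds Run key to start application", "Creates scheduled task(s)"}))
    for rule in suricata_rules(iocs, 1000001):
        print(rule)
```

The mutex GUID doubles as a host-level IOC (the same value appears as the config's mutex field), and the backup host is the bare IP of the same port, so both rules together cover the case where the dynamic-DNS name is retired.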
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"
Suspicious use of SetThreadContext (1 IoC)
  PID 296 (a8aac7e2a92af01b0fc23c879558bbab.exe) set thread context of PID 268 (RegSvcs.exe)
  Together with the WriteProcessMemory events from PID 296 into PID 268 below, this is the process-hollowing pattern: the loader starts a legitimate .NET utility and overwrites its memory before redirecting its thread, so every later signature attributed to RegSvcs.exe is the NanoCore payload running under that name.
Drops file in Program Files directory (2 IoCs)
  Process: RegSvcs.exe
  File created: C:\Program Files (x86)\WPA Host\wpahost.exe
  File opened for modification: C:\Program Files (x86)\WPA Host\wpahost.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 844), schtasks.exe (PID 1560), schtasks.exe (PID 1536)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: a8aac7e2a92af01b0fc23c879558bbab.exe (PID 296, 1 event), RegSvcs.exe (PID 268, 6 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: RegSvcs.exe (PID 268)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 296 (a8aac7e2a92af01b0fc23c879558bbab.exe), 1 event
  Token: SeDebugPrivilege, PID 268 (RegSvcs.exe), 2 events
Suspicious use of WriteProcessMemory (24 IoCs)
  PID 296 (a8aac7e2a92af01b0fc23c879558bbab.exe) wrote to memory of PID 1536 (schtasks.exe), 4 events
  PID 296 (a8aac7e2a92af01b0fc23c879558bbab.exe) wrote to memory of PID 268 (RegSvcs.exe), 12 events
  PID 268 (RegSvcs.exe) wrote to memory of PID 844 (schtasks.exe), 4 events
  PID 268 (RegSvcs.exe) wrote to memory of PID 1560 (schtasks.exe), 4 events
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe (PID 296)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\schtasks.exe (PID 1536)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LpqUNyJQxR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5BF.tmp"
        - Creates scheduled task(s)
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 268)
        Command line: "{path}"
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC948.tmp"
            - Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC9F4.tmp"
            - Creates scheduled task(s)
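Read together with the signatures, the tree above is a complete loader chain: the sample starts RegSvcs.exe with a placeholder command line, fills it by WriteProcessMemory and redirects it with SetThreadContext, and the hollowed process then persists through two scheduled tasks built from XML staged in %TEMP% plus a Run key pointing at the copy it dropped under Program Files (x86). Each of those steps is visible in ordinary process-creation and registry telemetry without any knowledge of the NanoCore config. The Python below is an added example, not part of the sandbox output: it replays constructed events modelled on this tree (plus one constructed benign schtasks /query for contrast) through three detections a SIEM could carry. The Event shape, the rule names and the DOTNET_HOSTS list are this example's own assumptions; the list deliberately goes beyond the page by including RegAsm.exe, InstallUtil.exe and MSBuild.exe, which are other commonly hollowed .NET utilities.

```python
"""Added example: behavioural detections for the hollowing-plus-persistence chain.
Events are constructed from the process tree in the report; rule names, the
Event shape and DOTNET_HOSTS are this example's own, not part of the sandbox output."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: .NET framework utilities commonly abused as hollowing targets.
# The report only shows RegSvcs.exe; the others are added for coverage.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# "/xml <path under %LOCALAPPDATA%\Temp>" on a schtasks /create command line
TEMP_XML = re.compile(r'/xml\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]+)', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


@dataclass
class Event:
    kind: str                     # "process" (creation) or "registry" (value set)
    pid: int
    image: str
    parent_pid: Optional[int] = None
    cmdline: str = ""
    target: str = ""              # registry value path for "registry" events
    data: str = ""                # registry value data


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[Event]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) triples; one event may fire several rules."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    alerts: list[tuple[int, str, str]] = []
    for e in events:
        name = basename(e.image)
        if e.kind == "registry":
            # A .NET utility has no business writing Run keys; installers do that.
            if RUN_KEY.search(e.target) and name in DOTNET_HOSTS:
                alerts.append((e.pid, "run_key_written_by_dotnet_host", e.data))
            continue
        parent = procs.get(e.parent_pid) if e.parent_pid is not None else None
        if name == "schtasks.exe" and re.search(r"/create\b", e.cmdline, re.I):
            m = TEMP_XML.search(e.cmdline)
            if m:
                # Task definition staged as a tmp file in %TEMP%: loader pattern, not admin use.
                alerts.append((e.pid, "schtasks_create_from_temp_xml", m.group(1)))
        if name == "schtasks.exe" and parent and basename(parent.image) in DOTNET_HOSTS:
            alerts.append((e.pid, "dotnet_host_spawns_schtasks", basename(parent.image)))
        if name in DOTNET_HOSTS and e.cmdline.strip('" ') in ("", "{path}"):
            # RegSvcs.exe takes an assembly path; an empty or placeholder command line
            # is what a hollowed instance looks like at creation time.
            alerts.append((e.pid, "dotnet_host_without_assembly_arg", e.cmdline))
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events mirroring the report's tree, plus one benign control at the end.
EVENTS = [
    Event("process", 296, SAMPLE, None, f'"{SAMPLE}"'),
    Event("process", 1536, r"C:\Windows\SysWOW64\schtasks.exe", 296,
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LpqUNyJQxR" /XML "' + TEMP + r'\tmpC5BF.tmp"'),
    Event("process", 268, REGSVCS, 296, '"{path}"'),
    Event("process", 844, r"C:\Windows\SysWOW64\schtasks.exe", 268,
          r'"schtasks.exe" /create /f /tn "WPA Host" /xml "' + TEMP + r'\tmpC948.tmp"'),
    Event("process", 1560, r"C:\Windows\SysWOW64\schtasks.exe", 268,
          r'"schtasks.exe" /create /f /tn "WPA Host Task" /xml "' + TEMP + r'\tmpC9F4.tmp"'),
    Event("registry", 268, REGSVCS, 296, "",
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host",
          r'"C:\Program Files (x86)\WPA Host\wpahost.exe"'),
    # Constructed benign control: an operator listing a task from cmd.exe.
    Event("process", 4000, r"C:\Windows\System32\cmd.exe", None, '"cmd.exe"'),
    Event("process", 4001, r"C:\Windows\System32\schtasks.exe", 4000, 'schtasks /query /tn "WPA Host"'),
]

if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

The three rules are independent on purpose: the temp-XML rule fires on the first schtasks call made by the sample itself, before any hollowing has happened, while the other two fire only on the hollowed RegSvcs.exe, so an environment that records only one of process creation or registry writes still gets at least one hit. The benign control produces nothing because it neither creates a task nor descends from a .NET host.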
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpC5BF.tmp
  MD5: 22a68ce0965e2597d2278a2f7225cde2
  SHA1: 342beb4b3b978d77b6686a7599638b3236e5a7a3
  SHA256: da1e8a149c2d0cf122f0742c97386cc2d52590aa8205572902149ddc0c6512ad
  SHA512: 0b7136509bd74f7b76b2d66f728b6f15940a30cbecca7023b6cd0d0a8200cd5ecc91063ab47afa9d1784d69c6c3332b68e0dd141bb08b7aee74cb1675adbd0f8
C:\Users\Admin\AppData\Local\Temp\tmpC948.tmp
  MD5: 40b11ef601fb28f9b2e69d36857bf2ec
  SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
  SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
  SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5
C:\Users\Admin\AppData\Local\Temp\tmpC9F4.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd
memory/268-15-0x00000000004A1000-0x00000000004A2000-memory.dmp (4KB)
memory/268-7-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
memory/268-8-0x000000000041E792-mapping.dmp
memory/268-16-0x00000000004A6000-0x00000000004B7000-memory.dmp (68KB)
memory/268-14-0x00000000004A0000-0x00000000004A1000-memory.dmp (4KB)
memory/296-3-0x00000000021E0000-0x00000000021E1000-memory.dmp (4KB)
memory/296-4-0x00000000021E1000-0x00000000021E2000-memory.dmp (4KB)
memory/296-2-0x0000000076381000-0x0000000076383000-memory.dmp (8KB)
memory/844-10-0x0000000000000000-mapping.dmp
memory/1536-5-0x0000000000000000-mapping.dmp
memory/1560-12-0x0000000000000000-mapping.dmp