Analysis
- max time kernel: 70s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 09:24
- Static task: static1
- Behavioral task: behavioral1
  - Sample: a8aac7e2a92af01b0fc23c879558bbab.exe
  - Resource: win7v20201028
General
- Target: a8aac7e2a92af01b0fc23c879558bbab.exe
- Size: 1.0MB
- MD5: a8aac7e2a92af01b0fc23c879558bbab
- SHA1: 677cb1175654988f65e728265e9cba895251fcb2
- SHA256: d8d44d6f407890cc863210c01ddec461112b1efb273bcf76bbb3e31419f0bcee
- SHA512: 6763333172126ce8c5eb5924779182a488c2c6ea4bedbd3f1265dd165e95816981b3f9e35d1d0dfb7c16b136de70b26ded51f1fd547b6a0157909ad215975039
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: sylviaoslh01.ddns.net:52943
- C2: 23.105.131.216:52943
- Mutex: 23e7eebd-240d-4908-b034-8afc79aa36ad
Configuration
- activate_away_mode: false
- backup_connection_host: 23.105.131.216
- backup_dns_server: (empty)
- buffer_size: 65538
- build_time: 2020-10-26T11:59:49.749429636Z
- bypass_user_account_control: false
- bypass_user_account_control_data (base64-encoded Task Scheduler task XML with RunLevel HighestAvailable; the template used by the UAC-bypass option, which is disabled in this sample):
  PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 52943
- default_group: Logs wetyn you de wait for
- enable_debug_mode: true
- gc_threshold: 1.0485772e+07 (10485772)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485772e+07 (10485772)
- mutex: 23e7eebd-240d-4908-b034-8afc79aa36ad
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: sylviaoslh01.ddns.net
- primary_dns_server: (empty)
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8009
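The `bypass_user_account_control_data` value above is a base64 blob that analysts usually leave unread. The Python below is an added example, not part of the sandbox report: it decodes the blob copied verbatim from the config, strips the encoding declaration (the XML claims UTF-16 while the decoded bytes are plain ASCII, so a strict parser fed the raw bytes fails), and pulls out the fields that make the embedded task definition an elevation primitive. The namespace URL is the one declared inside the blob; the `#EXECUTABLEPATH` check is keyed on the placeholder the decoded XML contains.

```python
"""Decode and triage the NanoCore bypass_user_account_control_data value.

Added example, not part of the sandbox report. The only input is the base64
string copied verbatim from the report's Malware Config section.
"""
import base64
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace; it is declared inside the blob itself.
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# bypass_user_account_control_data, copied verbatim from the report above.
UAC_TASK_B64 = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"


def decode_task_blob(blob: str) -> str:
    """Return the task XML carried in the config value as text.

    Two quirks: the encoder may strip base64 padding, and the XML declaration
    claims UTF-16 although the bytes are ASCII. A strict parser given the raw
    bytes would try to decode UTF-16 and fail, so the declaration is removed.
    """
    blob = blob.strip()
    padded = blob + "=" * (-len(blob) % 4)
    text = base64.b64decode(padded).decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>\s*", "", text)


def summarize_task(xml_text: str) -> dict:
    """Pull out the fields that decide whether a task is an elevation primitive."""
    root = ET.fromstring(xml_text)

    def text_of(tag: str) -> str:
        el = root.find(f".//{{{TASK_NS}}}{tag}")
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find(f"{{{TASK_NS}}}Triggers")
    return {
        "run_level": text_of("RunLevel"),            # HighestAvailable = elevated for admins
        "logon_type": text_of("LogonType"),
        "start_on_demand": text_of("AllowStartOnDemand"),
        "hidden": text_of("Hidden"),
        "trigger_count": 0 if triggers is None else len(triggers),
        "command": text_of("Command"),                # placeholder NanoCore fills in at runtime
        "arguments": text_of("Arguments"),
        "time_limit": text_of("ExecutionTimeLimit"),  # PT0S = no execution time limit
    }


def is_elevation_template(summary: dict) -> bool:
    """The scheduled-task UAC-bypass pattern: runs elevated (HighestAvailable),
    has no triggers of its own, may be started on demand, and executes a command
    substituted later. Running such a task launches the target at high integrity
    without a consent prompt when the logged-on user is an administrator."""
    return (
        summary["run_level"] == "HighestAvailable"
        and summary["trigger_count"] == 0
        and summary["start_on_demand"].lower() == "true"
        and "#EXECUTABLEPATH" in summary["command"]
    )


if __name__ == "__main__":
    summary = summarize_task(decode_task_blob(UAC_TASK_B64))
    for key, value in summary.items():
        print(f"{key:16} {value}")
    print("elevation template:", is_elevation_template(summary))
```

Because `bypass_user_account_control` is `false` in this config, the sample does not register this task; the template is still worth extracting because the same XML, with `#EXECUTABLEPATH` substituted, is what a `schtasks /create /xml` call would write on a build that has the option on.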
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  - RegSvcs.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\Program Files (x86)\SMTP Manager\smtpmgr.exe"
- Suspicious use of SetThreadContext (1 IoC)
  - a8aac7e2a92af01b0fc23c879558bbab.exe (PID 1400) set thread context of PID 3496 (RegSvcs.exe)
  Together with the WriteProcessMemory events below this is the process-hollowing pattern: the loader spawns RegSvcs.exe, writes the payload image into it and points the child's thread context at the written code.
- Drops file in Program Files directory (2 IoCs)
  - RegSvcs.exe: File created C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
  - RegSvcs.exe: File opened for modification C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
- Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - schtasks.exe PID 2312, PID 3956, PID 1156
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - RegSvcs.exe PID 3496 (6 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - RegSvcs.exe PID 3496
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - RegSvcs.exe PID 3496: Token: SeDebugPrivilege (2 occurrences)
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 1400 (a8aac7e2a92af01b0fc23c879558bbab.exe) wrote to memory of PID 2312 (schtasks.exe), 3 times
  - PID 1400 (a8aac7e2a92af01b0fc23c879558bbab.exe) wrote to memory of PID 3496 (RegSvcs.exe), 8 times
  - PID 3496 (RegSvcs.exe) wrote to memory of PID 3956 (schtasks.exe), 3 times
  - PID 3496 (RegSvcs.exe) wrote to memory of PID 1156 (schtasks.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe (PID 1400, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2312, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LpqUNyJQxR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B39.tmp"
    The image path is SysWOW64 although the command line names System32: the 32-bit loader is subject to WOW64 file-system redirection.
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 3496, depth 2)
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp23B5.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2433.tmp"
      - Creates scheduled task(s)
PIDs are taken from the Signatures section. The two depth-3 schtasks.exe instances are PIDs 3956 and 1156; the report does not pair either PID with a specific command line.
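The process tree gives everything needed to write detections for this chain. The Python below is an added example, not part of the report: it rebuilds the report's process-create, file-create and registry-set events as Sysmon-style dicts (constructed sample data, with one constructed benign schtasks invocation as a control) and runs three rules over them: schtasks /create fed a .tmp task file from %TEMP%, a .NET SDK utility started with the literal "{path}" command line or from a user-writable parent, and a Run key written by that utility and correlated with the file the same PID dropped. The RegAsm.exe and InstallUtil.exe entries in DOTNET_HOSTS generalise beyond the report, which only shows RegSvcs.exe.

```python
"""Detections for the chain in the process tree above, run over constructed events.
Added example, not part of the sandbox report: EVENTS is built from the report's
own process tree, Run-key write and file drop, using Sysmon-style field names."""
import re
from typing import Dict, List

LOADER = r"C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
SCHTASKS32 = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed from the report; PIDs, paths and command lines are the report's own.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "1400", "image": LOADER, "parent_image": "",  # parent not in report
     "cmdline": '"' + LOADER + '"'},
    {"type": "process", "pid": "2312", "image": SCHTASKS32, "parent_image": LOADER,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LpqUNyJQxR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B39.tmp"'},
    {"type": "process", "pid": "3496", "image": REGSVCS, "parent_image": LOADER, "cmdline": '"{path}"'},
    {"type": "process", "pid": "3956", "image": SCHTASKS32, "parent_image": REGSVCS,
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp23B5.tmp"'},
    {"type": "process", "pid": "1156", "image": SCHTASKS32, "parent_image": REGSVCS,
     "cmdline": r'"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2433.tmp"'},
    {"type": "file", "pid": "3496", "image": REGSVCS, "target": r"C:\Program Files (x86)\SMTP Manager\smtpmgr.exe"},
    {"type": "registry", "pid": "3496", "image": REGSVCS,
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager",
     "details": r'"C:\Program Files (x86)\SMTP Manager\smtpmgr.exe"'},
    # Constructed benign control: an admin importing a task definition kept in Documents.
    {"type": "process", "pid": "4444", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /tn "Nightly Backup" /xml "C:\Users\Admin\Documents\backup-task.xml"'},
]

# RegSvcs.exe is the host in this report; RegAsm.exe and InstallUtil.exe are its
# commonly abused siblings (an assumption that goes beyond the report).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def task_xml_argument(cmdline: str) -> str:
    """Return the file passed to schtasks /xml (quoted or bare), or '' if absent."""
    m = re.search(r'/xml\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""


def rule_schtasks_temp_xml(ev: Dict[str, str]) -> str:
    """schtasks /create fed a .tmp task definition from the user's Temp directory."""
    if ev["type"] != "process" or basename(ev["image"]) != "schtasks.exe":
        return ""
    if not re.search(r"/create\b", ev["cmdline"], re.IGNORECASE):
        return ""
    xml = task_xml_argument(ev["cmdline"])
    if "\\appdata\\local\\temp\\" in xml.lower() and xml.lower().endswith(".tmp"):
        return f"task registered from throwaway XML {xml}"
    return ""


def rule_hollowed_dotnet_host(ev: Dict[str, str]) -> str:
    """A .NET SDK utility started with the literal "{path}" command line seen in the
    report, or by a parent that runs from a user-writable directory."""
    if ev["type"] != "process" or basename(ev["image"]) not in DOTNET_HOSTS:
        return ""
    reasons = []
    if ev["cmdline"].strip().strip('"') == "{path}":
        reasons.append('command line is the "{path}" placeholder')
    if any(d in ev.get("parent_image", "").lower() for d in USER_WRITABLE):
        reasons.append(f"parent {ev['parent_image']} runs from a user-writable path")
    return "; ".join(reasons)


def rule_dotnet_host_autostart(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run-key writes by a .NET SDK utility, tied to files the same PID created."""
    dropped = {(e["pid"], e["target"].lower()) for e in events if e["type"] == "file"}
    out = []
    for e in events:
        if e["type"] != "registry" or basename(e["image"]) not in DOTNET_HOSTS:
            continue
        if "\\currentversion\\run\\" not in e["target"].lower():
            continue
        path = e["details"].strip('"')
        origin = "dropped by the same process" if (e["pid"], path.lower()) in dropped else "pre-existing file"
        out.append({"rule": "dotnet_host_autostart", "pid": e["pid"], "detail": f"{e['target']} -> {path} ({origin})"})
    return out


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the per-event rules, then the cross-event correlation."""
    findings = []
    for ev in events:
        for name, rule in (("schtasks_temp_xml", rule_schtasks_temp_xml),
                           ("hollowed_dotnet_host", rule_hollowed_dotnet_host)):
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev["pid"], "detail": detail})
    findings.extend(rule_dotnet_host_autostart(events))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['detail']}")
```

The schtasks rule keys on the combination the report shows (a `/create` with a `.tmp` definition under `\AppData\Local\Temp\`), so the control event that imports a task from Documents is not flagged; the correlation rule reports whether the Run-key target was created by the same PID, which separates a dropper registering its own payload from a utility that merely re-points autostart at an existing binary.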
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The three .tmp files are the task definitions passed to schtasks /xml in the process tree above.
- C:\Users\Admin\AppData\Local\Temp\tmp1B39.tmp
  - MD5: df99e4069ae2f1ae053b32d87ed67792
  - SHA1: c657271f444963c4d0f6ad94242e559b1be2a655
  - SHA256: 26aa54713e0d713ce18b400ed9b349bfbc68bff31b4329f6c2393210c489833d
  - SHA512: c324ed78b49a806043eb36892006e496b29da46349b77a344a4348036d449d5a1ea2475b64daf560043b5b9ff4ebf418cfc7f16901ab1b45921db29a9881e3fd
- C:\Users\Admin\AppData\Local\Temp\tmp23B5.tmp
  - MD5: 40b11ef601fb28f9b2e69d36857bf2ec
  - SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
  - SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
  - SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5
- C:\Users\Admin\AppData\Local\Temp\tmp2433.tmp
  - MD5: b3b017f9df206021717a11f11d895402
  - SHA1: e4ea12823af6550ee634536eec1eb14490580a3b
  - SHA256: 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024
  - SHA512: 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343
Memory dumps (the 232KB region at image base 0x400000 in PID 3496 is the payload the loader wrote into RegSvcs.exe):
- memory/1156-10-0x0000000000000000-mapping.dmp
- memory/1400-2-0x0000000000F80000-0x0000000000F81000-memory.dmp (4KB)
- memory/2312-3-0x0000000000000000-mapping.dmp
- memory/3496-5-0x0000000000400000-0x000000000043A000-memory.dmp (232KB)
- memory/3496-6-0x000000000041E792-mapping.dmp
- memory/3496-8-0x0000000002900000-0x0000000002901000-memory.dmp (4KB)
- memory/3496-12-0x0000000002901000-0x0000000002902000-memory.dmp (4KB)
- memory/3956-7-0x0000000000000000-mapping.dmp