Analysis
Max time kernel: 145s
Max time network: 146s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 26-02-2021 10:28
Static task: static1
Behavioral task: behavioral1
Sample: 009CVHJR393024.exe
Resource: win7v20201028
General
Target: 009CVHJR393024.exe
Size: 755KB
MD5: 187c9da5f62d3a607eb6ed956766d3d9
SHA1: 806b3b923ded374e8aca787a8e9710bc305887c2
SHA256: 7ef7ce0c066779863c31b25f016814f07fb6b940bb4957ee72eacee2f9a13ddc
SHA512: d703ef8d8b557a0adeb12d33457535201fc73e9e76498c264d441c9da581bfd7364f61aec1a601cb51f3ce2e8c69da12cd8226b8dd52e7acf8f6fd419f471593
Malware Config
Extracted: nanocore 1.2.2.0
Hosts: strongodss.ddns.net:58103, 79.134.225.43:58103
Mutex: 572eb7a9-aedf-4b39-8669-f7563dab8a38
activate_away_mode: false
backup_connection_host: 79.134.225.43
backup_dns_server: (empty)
buffer_size: 65538
build_time: 2020-08-31T08:01:57.275180636Z
bypass_user_account_control: false
bypass_user_account_control_data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control: false
clear_zone_identifier: false
connect_delay: 4000
connection_port: 58103
default_group: GREAT
enable_debug_mode: true
gc_threshold: 1.0485772e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.0485772e+07
mutex: 572eb7a9-aedf-4b39-8669-f7563dab8a38
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: strongodss.ddns.net
primary_dns_server: (empty)
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8009
Signatures

Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 009CVHJR393024.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 009CVHJR393024.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 009CVHJR393024.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" | RegSvcs.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 009CVHJR393024.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 009CVHJR393024.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | 009CVHJR393024.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: 009CVHJR393024.exe
description | pid | process | target process
PID 648 set thread context of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe

Drops file in Program Files directory (2 IoCs)
Processes: RegSvcs.exe
description | ioc | process
File created | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | RegSvcs.exe
File opened for modification | C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
pid | process
1424 | schtasks.exe
2116 | schtasks.exe
1164 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: 009CVHJR393024.exe, RegSvcs.exe
pid | process
648 | 009CVHJR393024.exe
3948 | RegSvcs.exe
3948 | RegSvcs.exe
3948 | RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: RegSvcs.exe
pid | process
3948 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 009CVHJR393024.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 648 | 009CVHJR393024.exe
Token: SeDebugPrivilege | 3948 | RegSvcs.exe
Token: SeDebugPrivilege | 3948 | RegSvcs.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes: 009CVHJR393024.exe, RegSvcs.exe
description | pid | process | target process
PID 648 wrote to memory of 1424 | 648 | 009CVHJR393024.exe | schtasks.exe
PID 648 wrote to memory of 1424 | 648 | 009CVHJR393024.exe | schtasks.exe
PID 648 wrote to memory of 1424 | 648 | 009CVHJR393024.exe | schtasks.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 648 wrote to memory of 3948 | 648 | 009CVHJR393024.exe | RegSvcs.exe
PID 3948 wrote to memory of 2116 | 3948 | RegSvcs.exe | schtasks.exe
PID 3948 wrote to memory of 2116 | 3948 | RegSvcs.exe | schtasks.exe
PID 3948 wrote to memory of 2116 | 3948 | RegSvcs.exe | schtasks.exe
PID 3948 wrote to memory of 1164 | 3948 | RegSvcs.exe | schtasks.exe
PID 3948 wrote to memory of 1164 | 3948 | RegSvcs.exe | schtasks.exe
PID 3948 wrote to memory of 1164 | 3948 | RegSvcs.exe | schtasks.exe
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\009CVHJR393024.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\009CVHJR393024.exe"
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVafXAJvNYI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D79.tmp"
    - Creates scheduled task(s)

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp353A.tmp"
        - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
        Command line: "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp35A8.tmp"
        - Creates scheduled task(s)
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2D79.tmp
MD5: aeb95524358c594c1ffb532ce018ad95
SHA1: 80d9ac3991cb4828b6951355d3102ceae48861e4
SHA256: 4a30705c2b0e07d64dd2748553eb5a7a95a21791392703ad7beaf62e5cc56698
SHA512: 4495590916a9897788bad38fe94ec9dc686baf863663ff392daa976369b152ecce0ea3818a3f9bec65bc500591049e6d6979f2044e64f1a323b8880e303566e8

C:\Users\Admin\AppData\Local\Temp\tmp353A.tmp
MD5: 40b11ef601fb28f9b2e69d36857bf2ec
SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

C:\Users\Admin\AppData\Local\Temp\tmp35A8.tmp
MD5: b3b017f9df206021717a11f11d895402
SHA1: e4ea12823af6550ee634536eec1eb14490580a3b
SHA256: 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024
SHA512: 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

memory/648-2-0x0000000002600000-0x0000000002601000-memory.dmp (Filesize: 4KB)
memory/648-3-0x0000000002601000-0x0000000002602000-memory.dmp (Filesize: 4KB)
memory/1164-11-0x0000000000000000-mapping.dmp
memory/1424-4-0x0000000000000000-mapping.dmp
memory/2116-8-0x0000000000000000-mapping.dmp
memory/3948-6-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
memory/3948-7-0x000000000041E792-mapping.dmp
memory/3948-9-0x0000000002E10000-0x0000000002E11000-memory.dmp (Filesize: 4KB)
memory/3948-13-0x0000000002E11000-0x0000000002E12000-memory.dmp (Filesize: 4KB)