Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-02-2021 14:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: aa640f67c221be6fc236d3fb8a75f72e.exe
- Resource: win7v20201028
General
- Target: aa640f67c221be6fc236d3fb8a75f72e.exe
- Size: 710KB
- MD5: aa640f67c221be6fc236d3fb8a75f72e
- SHA1: eb08edf7c0934b0a77c9a0beef2534892b952927
- SHA256: 88ff1e98dcbd97e019e62abc039b84689c902b602f6b2f6ca2b1094b2643280d
- SHA512: 2961b0e39c94a3c14e56ebe001b7750260a78e29592d135e84b9cc9d43340a8597a1a4349b1c3f4dbef3f10991449e2f4a53bb063eb11ac235e79b418178d0de
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: strongodss.ddns.net:58103, 79.134.225.43:58103
- Mutex: 572eb7a9-aedf-4b39-8669-f7563dab8a38
- activate_away_mode: false
- backup_connection_host: 79.134.225.43
- backup_dns_server:
- buffer_size: 65538
- build_time: 2020-08-31T08:01:57.275180636Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: false
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 58103
- default_group: GREAT
- enable_debug_mode: true
- gc_threshold: 1.0485772e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485772e+07
- mutex: 572eb7a9-aedf-4b39-8669-f7563dab8a38
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: strongodss.ddns.net
- primary_dns_server:
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8009
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: aa640f67c221be6fc236d3fb8a75f72e.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | aa640f67c221be6fc236d3fb8a75f72e.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | aa640f67c221be6fc236d3fb8a75f72e.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" | RegSvcs.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: aa640f67c221be6fc236d3fb8a75f72e.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | aa640f67c221be6fc236d3fb8a75f72e.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | aa640f67c221be6fc236d3fb8a75f72e.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: aa640f67c221be6fc236d3fb8a75f72e.exe
  description | pid | process | target process
  PID 1932 set thread context of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\WPA Host\wpahost.exe | RegSvcs.exe
  File created | C:\Program Files (x86)\WPA Host\wpahost.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe, schtasks.exe
  pid | process
  1616 | schtasks.exe
  576 | schtasks.exe
  1348 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: aa640f67c221be6fc236d3fb8a75f72e.exe, RegSvcs.exe
  pid | process
  1932 | aa640f67c221be6fc236d3fb8a75f72e.exe
  400 | RegSvcs.exe
  400 | RegSvcs.exe
  400 | RegSvcs.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: RegSvcs.exe
  pid | process
  400 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: aa640f67c221be6fc236d3fb8a75f72e.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe
  Token: SeDebugPrivilege | 400 | RegSvcs.exe
  Token: SeDebugPrivilege | 400 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: aa640f67c221be6fc236d3fb8a75f72e.exe, RegSvcs.exe
  description | pid | process | target process
  PID 1932 wrote to memory of 1616 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | schtasks.exe
  PID 1932 wrote to memory of 1616 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | schtasks.exe
  PID 1932 wrote to memory of 1616 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | schtasks.exe
  PID 1932 wrote to memory of 1616 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | schtasks.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 1932 wrote to memory of 400 | 1932 | aa640f67c221be6fc236d3fb8a75f72e.exe | RegSvcs.exe
  PID 400 wrote to memory of 576 | 400 | RegSvcs.exe | schtasks.exe
  PID 400 wrote to memory of 576 | 400 | RegSvcs.exe | schtasks.exe
  PID 400 wrote to memory of 576 | 400 | RegSvcs.exe | schtasks.exe
  PID 400 wrote to memory of 576 | 400 | RegSvcs.exe | schtasks.exe
  PID 400 wrote to memory of 1348 | 400 | RegSvcs.exe | schtasks.exe
  PID 400 wrote to memory of 1348 | 400 | RegSvcs.exe | schtasks.exe
  PID 400 wrote to memory of 1348 | 400 | RegSvcs.exe | schtasks.exe
  PID 400 wrote to memory of 1348 | 400 | RegSvcs.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\aa640f67c221be6fc236d3fb8a75f72e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa640f67c221be6fc236d3fb8a75f72e.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vRkjjKXkJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99A1.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 2)
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9D1A.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      Command line: "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9DA7.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp99A1.tmp
  MD5: d740ac432a152d0078292df846f650d1
  SHA1: f7795e42bdf2eee09e6f16f8c1179caf71ac98bf
  SHA256: 7be219b677c95d0e0d6317fa66b329ca5b301aa45082d1b99f49146b21ce65cf
  SHA512: d28912ebd60deb3af9d42cd668f9bf0b4137c01f25bd0bb9144e03bc2a32ca0765826dcdc9a1fa5a7533ed39c2d50ad0cbd4e7d03d20e2e54690f50363de39a9
- C:\Users\Admin\AppData\Local\Temp\tmp9D1A.tmp
  MD5: 40b11ef601fb28f9b2e69d36857bf2ec
  SHA1: b6454020ad2ceed193f4792b77001d0bd741b370
  SHA256: c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1
  SHA512: e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5
- C:\Users\Admin\AppData\Local\Temp\tmp9DA7.tmp
  MD5: 819bdbdac3be050783d203020e6c4c30
  SHA1: a373521fceb21cac8b93e55ee48578e40a6e740b
  SHA256: 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
  SHA512: cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd
- memory/400-12-0x00000000006B0000-0x00000000006B1000-memory.dmp (Filesize: 4KB)
- memory/400-7-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/400-8-0x000000000041E792-mapping.dmp
- memory/400-15-0x00000000006B1000-0x00000000006B2000-memory.dmp (Filesize: 4KB)
- memory/400-16-0x00000000006B6000-0x00000000006C7000-memory.dmp (Filesize: 68KB)
- memory/576-10-0x0000000000000000-mapping.dmp
- memory/1348-13-0x0000000000000000-mapping.dmp
- memory/1616-5-0x0000000000000000-mapping.dmp
- memory/1932-4-0x0000000000BE1000-0x0000000000BE2000-memory.dmp (Filesize: 4KB)
- memory/1932-2-0x00000000750C1000-0x00000000750C3000-memory.dmp (Filesize: 8KB)
- memory/1932-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp (Filesize: 4KB)