Analysis
-
max time kernel
100s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
21-04-2021 06:02
Static task
static1
Behavioral task
behavioral1
Sample
090090000000.exe
Resource
win7v20210410
General
-
Target
090090000000.exe
-
Size
371KB
-
MD5
b8019a09822153f1fd0081cd3f97e6af
-
SHA1
44cc6dd5c8c7c22b8a92976cf8c77705437faa00
-
SHA256
e100812a13dcc0b92ee42371dd7b03f674581c41dc3a2c70109acff79333cf30
-
SHA512
9cb5133d42a77234a714f50edc933684524ec7614e27d9f28fe141d03f07b5debd646670d6d64a0ad9795ad768bd6345b98f1de4c7a1c9e8a230996d338f883f
Malware Config
Extracted
nanocore
1.2.2.0
185.222.57.171:4445
2dd052c5-2546-4017-851f-7f690b3c80bf
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-01-29T09:36:10.211722536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4445
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07 (= 10485760)
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07 (= 10485760)
-
mutex
2dd052c5-2546-4017-851f-7f690b3c80bf
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
185.222.57.171
-
primary_dns_server
8.8.8.8
-
request_elevation
false
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
090090000000.exe — pid 660, process 090090000000.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
090090000000.exe — Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe" (process: 090090000000.exe) -
Checks whether UAC is enabled
Processes:
090090000000.exe — Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 090090000000.exe) -
Suspicious use of SetThreadContext 1 IoCs
Processes:
090090000000.exe — PID 660 set thread context of 3512 (process 090090000000.exe → target process 090090000000.exe) -
Drops file in Program Files directory 2 IoCs
Processes:
090090000000.exe — File created: C:\Program Files (x86)\UPNP Subsystem\upnpss.exe; File opened for modification: C:\Program Files (x86)\UPNP Subsystem\upnpss.exe (process: 090090000000.exe) -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
090090000000.exe — pid 3512, process 090090000000.exe (6 occurrences) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
090090000000.exe — pid 3512, process 090090000000.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
090090000000.exe — pid 660, process 090090000000.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
090090000000.exe — Token: SeDebugPrivilege, pid 3512 (process 090090000000.exe) -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
090090000000.exe, 090090000000.exe — PID / process → target process:
PID 660 wrote to memory of 3512 — 090090000000.exe → 090090000000.exe (4 occurrences)
PID 3512 wrote to memory of 2832 — 090090000000.exe → schtasks.exe (3 occurrences)
PID 3512 wrote to memory of 220 — 090090000000.exe → schtasks.exe (3 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\090090000000.exe — command line: "C:\Users\Admin\AppData\Local\Temp\090090000000.exe" (tree level 1)
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\090090000000.exe — command line: "C:\Users\Admin\AppData\Local\Temp\090090000000.exe" (tree level 2)
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe — command line: "schtasks.exe" /create /f /tn "UPNP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp648C.tmp" (tree level 3)
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe — command line: "schtasks.exe" /create /f /tn "UPNP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6604.tmp" (tree level 3)
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp648C.tmp
MD5 216524da36141b4c03b54996cf81e172
SHA1 9cfb4085c34863bd5a1289568e972a85fccb16e9
SHA256 159f97971eb222a1b81ea6e1366a48db0a8e1cdfd426f0f29c250eab1e83d546
SHA512 a64685345aabb46cf2cf6398ca6808431836fd678c9aed0b7a6b872cd5a45f5ae4778c97f39eb1389ef5e20e56217291d670f62b63859ae6ef08cef72003d2b9
-
C:\Users\Admin\AppData\Local\Temp\tmp6604.tmp
MD5 af9986f5e128fd8bd3ae748fcba6576d
SHA1 8060072c35108b48649a03be91803b97f1ad40a4
SHA256 f3242f6480b3d1a8f9285135fdce9a201c4802ce062eee4fb41c488a21d53303
SHA512 f35c8e1699905bc972ae48a5a4a9fd33ea04b2d851ffc1cb1d1573a2087121d803b4186a696b2edad10a9c46c388a478e105f5a730020b598aa9f483086dba38
-
\Users\Admin\AppData\Local\Temp\nst50C7.tmp\ulwfuy.dll
MD5 1948a6b2f6f9092393adda25ecc49cbc
SHA1 f9438d6dd5a08018c45662d63232606d87526d83
SHA256 97000d24be3ce1a208ccb9115245466022d66505eceb03e39a2286107e0eecef
SHA512 70faf5541bc6d2ca9ab8cdd4b731ac6544d76320124afc6f995c31d34792a065298a7a516f013b2c662d18f92227e68b3fd0fa8f7aa33f353a409546e50fdbc0
-
memory/220-126-0x0000000000000000-mapping.dmp
-
memory/660-116-0x0000000002C51000-0x0000000002C56000-memory.dmp — Filesize 20KB
-
memory/660-115-0x0000000002C50000-0x0000000002C51000-memory.dmp — Filesize 4KB
-
memory/2832-124-0x0000000000000000-mapping.dmp
-
memory/3512-119-0x0000000002350000-0x0000000002351000-memory.dmp — Filesize 4KB
-
memory/3512-122-0x0000000002357000-0x0000000002358000-memory.dmp — Filesize 4KB
-
memory/3512-123-0x0000000002358000-0x0000000002359000-memory.dmp — Filesize 4KB
-
memory/3512-121-0x0000000002352000-0x0000000002354000-memory.dmp — Filesize 8KB
-
memory/3512-120-0x0000000002351000-0x0000000002352000-memory.dmp — Filesize 4KB
-
memory/3512-118-0x0000000000400000-0x0000000000448000-memory.dmp — Filesize 288KB
-
memory/3512-117-0x000000000040188B-mapping.dmp