Analysis
-
max time kernel
115s -
max time network
154s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
27-09-2021 18:18
General
-
Target
b462382cb954466386f9334247e0a34c.exe
-
Size
30KB
-
MD5
b462382cb954466386f9334247e0a34c
-
SHA1
0ac9e261eafc36f2d8a7bda5755b44c9d8c883e9
-
SHA256
6a19a144807268d406c6da55513ae24493b2d411ba8e2a2e15567d66e55d976b
-
SHA512
edf4ec1938ff467207c75e38b2bbea2445fec6accdcd325101a4e4b60e17c9041b3c9795cf100d194549372c60b07e143464181c63458fc8e753f384b2369f4a
Score
10/10
Malware Config
Extracted
Family
nanocore
Version
1.2.2.0
C2
friomo.duckdns.org:6746
Mutex
5fb3fc63-476b-43ac-865e-d84d77cfacac
Attributes
-
activate_away_mode
true
-
backup_connection_host
friomo.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-07-05T20:20:00.814294736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6746
-
default_group
FRI OMO
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
5fb3fc63-476b-43ac-865e-d84d77cfacac
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
friomo.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
-
Windows security modification 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b462382cb954466386f9334247e0a34c.exe"C:\Users\Admin\AppData\Local\Temp\b462382cb954466386f9334247e0a34c.exe"1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\敖敁敇敦整斊斅敃敶整救敿敔敞敄\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b462382cb954466386f9334247e0a34c.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\敖敁敇敦整斊斅敃敶整救敿敔敞敄\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\b462382cb954466386f9334247e0a34c.exe"C:\Users\Admin\AppData\Local\Temp\b462382cb954466386f9334247e0a34c.exe"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ae2149cc365b74938921e96f396d85bd
SHA18f6e2034ce11e02c0ef5390a90bd653d063e555f
SHA256044c82d21148d91468139c849651fc771d3a7880843d12038330b630960066c6
SHA5123951d94d48524c7982543c46e9569b7df00a7ae718f1f0bd3f71e1d6a273baff200e446f5ba642eb6c73d4402db8b7c122fc9b0a4d68b8d4052984a664f1ac54
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
ae2149cc365b74938921e96f396d85bd
SHA18f6e2034ce11e02c0ef5390a90bd653d063e555f
SHA256044c82d21148d91468139c849651fc771d3a7880843d12038330b630960066c6
SHA5123951d94d48524c7982543c46e9569b7df00a7ae718f1f0bd3f71e1d6a273baff200e446f5ba642eb6c73d4402db8b7c122fc9b0a4d68b8d4052984a664f1ac54
-
memory/892-138-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/892-212-0x00000000066E0000-0x00000000066F5000-memory.dmpFilesize
84KB
-
memory/892-209-0x00000000066D0000-0x00000000066DD000-memory.dmpFilesize
52KB
-
memory/892-172-0x0000000005640000-0x0000000005643000-memory.dmpFilesize
12KB
-
memory/892-143-0x000000000041E792-mapping.dmp
-
memory/892-173-0x0000000005160000-0x000000000565E000-memory.dmpFilesize
5.0MB
-
memory/892-169-0x0000000005540000-0x0000000005559000-memory.dmpFilesize
100KB
-
memory/892-165-0x0000000005530000-0x0000000005535000-memory.dmpFilesize
20KB
-
memory/2636-118-0x0000000004C60000-0x0000000004C61000-memory.dmpFilesize
4KB
-
memory/2636-137-0x0000000005BA0000-0x0000000005BA1000-memory.dmpFilesize
4KB
-
memory/2636-115-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/2636-131-0x0000000006100000-0x0000000006101000-memory.dmpFilesize
4KB
-
memory/2636-117-0x0000000004A30000-0x0000000004A31000-memory.dmpFilesize
4KB
-
memory/2636-119-0x0000000005670000-0x00000000056FC000-memory.dmpFilesize
560KB
-
memory/2636-120-0x0000000005C00000-0x0000000005C01000-memory.dmpFilesize
4KB
-
memory/3052-287-0x00000000072B3000-0x00000000072B4000-memory.dmpFilesize
4KB
-
memory/3052-147-0x00000000072B2000-0x00000000072B3000-memory.dmpFilesize
4KB
-
memory/3052-232-0x000000007E800000-0x000000007E801000-memory.dmpFilesize
4KB
-
memory/3052-149-0x0000000008060000-0x0000000008061000-memory.dmpFilesize
4KB
-
memory/3052-146-0x0000000007FF0000-0x0000000007FF1000-memory.dmpFilesize
4KB
-
memory/3052-198-0x0000000009760000-0x0000000009793000-memory.dmpFilesize
204KB
-
memory/3052-157-0x00000000082B0000-0x00000000082B1000-memory.dmpFilesize
4KB
-
memory/3052-141-0x00000000072B0000-0x00000000072B1000-memory.dmpFilesize
4KB
-
memory/3052-164-0x0000000008130000-0x0000000008131000-memory.dmpFilesize
4KB
-
memory/3052-128-0x0000000007200000-0x0000000007201000-memory.dmpFilesize
4KB
-
memory/3052-167-0x0000000008A40000-0x0000000008A41000-memory.dmpFilesize
4KB
-
memory/3052-121-0x0000000000000000-mapping.dmp
-
memory/3300-130-0x00000000074E0000-0x00000000074E1000-memory.dmpFilesize
4KB
-
memory/3300-174-0x0000000008430000-0x0000000008431000-memory.dmpFilesize
4KB
-
memory/3300-145-0x0000000006EA2000-0x0000000006EA3000-memory.dmpFilesize
4KB
-
memory/3300-227-0x000000007E7C0000-0x000000007E7C1000-memory.dmpFilesize
4KB
-
memory/3300-144-0x0000000006EA0000-0x0000000006EA1000-memory.dmpFilesize
4KB
-
memory/3300-283-0x0000000006EA3000-0x0000000006EA4000-memory.dmpFilesize
4KB
-
memory/3300-139-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/3300-122-0x0000000000000000-mapping.dmp
-
memory/3976-151-0x00000000073A2000-0x00000000073A3000-memory.dmpFilesize
4KB
-
memory/3976-148-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/3976-237-0x000000007EBE0000-0x000000007EBE1000-memory.dmpFilesize
4KB
-
memory/3976-279-0x00000000073A3000-0x00000000073A4000-memory.dmpFilesize
4KB
-
memory/3976-123-0x0000000000000000-mapping.dmp