Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
26-10-2021 19:35
General
-
Target
n2m18_Payment_receipt.js
-
Size
81KB
-
MD5
b52fe288ee67ceccaeee80dc4749c358
-
SHA1
38c1641f3aa617170306572bfd41e8a30b42d693
-
SHA256
0aeb9b8280cf3a77ec5e44ff5b3866aa17f011a1e0b47dd7b70133d8fd607b56
-
SHA512
dbf83aee7ad7a2691883226a5a960a3b7e7484fcc96a4023572f30e4e34e35647ecf52b918f5323f625a474183bf716e01ab580ab13329d56638677643418c43
Malware Config
Extracted
nanocore
1.2.2.0
kenimaf.duckdns.org:8090
543e7469-d950-4ec2-a110-de54f8d16167
-
activate_away_mode
true
-
backup_connection_host
kenimaf.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-08-01T06:39:50.225932136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
8090
-
default_group
kenn
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
543e7469-d950-4ec2-a110-de54f8d16167
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
kenimaf.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
vjw0rm
http://6200js.duckdns.org:6200
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
-
Blocklisted process makes network request 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Drops startup file 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Windows security modification 2 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\n2m18_Payment_receipt.js1⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\Admin\AppData\Local\Temp\n2m18_Payment_receipt.js2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exe"C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\\svchost.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\\svchost.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exe"C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 17883⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
C:\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msMD5
d1e5ee294ce69adaa02e15d16cd5079b
SHA1872fb44fb1848989fcabe3f1e2418f591e3704d1
SHA256e00ed03d5b4a01a7b286910b5651152be31d43b5f18a4da6bb852f7361d1d6c6
SHA51286de81a9bee288e9d200ca1ad6cf08eadc6f548613f65215d1326c90c63137c8bfabe55011d8c67a3828c645b549c455d13eb3282b788e502316dbe7081a7dbb
-
\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
\Users\Admin\AppData\Local\Temp\hqbo6d7.exeMD5
5429e76da1a8200f93eb9655d3b86a07
SHA149250d67b4427a41ac8ce27c62c09e1d1d6c15f0
SHA25656a84cc9c44d6db19720b5594362b74a683cc83d3f454a135fe6698269b364d3
SHA51295f6a6ea27f50c8c0b10bb1b6f8c6f0c75daecbb9f39f3a8bdc1b8bb4cebf4f6d1e12ad6b7890842e87aad7f07891db6624bbf23a40f4ebb4e1de839a0617ac1
-
memory/824-73-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/824-102-0x0000000000760000-0x0000000000775000-memory.dmpFilesize
84KB
-
memory/824-112-0x0000000000EA0000-0x0000000000EAF000-memory.dmpFilesize
60KB
-
memory/824-110-0x0000000000DD0000-0x0000000000DDA000-memory.dmpFilesize
40KB
-
memory/824-111-0x0000000000E70000-0x0000000000E99000-memory.dmpFilesize
164KB
-
memory/824-74-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/824-75-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/824-76-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/824-77-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/824-78-0x000000000041E792-mapping.dmp
-
memory/824-103-0x00000000008B0000-0x00000000008B6000-memory.dmpFilesize
24KB
-
memory/824-80-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/824-104-0x0000000000C30000-0x0000000000C3C000-memory.dmpFilesize
48KB
-
memory/824-83-0x00000000004F0000-0x00000000004F1000-memory.dmpFilesize
4KB
-
memory/824-105-0x0000000000C40000-0x0000000000C46000-memory.dmpFilesize
24KB
-
memory/824-106-0x0000000000C50000-0x0000000000C57000-memory.dmpFilesize
28KB
-
memory/824-107-0x0000000000D60000-0x0000000000D6D000-memory.dmpFilesize
52KB
-
memory/824-108-0x0000000000D70000-0x0000000000D72000-memory.dmpFilesize
8KB
-
memory/824-109-0x0000000000D80000-0x0000000000D8F000-memory.dmpFilesize
60KB
-
memory/824-101-0x0000000000730000-0x000000000073D000-memory.dmpFilesize
52KB
-
memory/824-96-0x00000000006A0000-0x00000000006A3000-memory.dmpFilesize
12KB
-
memory/824-93-0x00000000006F0000-0x0000000000709000-memory.dmpFilesize
100KB
-
memory/824-92-0x00000000004E0000-0x00000000004E5000-memory.dmpFilesize
20KB
-
memory/888-64-0x0000000000260000-0x0000000000263000-memory.dmpFilesize
12KB
-
memory/888-57-0x0000000000000000-mapping.dmp
-
memory/888-65-0x00000000051B0000-0x000000000523C000-memory.dmpFilesize
560KB
-
memory/888-63-0x0000000000AF0000-0x0000000000AF1000-memory.dmpFilesize
4KB
-
memory/888-62-0x0000000075B71000-0x0000000075B73000-memory.dmpFilesize
8KB
-
memory/888-60-0x0000000001330000-0x0000000001331000-memory.dmpFilesize
4KB
-
memory/1256-55-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmpFilesize
8KB
-
memory/1344-84-0x0000000000000000-mapping.dmp
-
memory/1344-100-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/1680-56-0x0000000000000000-mapping.dmp
-
memory/1696-67-0x0000000000000000-mapping.dmp
-
memory/1696-94-0x0000000002221000-0x0000000002222000-memory.dmpFilesize
4KB
-
memory/1696-97-0x0000000002222000-0x0000000002224000-memory.dmpFilesize
8KB
-
memory/1696-89-0x0000000002220000-0x0000000002221000-memory.dmpFilesize
4KB
-
memory/1920-95-0x0000000002330000-0x0000000002F7A000-memory.dmpFilesize
12.3MB
-
memory/1920-90-0x0000000002330000-0x0000000002F7A000-memory.dmpFilesize
12.3MB
-
memory/1920-68-0x0000000000000000-mapping.dmp
-
memory/1928-91-0x0000000002590000-0x00000000031DA000-memory.dmpFilesize
12.3MB
-
memory/1928-98-0x0000000002590000-0x00000000031DA000-memory.dmpFilesize
12.3MB
-
memory/1928-66-0x0000000000000000-mapping.dmp