Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
29-10-2021 14:39
Static task
static1
Behavioral task
behavioral1
Sample
#CHOO1.js
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
#CHOO1.js
Resource
win10-en-20211014
Behavioral task
behavioral3
Sample
#CHOO2.js
Resource
win7-en-20210920
General
-
Target
#CHOO2.js
-
Size
7KB
-
MD5
4fc18805b5686d320a0ccdab8438ed7e
-
SHA1
afbe3e8f7448be3ace8f48f37c1524748533ed94
-
SHA256
7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
-
SHA512
9ec6470aadce9ddaebd57167658d1a8a22ddb496e452b3a4574d3c8fa8b5d643e49d96b31df64f89fe3847bc4c7be792e21f8de063be07ef3452e936931ded14
Malware Config
Extracted
nanocore
1.2.2.0
nanoboss.duckdns.org:6129
f795cec6-1cfb-44f9-898a-e041c33422fe
-
activate_away_mode
false
-
backup_connection_host
nanoboss.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-08-10T14:25:49.368918836Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6129
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f795cec6-1cfb-44f9-898a-e041c33422fe
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
nanoboss.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
-
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
-
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exe | flow: 6 | pid: 656 | process: wscript.exe
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
nano6129.exe | pid: 3492 | process: nano6129.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
nano6129.exe | description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe" | process: nano6129.exe
Checks whether UAC is enabled
Processes:
nano6129.exe | description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: nano6129.exe
Drops file in Program Files directory 2 IoCs
Processes:
nano6129.exe | description: File created | ioc: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | process: nano6129.exe
nano6129.exe | description: File opened for modification | ioc: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe | process: nano6129.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe | pid: 1624 | process: schtasks.exe
schtasks.exe, schtasks.exe | pid: 3596 | process: schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
nano6129.exe | pid: 3492 | process: nano6129.exe (this row is listed 6 times, one per IoC)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
nano6129.exe | pid: 3492 | process: nano6129.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
nano6129.exe | description: Token: SeDebugPrivilege | pid: 3492 | process: nano6129.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
wscript.exe, nano6129.exe | description | pid | process | target process
PID 656 wrote to memory of 3492 | 656 | wscript.exe | nano6129.exe (listed 3 times)
PID 3492 wrote to memory of 1624 | 3492 | nano6129.exe | schtasks.exe (listed 3 times)
PID 3492 wrote to memory of 3596 | 3492 | nano6129.exe | schtasks.exe (listed 3 times)
Processes
-
C:\Windows\system32\wscript.exe — command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\#CHOO2.js (process tree depth 1)
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nano6129.exe — command line: "C:\Users\Admin\AppData\Local\Temp\nano6129.exe" (process tree depth 2)
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe — command line: "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB27.tmp" (process tree depth 3)
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe — command line: "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCBF.tmp" (process tree depth 3)
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nano6129.exe
MD5 4c342f040ad8b94e4f814e1f62e488ed
SHA1 f440ce00e772abd74f9e9e0ff8d227792b48712c
SHA256 988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7
SHA512 046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc
-
C:\Users\Admin\AppData\Local\Temp\nano6129.exe
MD5 4c342f040ad8b94e4f814e1f62e488ed
SHA1 f440ce00e772abd74f9e9e0ff8d227792b48712c
SHA256 988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7
SHA512 046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc
-
C:\Users\Admin\AppData\Local\Temp\tmpB27.tmp
MD5 c04dd5db5ad0101acca7163a01d3e067
SHA1 d264e1533dd4275af3748d386a77843386fd4b38
SHA256 d0c5ea5cd181a81af880a92988e689623f65586add14524daade790313167051
SHA512 96bcce0ba28fc21621af5de08cb0d68258e02d90e699c90731dfa486712d6e2740932f17bef70933cbf7e3d4c29ab41f127ccc4b32480c5520a331f83fa36900
-
C:\Users\Admin\AppData\Local\Temp\tmpCBF.tmp
MD5 b3b017f9df206021717a11f11d895402
SHA1 e4ea12823af6550ee634536eec1eb14490580a3b
SHA256 654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024
SHA512 95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343
-
memory/1624-119-0x0000000000000000-mapping.dmp
-
memory/3492-115-0x0000000000000000-mapping.dmp
-
memory/3492-118-0x00000000028F0000-0x00000000028F1000-memory.dmp
Filesize 4KB
-
memory/3596-121-0x0000000000000000-mapping.dmp