Analysis
- max time kernel: 122s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-05-2022 14:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55d261de4ebfec14610e3019bdb47e1d.exe
- Resource: win7-20220414-en
General
- Target: 55d261de4ebfec14610e3019bdb47e1d.exe
- Size: 663KB
- MD5: 55d261de4ebfec14610e3019bdb47e1d
- SHA1: a89750499dca367037b9388a820e8fb56cd2f3bb
- SHA256: 28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd
- SHA512: 1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 194.5.98.208:50720, suchwoni13.ddns.net:50720
- Mutex: b96b95d9-5642-498b-b1fc-e921a47a2e5a

Configuration keys:
- activate_away_mode: true
- backup_connection_host: suchwoni13.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-06-29T08:36:20.191838936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 50720
- default_group: PUNK44
- enable_debug_mode: true
- gc_threshold: 1.0485779e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485779e+07
- mutex: b96b95d9-5642-498b-b1fc-e921a47a2e5a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 194.5.98.208
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5009
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5008
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe" | 55d261de4ebfec14610e3019bdb47e1d.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsv.exe" | 55d261de4ebfec14610e3019bdb47e1d.exe

- Checks whether UAC is enabled (2 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 55d261de4ebfec14610e3019bdb47e1d.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 55d261de4ebfec14610e3019bdb47e1d.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | process | target process
  PID 848 set thread context of 1720 | 848 | 55d261de4ebfec14610e3019bdb47e1d.exe | 55d261de4ebfec14610e3019bdb47e1d.exe
  PID 2044 set thread context of 1600 | 2044 | 55d261de4ebfec14610e3019bdb47e1d.exe | 55d261de4ebfec14610e3019bdb47e1d.exe

- Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\Program Files (x86)\DSL Service\dslsv.exe | 55d261de4ebfec14610e3019bdb47e1d.exe
  File opened for modification | C:\Program Files (x86)\DSL Service\dslsv.exe | 55d261de4ebfec14610e3019bdb47e1d.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | process
  848 | 55d261de4ebfec14610e3019bdb47e1d.exe (1 entry)
  1720 | 55d261de4ebfec14610e3019bdb47e1d.exe (2 entries)
  2044 | 55d261de4ebfec14610e3019bdb47e1d.exe (1 entry)
  1600 | 55d261de4ebfec14610e3019bdb47e1d.exe (4 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | process
  1600 | 55d261de4ebfec14610e3019bdb47e1d.exe

- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 848 | 55d261de4ebfec14610e3019bdb47e1d.exe (1 entry)
  Token: SeDebugPrivilege | 1720 | 55d261de4ebfec14610e3019bdb47e1d.exe (3 entries)
  Token: SeDebugPrivilege | 2044 | 55d261de4ebfec14610e3019bdb47e1d.exe (1 entry)
  Token: SeDebugPrivilege | 1600 | 55d261de4ebfec14610e3019bdb47e1d.exe (2 entries)

- Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | process | target process
  PID 848 wrote to memory of 1720 | 848 | 55d261de4ebfec14610e3019bdb47e1d.exe | 55d261de4ebfec14610e3019bdb47e1d.exe (9 entries)
  PID 1720 wrote to memory of 2044 | 1720 | 55d261de4ebfec14610e3019bdb47e1d.exe | 55d261de4ebfec14610e3019bdb47e1d.exe (4 entries)
  PID 2044 wrote to memory of 1600 | 2044 | 55d261de4ebfec14610e3019bdb47e1d.exe | 55d261de4ebfec14610e3019bdb47e1d.exe (9 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
        Command line: "{path}"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Program Files (x86)\DSL Service\dslsv.exe
  Filesize: 663KB
  MD5: 55d261de4ebfec14610e3019bdb47e1d
  SHA1: a89750499dca367037b9388a820e8fb56cd2f3bb
  SHA256: 28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd
  SHA512: 1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e

- C:\Users\Admin\AppData\Roaming\5A8ED3AC-CAE1-4E8B-9FD6-2D374700ADEF\catalog.dat
  Filesize: 128B
  MD5: 0a9c5eae8756d6fc90f59d8d71a79e1e
  SHA1: 0f7d6aaed17cd18dc614535ed26335c147e29ed7
  SHA256: b1921ea14c66927397baf3fa456c22b93c30c3de23546087c0b18551ce5001c5
  SHA512: 78c2f399ac49c78d89915dff99ac955b5e0ab07baad61b07b0ce073c88c1d3a9f1d302c2413691b349dd34441b0ff909c08a4f71e2f1b73f46c1ff308bc7cf9a

- C:\Users\Admin\AppData\Roaming\5A8ED3AC-CAE1-4E8B-9FD6-2D374700ADEF\run.dat
  Filesize: 8B
  MD5: 02ed04c2b696af15b53ba88a6abaef66
  SHA1: b189b360761eb7b8996985887c6220c578a699ab
  SHA256: 02d1c62f7dcb882380998930dd5ced798deb5a15c3791fc2e0e25ca9eed34483
  SHA512: 058052e26ea94795bec2123b9bbe66bcb6cd74a232a9d9e9ec8cfe8a19379ad88856de287e07f66f70e33ed29c25da4d33acb721df78f2804e8909481344965e

- C:\Users\Admin\AppData\Roaming\5A8ED3AC-CAE1-4E8B-9FD6-2D374700ADEF\storage.dat
  Filesize: 268KB
  MD5: 1e639455652305f70a15588dcee082c7
  SHA1: 7e147851acfe18053f60702108b956fdf977e766
  SHA256: 31090e4756888688e0a0c50579e7f71b2880cb0ebe947d23c93a2225903da738
  SHA512: 255d4eb3149250ebb6d7adfdb9eff9ad6700869c308c1cd37613b3218952a5ae644b08a387ce2f23442e003599c9b178e4474d3ceb59e9ea72c53af6b5eeb4be

Memory dumps:
- memory/848-58-0x00000000009C0000-0x00000000009FA000-memory.dmp (Filesize: 232KB)
- memory/848-54-0x0000000000DD0000-0x0000000000E7C000-memory.dmp (Filesize: 688KB)
- memory/848-57-0x0000000005170000-0x00000000051FE000-memory.dmp (Filesize: 568KB)
- memory/848-56-0x0000000000480000-0x000000000048A000-memory.dmp (Filesize: 40KB)
- memory/848-55-0x0000000075951000-0x0000000075953000-memory.dmp (Filesize: 8KB)
- memory/1600-100-0x0000000000770000-0x0000000000784000-memory.dmp (Filesize: 80KB)
- memory/1600-99-0x0000000000790000-0x00000000007BE000-memory.dmp (Filesize: 184KB)
- memory/1600-98-0x0000000000750000-0x000000000075E000-memory.dmp (Filesize: 56KB)
- memory/1600-97-0x0000000000510000-0x0000000000524000-memory.dmp (Filesize: 80KB)
- memory/1600-96-0x00000000006D0000-0x00000000006EA000-memory.dmp (Filesize: 104KB)
- memory/1600-95-0x0000000000440000-0x000000000044C000-memory.dmp (Filesize: 48KB)
- memory/1600-85-0x000000000041E792-mapping.dmp
- memory/1720-62-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1720-75-0x00000000005E0000-0x00000000005EA000-memory.dmp (Filesize: 40KB)
- memory/1720-74-0x00000000003E0000-0x00000000003FE000-memory.dmp (Filesize: 120KB)
- memory/1720-73-0x00000000003D0000-0x00000000003DC000-memory.dmp (Filesize: 48KB)
- memory/1720-72-0x0000000000380000-0x000000000038A000-memory.dmp (Filesize: 40KB)
- memory/1720-70-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1720-68-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1720-66-0x000000000041E792-mapping.dmp
- memory/1720-65-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1720-63-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1720-59-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1720-60-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/2044-76-0x0000000000000000-mapping.dmp