Analysis
- max time kernel: 140s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-05-2022 14:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55d261de4ebfec14610e3019bdb47e1d.exe
- Resource: win7-20220414-en
General
- Target: 55d261de4ebfec14610e3019bdb47e1d.exe
- Size: 663KB
- MD5: 55d261de4ebfec14610e3019bdb47e1d
- SHA1: a89750499dca367037b9388a820e8fb56cd2f3bb
- SHA256: 28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd
- SHA512: 1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 194.5.98.208:50720, suchwoni13.ddns.net:50720
- Mutex: b96b95d9-5642-498b-b1fc-e921a47a2e5a

Configuration keys:
- activate_away_mode: true
- backup_connection_host: suchwoni13.ddns.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-06-29T08:36:20.191838936Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: false
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 50720
- default_group: PUNK44
- enable_debug_mode: true
- gc_threshold: 1.0485779e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.0485779e+07
- mutex: b96b95d9-5642-498b-b1fc-e921a47a2e5a
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 194.5.98.208
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5009
- run_delay: 0
- run_on_startup: false
- set_critical_process: false
- timeout_interval: 5008
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: 55d261de4ebfec14610e3019bdb47e1d.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" (process: 55d261de4ebfec14610e3019bdb47e1d.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe" (process: 55d261de4ebfec14610e3019bdb47e1d.exe)
- Checks whether UAC is enabled (2 IoCs)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 55d261de4ebfec14610e3019bdb47e1d.exe)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 55d261de4ebfec14610e3019bdb47e1d.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 3372 set thread context of 2592 (55d261de4ebfec14610e3019bdb47e1d.exe -> 55d261de4ebfec14610e3019bdb47e1d.exe)
  PID 3676 set thread context of 4412 (55d261de4ebfec14610e3019bdb47e1d.exe -> 55d261de4ebfec14610e3019bdb47e1d.exe)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: 55d261de4ebfec14610e3019bdb47e1d.exe)
  File opened for modification: C:\Program Files (x86)\TCP Service\tcpsvc.exe (process: 55d261de4ebfec14610e3019bdb47e1d.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Rows by PID: 3372 (1), 2592 (3), 3676 (3), 4412 (6); every process is 55d261de4ebfec14610e3019bdb47e1d.exe.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4412 (55d261de4ebfec14610e3019bdb47e1d.exe)
- Suspicious use of AdjustPrivilegeToken (7 IoCs)
  Token: SeDebugPrivilege, rows by PID: 3372 (1), 2592 (3), 3676 (1), 4412 (2); every process is 55d261de4ebfec14610e3019bdb47e1d.exe.
- Suspicious use of WriteProcessMemory (22 IoCs)
  PID 3372 wrote to memory of 2592 (8 rows)
  PID 2592 wrote to memory of 3676 (3 rows)
  PID 3676 wrote to memory of 4120 (3 rows)
  PID 3676 wrote to memory of 4412 (8 rows)
  Source and target process in every row: 55d261de4ebfec14610e3019bdb47e1d.exe.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
    Command line: "{path}"
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
        Command line: "{path}"
      - [4] C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
        Command line: "{path}"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Program Files (x86)\TCP Service\tcpsvc.exe
  Filesize: 663KB
  MD5: 55d261de4ebfec14610e3019bdb47e1d
  SHA1: a89750499dca367037b9388a820e8fb56cd2f3bb
  SHA256: 28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd
  SHA512: 1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\55d261de4ebfec14610e3019bdb47e1d.exe.log
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
- C:\Users\Admin\AppData\Roaming\2C37A701-1043-4F89-B4D1-D05ED25C6971\catalog.dat
  Filesize: 128B
  MD5: 0a9c5eae8756d6fc90f59d8d71a79e1e
  SHA1: 0f7d6aaed17cd18dc614535ed26335c147e29ed7
  SHA256: b1921ea14c66927397baf3fa456c22b93c30c3de23546087c0b18551ce5001c5
  SHA512: 78c2f399ac49c78d89915dff99ac955b5e0ab07baad61b07b0ce073c88c1d3a9f1d302c2413691b349dd34441b0ff909c08a4f71e2f1b73f46c1ff308bc7cf9a
- C:\Users\Admin\AppData\Roaming\2C37A701-1043-4F89-B4D1-D05ED25C6971\run.dat
  Filesize: 8B
  MD5: 507b3af3fb96d7ec50d2cb98f1aecd5e
  SHA1: 4fb5b8cdeb5a7c09f7114e3831f577f30320b338
  SHA256: 4ffdea2b09a2e305d7c08e0f6294e13f95776f3d3b522a41d3573f4767eeff44
  SHA512: 50e54e3b38f8ee3bc91f2a53f822e167efad655ee765543883ab6dd69087113fef4f231c658047639ae19fabdffe2198318ab367a75cec288cdcc02ab90d51f7
- C:\Users\Admin\AppData\Roaming\2C37A701-1043-4F89-B4D1-D05ED25C6971\storage.dat
  Filesize: 268KB
  MD5: 1e639455652305f70a15588dcee082c7
  SHA1: 7e147851acfe18053f60702108b956fdf977e766
  SHA256: 31090e4756888688e0a0c50579e7f71b2880cb0ebe947d23c93a2225903da738
  SHA512: 255d4eb3149250ebb6d7adfdb9eff9ad6700869c308c1cd37613b3218952a5ae644b08a387ce2f23442e003599c9b178e4474d3ceb59e9ea72c53af6b5eeb4be
- memory/2592-135-0x0000000000000000-mapping.dmp
- memory/2592-136-0x0000000000400000-0x000000000043A000-memory.dmp
  Filesize: 232KB
- memory/3372-132-0x0000000004B90000-0x0000000004C22000-memory.dmp
  Filesize: 584KB
- memory/3372-130-0x00000000000F0000-0x000000000019C000-memory.dmp
  Filesize: 688KB
- memory/3372-131-0x0000000005140000-0x00000000056E4000-memory.dmp
  Filesize: 5.6MB
- memory/3372-134-0x0000000004B20000-0x0000000004B2A000-memory.dmp
  Filesize: 40KB
- memory/3372-133-0x0000000004C30000-0x0000000004CCC000-memory.dmp
  Filesize: 624KB
- memory/3676-137-0x0000000000000000-mapping.dmp
- memory/4120-139-0x0000000000000000-mapping.dmp
- memory/4412-140-0x0000000000000000-mapping.dmp
- memory/4412-146-0x0000000006780000-0x00000000067E6000-memory.dmp
  Filesize: 408KB