Analysis
-
max time kernel
149s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:17
General
-
Target
RF172474228ES.exe
-
Size
506KB
-
MD5
8bbd8695bdfb7fb7438053fcdb6d79a4
-
SHA1
202966c54b72362c2e8c18e09d368eedd7dcc62a
-
SHA256
d278d26f9221b6542223942ce10c1a6c34c8a550c0d8e0d724798cadaf160bfd
-
SHA512
716cfd55b155014338fa2ff99e9c999a98163aa0977d1a274e3ca9505aa681509dccfe3853809c297140f58d9e8c6c669865bf285a0aabf552fe4b246feb849c
Malware Config
Extracted
nanocore
1.2.2.0
185.140.53.9:9124
127.0.0.1:9124
abee0a6e-9120-44aa-a70c-1e32c9a07128
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-05T19:51:22.629259936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
9124
-
default_group
Wish
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
abee0a6e-9120-44aa-a70c-1e32c9a07128
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
185.140.53.9
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RF172474228ES.exe"C:\Users\Admin\AppData\Local\Temp\RF172474228ES.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\skzSSQhxUahA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E96.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7E96.tmpFilesize
1KB
MD5ff85fa666ae3822f8be113c5b40652df
SHA1071d8a8500f9eabdd47d0ad9bd93278e6b651f0a
SHA256c563fc8c6d81ac40cfe4fc2e8b3ef41b8274f071babef24c067e40a0fa835859
SHA51291d2604e92ebbf6964c7a7237f14d1a5baca2e56df71862e4b095a01c1a5f0333acb031ca913ab19dfe7ac05bdd387dd2d8e279c5c0d222740651752891e2652
-
memory/3668-138-0x0000000000000000-mapping.dmp
-
memory/3668-139-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4520-136-0x0000000000000000-mapping.dmp
-
memory/4716-130-0x00000000006E0000-0x0000000000764000-memory.dmpFilesize
528KB
-
memory/4716-131-0x0000000005130000-0x00000000051CC000-memory.dmpFilesize
624KB
-
memory/4716-132-0x0000000005780000-0x0000000005D24000-memory.dmpFilesize
5.6MB
-
memory/4716-133-0x00000000051D0000-0x0000000005262000-memory.dmpFilesize
584KB
-
memory/4716-134-0x00000000050F0000-0x00000000050FA000-memory.dmpFilesize
40KB
-
memory/4716-135-0x00000000053F0000-0x0000000005446000-memory.dmpFilesize
344KB