Analysis
-
max time kernel
169s -
max time network
177s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:50
General
-
Target
SecuriteInfo.com.Variant.Tedy.122593.7296.exe
-
Size
1.0MB
-
MD5
a3f9db216c595bbb5081ad0430248975
-
SHA1
e06a7da7340e4e27d9737e58554ab4419116a0e2
-
SHA256
647c540fe4c9f3dc5a06c978ff0644905b07a53517e637f674a089f866a135d0
-
SHA512
3a6eb7aac3afed0438d1005f4534cc9a45b6697b8c0c266d1fae1b32cf84cd15726a005fc707ff2500f8b2bc045ea7ec20c715efeb4211e6b4b33d6c1afa56a5
Malware Config
Extracted
nanocore
1.2.2.0
185.220.69.56:6662
nwme22.duckdns.org:6662
20fcb0e8-3b1f-4bdb-88e7-54967ec4f249
-
activate_away_mode
true
-
backup_connection_host
nwme22.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-02-27T22:17:25.361662736Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
6662
-
default_group
PDF
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
20fcb0e8-3b1f-4bdb-88e7-54967ec4f249
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
185.220.69.56
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Windows security bypass 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\9f3df393cbbd19b\svchost.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.122593.7296.exe"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD56758b138e4d24e637c4dca50039f62b7
SHA1e8c3e85d1068c4a4524554d720de960282be8420
SHA25685da73fea35bffc001139379b68575dc733c16896dceb8a48f1f3a10fcd6a784
SHA51250bb69d778b88dfe1d096e47a6a9a374b887341c508593b841996bc9695fcaf115a8ee0eabd809925b40a29644b3de5bf8b821c1af97d524c3939027f4259481
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD57405491082b59c16603933cd96a91097
SHA1bd8786e265e3103a9a8f5a0be450178ff50bd75a
SHA256c9be617a8ac780664a1686b607fa680271ceac606187af0b47c5ddab187b6cb5
SHA51299c2557edf6a4261f6c1445e00977c854851f859f4220e5492ea545ed0cf7b2a38fff2a8b7e79ba77fd2c4f6d3e8eb71bc8db166fe9b4f5919af537e50ad5018
-
memory/1940-144-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1940-143-0x0000000000000000-mapping.dmp
-
memory/2240-131-0x0000000004AE0000-0x0000000004B7C000-memory.dmpFilesize
624KB
-
memory/2240-132-0x0000000005180000-0x0000000005724000-memory.dmpFilesize
5.6MB
-
memory/2240-133-0x0000000004C70000-0x0000000004D02000-memory.dmpFilesize
584KB
-
memory/2240-134-0x00000000050E0000-0x0000000005146000-memory.dmpFilesize
408KB
-
memory/2240-130-0x0000000000DC0000-0x0000000000ED2000-memory.dmpFilesize
1.1MB
-
memory/2240-140-0x0000000008680000-0x000000000868A000-memory.dmpFilesize
40KB
-
memory/3616-138-0x0000000000EE0000-0x0000000000F16000-memory.dmpFilesize
216KB
-
memory/3616-155-0x0000000007160000-0x000000000716E000-memory.dmpFilesize
56KB
-
memory/3616-157-0x0000000007250000-0x0000000007258000-memory.dmpFilesize
32KB
-
memory/3616-135-0x0000000000000000-mapping.dmp
-
memory/3616-154-0x00000000071B0000-0x0000000007246000-memory.dmpFilesize
600KB
-
memory/3616-152-0x00000000060A0000-0x00000000060BA000-memory.dmpFilesize
104KB
-
memory/3616-146-0x0000000006BD0000-0x0000000006C02000-memory.dmpFilesize
200KB
-
memory/3616-148-0x000000006F850000-0x000000006F89C000-memory.dmpFilesize
304KB
-
memory/4452-151-0x0000000007F30000-0x00000000085AA000-memory.dmpFilesize
6.5MB
-
memory/4452-150-0x000000006F850000-0x000000006F89C000-memory.dmpFilesize
304KB
-
memory/4452-153-0x0000000007970000-0x000000000797A000-memory.dmpFilesize
40KB
-
memory/4452-145-0x0000000006460000-0x000000000647E000-memory.dmpFilesize
120KB
-
memory/4452-142-0x0000000005EA0000-0x0000000005F06000-memory.dmpFilesize
408KB
-
memory/4452-156-0x0000000007C40000-0x0000000007C5A000-memory.dmpFilesize
104KB
-
memory/4452-139-0x0000000005650000-0x0000000005C78000-memory.dmpFilesize
6.2MB
-
memory/4452-136-0x0000000000000000-mapping.dmp
-
memory/4924-149-0x0000000006560000-0x000000000657E000-memory.dmpFilesize
120KB
-
memory/4924-147-0x000000006F850000-0x000000006F89C000-memory.dmpFilesize
304KB
-
memory/4924-141-0x0000000005050000-0x0000000005072000-memory.dmpFilesize
136KB
-
memory/4924-137-0x0000000000000000-mapping.dmp