Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:36

Static task: static1
Behavioral task: behavioral1
Sample: Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
Resource: win7-20220414-en
General
- Target: Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
- Size: 489KB
- MD5: 10862bd9538040e6ce9d8c093d9e5abc
- SHA1: 96be2d74c24287941e0c683e920cdff848efa2c1
- SHA256: 430a7e324ab686d71a38548850bb90d018b0d7aec9cdbccb7289beb4d09f5a9f
- SHA512: bbb44029fb769fb266b3e42b7e0e0fed6365c98ec61b0049fd1533f93eff691f3bedcf9ce48f816d7f39bfdc31146d2ca4916f6c5f3be2c3da63ed18504a0d99
Malware Config
Extracted
- family: nanocore
- version: 1.2.2.0
- C2: postnl.duckdns.org:1969, 127.0.0.1:1969
- mutex: 03803fb4-9846-4772-b30e-fac43bb55ddb

- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-27T07:08:14.039616336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 1969
- default_group: POSTNL
- enable_debug_mode: true
- gc_threshold: 10485760
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: 03803fb4-9846-4772-b30e-fac43bb55ddb
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: postnl.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
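The extracted config above is the most actionable part of the report. The following script is an added example (not code from the sandbox or from NanoCore) that turns it into blocking and hunting artefacts. CONFIG is copied from the report's fields. Two policies are this example's own assumptions: a loopback, private or unspecified backup address is treated as a builder default rather than a second C2 (the 127.0.0.1 here), and the generated Suricata rules use a local SID range starting at 1000001.

```python
"""Derive network and host IOCs from the NanoCore config extracted above.

Added example; not code from the sandbox report or from NanoCore.
CONFIG is copied from the report's "Malware Config" section. The
placeholder-host policy and the SID range 1000001+ are assumptions.
"""
import ipaddress

CONFIG = {
    "version": "1.2.2.0",
    "primary_connection_host": "postnl.duckdns.org",
    "backup_connection_host": "127.0.0.1",
    "connection_port": 1969,
    "mutex": "03803fb4-9846-4772-b30e-fac43bb55ddb",
    "default_group": "POSTNL",
    "use_custom_dns_server": False,
    "primary_dns_server": "8.8.8.8",
    "backup_dns_server": "8.8.4.4",
    "bypass_user_account_control": True,
    "request_elevation": True,
    "set_critical_process": True,
    "run_on_startup": True,
    "clear_zone_identifier": True,
    "keyboard_logging": False,
}

# Boolean settings that change how the implant behaves on the host. The
# selection is this example's, not a list defined by NanoCore.
BEHAVIOUR_FLAGS = ("bypass_user_account_control", "request_elevation",
                   "set_critical_process", "run_on_startup",
                   "clear_zone_identifier", "keyboard_logging")


def _as_ip(host):
    """Return an ip_address object for a literal IP, or None for a hostname."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def is_placeholder_host(host):
    """Builder defaults (127.0.0.1, 0.0.0.0, RFC 1918) are not real C2 addresses."""
    ip = _as_ip(host)
    return ip is not None and (ip.is_loopback or ip.is_private or ip.is_unspecified)


def c2_endpoints(cfg):
    """(host, port) pairs worth blocking or hunting; placeholders and duplicates dropped."""
    port = int(cfg["connection_port"])
    out = []
    for key in ("primary_connection_host", "backup_connection_host"):
        host = (cfg.get(key) or "").strip()
        if host and not is_placeholder_host(host) and (host, port) not in out:
            out.append((host, port))
    return out


def dns_server_iocs(cfg):
    """The configured resolvers are only contacted when use_custom_dns_server is set."""
    if not cfg.get("use_custom_dns_server"):
        return []
    return [cfg[k] for k in ("primary_dns_server", "backup_dns_server") if cfg.get(k)]


def suricata_rules(cfg, base_sid=1000001):
    """DNS rule plus port rule per hostname C2; one TCP rule per literal-IP C2."""
    rules, sid = [], base_sid
    for host, port in c2_endpoints(cfg):
        if _as_ip(host):
            rules.append(
                f'alert tcp $HOME_NET any -> {host} {port} '
                f'(msg:"NanoCore C2 {host} port {port}"; flow:to_server,established; '
                f'sid:{sid}; rev:1;)')
            sid += 1
        else:
            rules.append(
                f'alert dns $HOME_NET any -> any any '
                f'(msg:"NanoCore C2 DNS lookup {host}"; dns.query; content:"{host}"; '
                f'nocase; endswith; sid:{sid}; rev:1;)')
            sid += 1
            rules.append(
                f'alert tcp $HOME_NET any -> $EXTERNAL_NET {port} '
                f'(msg:"NanoCore C2 port {port} - port-only indicator"; '
                f'flow:to_server,established; sid:{sid}; rev:1;)')
            sid += 1
    return rules


def triage_summary(cfg):
    """Everything a responder needs from the config in one dict."""
    return {
        "c2": c2_endpoints(cfg),
        "dns_servers": dns_server_iocs(cfg),
        "mutex": cfg.get("mutex"),
        "group": cfg.get("default_group"),
        "enabled_flags": [f for f in BEHAVIOUR_FLAGS if cfg.get(f)],
    }


if __name__ == "__main__":
    print(triage_summary(CONFIG))
    print("\n".join(suricata_rules(CONFIG)))
```

Two points the script encodes: 8.8.8.8 and 8.8.4.4 are not indicators for this build because use_custom_dns_server is false, so the implant resolves postnl.duckdns.org through the system resolver; and the bare port-1969 rule is deliberately labelled as a weak indicator, since nothing in the config ties that port to a payload pattern, so the ET MALWARE Suricata signature that fired in this run remains the better network detection.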
Signatures
-
suricata: ET MALWARE Possible NanoCore C2 60B
-
Looks for VirtualBox Guest Additions in registry (2 TTPs)
-
Looks for VMWare Tools registry key (2 TTPs)
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments. Note that these are registry reads: Sysmon records key creation and deletion, value writes and renames, but not reads, so this evidence comes from the sandbox's own monitoring and the same behaviour will not appear in Sysmon telemetry on a production host.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe)
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe)
-
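The four registry signatures above (VirtualBox Guest Additions key, VMware Tools key, SystemBiosVersion/VideoBiosVersion, Disk\Enum) are the checks a sandbox operator has to defeat for this sample to proceed to C2. The script below is an added example, not part of the report, that audits a guest for exactly those tells. The registry paths are the standard locations for these values; SAMPLE_VALUES is a constructed set of values resembling a stock VirtualBox guest, and the MARKERS list is this example's own choice.

```python
"""Audit a VM's registry for the hypervisor tells this sample looks for.

Added example for sandbox operators; not part of the report. The registry
paths are the standard locations for these values; SAMPLE_VALUES is a
constructed VirtualBox-like set and MARKERS is this example's assumption.
"""
import sys

# (HKLM-relative key, value name); a value name of None means "does the key exist".
CHECKS = [
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    (r"SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"),
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", None),
    (r"SOFTWARE\VMware, Inc.\VMware Tools", None),
]
MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs", "xen")


def read_values():
    """Read CHECKS from HKLM on Windows; on other platforms return an empty dict."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    out = {}
    for key, name in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                if name is None:
                    out[(key, None)] = "<present>"
                else:
                    val, _ = winreg.QueryValueEx(k, name)
                    # SystemBiosVersion is REG_MULTI_SZ and comes back as a list.
                    out[(key, name)] = val if isinstance(val, str) else " ".join(map(str, val))
        except OSError:
            continue  # key or value absent: nothing to report for it
    return out


def vm_tells(values):
    """Return (key, value name, marker) for every value that betrays a hypervisor."""
    tells = []
    for (key, name), val in values.items():
        if name is None:
            tells.append((key, None, "key present"))
            continue
        low = str(val).lower()
        for marker in MARKERS:
            if marker in low:
                tells.append((key, name, marker))
                break
    return tells


# Constructed sample resembling a stock VirtualBox guest (illustrative values only).
SAMPLE_VALUES = {
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): "VBOX   - 1",
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"): "Oracle VM VirtualBox Version 6.1.32",
    (r"SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"):
        r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1d6a2e2&0&0.0.0",
    (r"SOFTWARE\Oracle\VirtualBox Guest Additions", None): "<present>",
}


if __name__ == "__main__":
    live = read_values() or SAMPLE_VALUES
    for key, name, marker in vm_tells(live):
        print(f"{key}\\{name or ''}: {marker}")
```

Run on the analysis VM itself; anything vm_tells returns is a string the sample can read with a single registry query. Disk\Enum is the one most often forgotten when the BIOS strings have already been patched.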
Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 1596 (Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe) set thread context of PID 456 (MSBuild.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour, but this sample is a NanoCore RAT, the same process has just read the registry's disk enumeration, and the report shows no file encryption activity, so the drive enumeration is consistent with the sandbox-detection checks above rather than with ransomware staging.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 1596 Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
- PID 456 MSBuild.exe (3 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1596, Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
- Token: SeDebugPrivilege, PID 456, MSBuild.exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
- PID 1596 (Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe) wrote to memory of PID 564 (schtasks.exe), 4 entries
- PID 1596 (Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe) wrote to memory of PID 456 (MSBuild.exe), 9 entries
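Read together, the SetThreadContext and WriteProcessMemory signatures describe process hollowing of MSBuild.exe, and the memory dumps listed later in the report (a 224KB region at 0x400000 in PID 456 and a mapping at 0x41E792 inside it) show where the injected image landed. The script below is an added example, not part of the report, that applies that reasoning mechanically: PROCESSES, EVENTS and DUMPS are transcribed from this report, while the HOLLOW_HOSTS list and the scoring rules are this example's own assumptions.

```python
"""Flag process hollowing from the injection signatures and memory dumps above.

Added example; not part of the sandbox report. PROCESSES, EVENTS and DUMPS are
transcribed from the report (PIDs 1596, 564 and 456). HOLLOW_HOSTS and the
scoring rules are this example's assumptions.
"""
import re
from collections import defaultdict

# Signed .NET framework binaries that loaders commonly hollow (assumed list).
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe", "applaunch.exe"}

SAMPLE = "Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe"

# pid -> (image name, command line), from the report's process tree.
PROCESSES = {
    1596: (SAMPLE, f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    564: ("schtasks.exe", '"C:\\Windows\\System32\\schtasks.exe" /Create /TN '
                          '"Updates\\yzgSDq" /XML '
                          '"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6604.tmp"'),
    456: ("MSBuild.exe", '"{path}"'),
}

# From the WriteProcessMemory (13 IoCs) and SetThreadContext (1 IoC) tables.
EVENTS = [
    {"src": 1596, "dst": 564, "op": "WriteProcessMemory", "count": 4},
    {"src": 1596, "dst": 456, "op": "WriteProcessMemory", "count": 9},
    {"src": 1596, "dst": 456, "op": "SetThreadContext", "count": 1},
]

# Dump names exactly as listed under "Downloads" in the report (subset).
DUMPS = [
    "memory/456-60-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/456-67-0x000000000041E792-mapping.dmp",
    "memory/456-73-0x0000000000460000-0x000000000046A000-memory.dmp",
    "memory/564-58-0x0000000000000000-mapping.dmp",
    "memory/1596-54-0x0000000000260000-0x00000000002E0000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp")


def parse_dump(name):
    """memory/<pid>-<n>-0x<start>[-0x<end>]-<kind>.dmp -> dict, or None if malformed."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    return {"pid": int(m["pid"]), "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None}


def entry_region(dumps, pid):
    """(entry, (start, end)) when the pid's mapped entry point lies inside a dumped region."""
    parsed = [d for d in map(parse_dump, dumps) if d and d["pid"] == pid]
    for entry in (d["start"] for d in parsed if d["kind"] == "mapping" and d["start"]):
        for d in parsed:
            if d["kind"] == "memory" and d["start"] <= entry < d["end"]:
                return entry, (d["start"], d["end"])
    return None


def find_hollowing(processes, events, dumps):
    """A child that receives both memory writes and SetThreadContext from one parent."""
    ops = defaultdict(set)
    for e in events:
        ops[(e["src"], e["dst"])].add(e["op"])
    findings = []
    for (src, dst), seen in ops.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= seen:
            continue  # writes alone also occur during an ordinary CreateProcess
        image, cmdline = processes.get(dst, ("?", ""))
        reasons = ["WriteProcessMemory and SetThreadContext from the same parent"]
        if image.lower() in HOLLOW_HOSTS:
            reasons.append(f"{image} is a commonly hollowed .NET host")
        if cmdline.strip('" ') in ("", "{path}"):
            reasons.append("child started with an empty or placeholder command line")
        hit = entry_region(dumps, dst)
        if hit:
            entry, (lo, hi) = hit
            reasons.append(f"new entry point 0x{entry:X} lies in written region "
                           f"0x{lo:X}-0x{hi:X} ({(hi - lo) // 1024} KB)")
        findings.append({"source": src, "target": dst, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(PROCESSES, EVENTS, DUMPS):
        print(f"PID {f['source']} -> PID {f['target']} ({f['image']})")
        for r in f["reasons"]:
            print("  -", r)
```

The writes into schtasks.exe (PID 564) are not flagged: they arrive without a SetThreadContext, which is what CreateProcess itself looks like to this kind of monitor, since the parent writes the child's process parameters before it starts. The sandbox's raw "wrote to memory" count is therefore not evidence of injection on its own; the pairing with SetThreadContext, a trusted host image and a placeholder command line is.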
Processes
- C:\Users\Admin\AppData\Local\Temp\Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe (the 32-bit parent's System32 path is redirected to SysWOW64 by WOW64, which is why the image path and the command line differ)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yzgSDq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6604.tmp"
    - Creates scheduled task(s)
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
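The schtasks.exe invocation in the tree above is the persistence mechanism: a task created from an XML definition dropped in the user's Temp directory (the 1KB tmp6604.tmp listed under Downloads), under a task folder with a random-looking name. The script below is an added example, not from the report, that triages a schtasks command line for those traits. CMDLINE is the line shown for PID 564; the switch table is a partial model of schtasks syntax, and the "staged from Temp" and random-name heuristics are this example's own.

```python
"""Triage a schtasks.exe command line such as the one for PID 564 above.

Added example; not from the report. CMDLINE is the command line the report
shows for PID 564. The switch table is a partial model of schtasks syntax;
the "staged from Temp" and random-name heuristics are this example's own.
"""
import re

CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yzgSDq" '
           r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6604.tmp"')

ACTIONS = {"create", "delete", "query", "change", "run", "end"}
# Switches that take no value (partial list; unknown switches are assumed to take one).
NO_VALUE = {"f", "z", "v1", "it", "np", "enable", "disable", "hresult"}


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted runs intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_schtasks(cmd):
    """Return {'image', 'action', 'args'} with switch names lower-cased."""
    toks = tokenize(cmd)
    parsed = {"image": toks[0] if toks else "", "action": None, "args": {}}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        sw = tok[1:].lower()
        takes_value = (sw not in NO_VALUE and i + 1 < len(toks)
                       and not toks[i + 1].startswith("/"))
        if sw in ACTIONS:
            parsed["action"] = sw
            i += 1
        elif takes_value:
            parsed["args"][sw] = toks[i + 1]
            i += 2
        else:
            parsed["args"][sw] = True
            i += 1
    return parsed


def looks_random(task_name):
    """Heuristic: mixed-case leaf name with almost no vowels, like 'yzgSDq'."""
    leaf = task_name.rsplit("\\", 1)[-1]
    letters = [c for c in leaf if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    mixed = any(c.islower() for c in letters) and any(c.isupper() for c in letters)
    return mixed and vowels / len(letters) < 0.2


def staged_from_temp(path):
    """A task definition written to a temp directory was dropped by an installer, not an admin."""
    low = path.lower()
    return ("\\appdata\\local\\temp\\" in low or "\\windows\\temp\\" in low
            or low.endswith(".tmp"))


def triage(cmd):
    """Persistence indicators for one schtasks command line."""
    parsed = parse_schtasks(cmd)
    args = parsed["args"]
    tn = args.get("tn") if isinstance(args.get("tn"), str) else ""
    xml = args.get("xml") if isinstance(args.get("xml"), str) else ""
    return {
        "creates_task": parsed["action"] == "create",
        "task_name": tn,
        "xml_path": xml,
        "xml_from_temp": bool(xml) and staged_from_temp(xml),
        "random_name": looks_random(tn),
    }


if __name__ == "__main__":
    for key, value in triage(CMDLINE).items():
        print(f"{key}: {value}")
```

When /XML is used, the command line does not reveal the trigger or the action; those live in the XML file, so on a live host the next step is to export the task (schtasks /Query /TN "Updates\yzgSDq" /XML) and read its Exec element, since the dropped tmp6604.tmp is usually deleted once the task exists.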
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6604.tmp
- Filesize: 1KB
- MD5: 7c131edf6573d76ff566007c4eaeb438
- SHA1: 8d30e052313902a4c5e64d8a895da2dbafcf4941
- SHA256: 62b96aced1da00991ebe65dc9c1855ec51a016d954058dfbf7b06852b41acf95
- SHA512: 6c10bc254eac54eb38465eb0720aebb5f60835d45855b3b22749830696de58fb34c8fe59badbfb485549528f611991b247b82a1dcb41e05820f76db1a12df14e
-
Memory dumps:
- memory/456-69-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/456-73-0x0000000000460000-0x000000000046A000-memory.dmp (40KB)
- memory/456-61-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/456-76-0x0000000004995000-0x00000000049A6000-memory.dmp (68KB)
- memory/456-60-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/456-64-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/456-63-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/456-67-0x000000000041E792-mapping.dmp
- memory/456-75-0x0000000000470000-0x000000000047A000-memory.dmp (40KB)
- memory/456-74-0x00000000004D0000-0x00000000004EE000-memory.dmp (120KB)
- memory/456-66-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/456-71-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/564-58-0x0000000000000000-mapping.dmp
- memory/1596-54-0x0000000000260000-0x00000000002E0000-memory.dmp (512KB)
- memory/1596-56-0x0000000000350000-0x000000000035A000-memory.dmp (40KB)
- memory/1596-55-0x0000000075C51000-0x0000000075C53000-memory.dmp (8KB)
- memory/1596-57-0x00000000020D0000-0x0000000002110000-memory.dmp (256KB)