Analysis
- max time kernel: 187s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
- Resource: win7-20220414-en
General
- Target: Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
- Size: 489KB
- MD5: 10862bd9538040e6ce9d8c093d9e5abc
- SHA1: 96be2d74c24287941e0c683e920cdff848efa2c1
- SHA256: 430a7e324ab686d71a38548850bb90d018b0d7aec9cdbccb7289beb4d09f5a9f
- SHA512: bbb44029fb769fb266b3e42b7e0e0fed6365c98ec61b0049fd1533f93eff691f3bedcf9ce48f816d7f39bfdc31146d2ca4916f6c5f3be2c3da63ed18504a0d99
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: postnl.duckdns.org:1969
- C2: 127.0.0.1:1969
- Mutex: 03803fb4-9846-4772-b30e-fac43bb55ddb
Attributes:
- activate_away_mode: true
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-04-27T07:08:14.039616336Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: true
- connect_delay: 4000
- connection_port: 1969
- default_group: POSTNL
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: 03803fb4-9846-4772-b30e-fac43bb55ddb
- mutex_timeout: 5000
- prevent_system_sleep: true
- primary_connection_host: postnl.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
suricata: ET MALWARE Possible NanoCore C2 60B
-
Looks for VirtualBox Guest Additions in registry (2 TTPs)
-
Looks for VMWare Tools registry key (2 TTPs)
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                             | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description       | ioc                                                                                                | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                        | process
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          | pid  | process                                                             | target process
  PID 4256 set thread context of 5072  | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid  | process
  4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
  5072 | MSBuild.exe
  5072 | MSBuild.exe
  5072 | MSBuild.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid  | process
  5072 | MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
  Token: SeDebugPrivilege | 5072 | MSBuild.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                      | pid  | process                                                             | target process
  PID 4256 wrote to memory of 1412 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | schtasks.exe
  PID 4256 wrote to memory of 1412 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | schtasks.exe
  PID 4256 wrote to memory of 1412 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | schtasks.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
  PID 4256 wrote to memory of 5072 | 4256 | Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe | MSBuild.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Teklif açıklaması bilgileri Z0T5nOBüyükşehir Mh.Cumhuriyet Cdoc.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yzgSDq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA52.tmp"
    - Creates scheduled task(s)
  - [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpBA52.tmp
  Filesize: 1KB
  MD5: 6fd82e9816c16db80ac5fb98ca432860
  SHA1: b45e834e4b5706b5702a6bdf3e8b8f26b6356120
  SHA256: c9b4ffc25320370dd6a4c4628080550a5c5fe1cd01cff12f63bb9289edb94b4d
  SHA512: 2754ba3982b6075222aaf5cc0af09985e569b2abc150333c46b4c6d2bcf3fe12b9bd414ef108a7cd788db98e469b914b2e4f6719e8e7d7a8efcc3802eb461e47
- memory/1412-136-0x0000000000000000-mapping.dmp
- memory/4256-130-0x0000000000400000-0x0000000000480000-memory.dmp
  Filesize: 512KB
- memory/4256-131-0x00000000054F0000-0x0000000005A94000-memory.dmp
  Filesize: 5.6MB
- memory/4256-132-0x0000000004E20000-0x0000000004EB2000-memory.dmp
  Filesize: 584KB
- memory/4256-133-0x0000000005AA0000-0x0000000005C26000-memory.dmp
  Filesize: 1.5MB
- memory/4256-134-0x0000000005360000-0x00000000053FC000-memory.dmp
  Filesize: 624KB
- memory/4256-135-0x0000000000A30000-0x0000000000A96000-memory.dmp
  Filesize: 408KB
- memory/5072-138-0x0000000000000000-mapping.dmp
- memory/5072-139-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/5072-140-0x0000000004E40000-0x0000000004E4A000-memory.dmp
  Filesize: 40KB