Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:48
General
-
Target
0K408j3RN7U8UB6.exe
-
Size
444KB
-
MD5
0d2a1d6662af45ba909226b2992798b0
-
SHA1
40f3e3e5f00436a1f779e9eafb15bcf3c1c8ae3e
-
SHA256
358935d89163fa342e0707a3be3e844b44df91341a48dcf1c28d8b8c8424e6b5
-
SHA512
f0eed196650f254d916c2041f157788dffed25e27f76c0f043f111492e058a1a784d94c062e0c3fd39e04671ba089b99b92c2159022d90992a9eb13877fa2727
Malware Config
Extracted
nanocore
1.2.2.0
darlingtondc.hopto.org:1905
185.165.153.17:1905
f1e189ea-bf5f-4d37-b84c-3b194f4e6fe7
-
activate_away_mode
true
-
backup_connection_host
185.165.153.17
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-14T23:32:54.424872236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1905
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
f1e189ea-bf5f-4d37-b84c-3b194f4e6fe7
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
darlingtondc.hopto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe"C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eECnqy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FAD.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\0K408j3RN7U8UB6.exe"{path}"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1FAD.tmpFilesize
1KB
MD5dbafda3fab23f97ed35c006e4ad69e41
SHA1c948736c2e094d4d5b8cc228733860eef4e82f69
SHA256952997cf21e3e8f081cf5ae96dba05dd5b99261292af3596463006f757973906
SHA512bbbb6fded058ec3f73a338d26c816ac8d801810ee5b2e4f013d2d5a76af7d2e0fe1130d4ceb2a3b0e99365a71906049f02fb6b08868cdd54b406da9afc1a1107
-
memory/1320-130-0x0000000075210000-0x00000000757C1000-memory.dmpFilesize
5.7MB
-
memory/2148-131-0x0000000000000000-mapping.dmp
-
memory/5036-133-0x0000000000000000-mapping.dmp
-
memory/5108-134-0x0000000000000000-mapping.dmp
-
memory/5108-135-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/5108-136-0x0000000075210000-0x00000000757C1000-memory.dmpFilesize
5.7MB