Analysis
max time kernel: 208s
max time network: 228s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 11:37

Static task: static1
Behavioral task: behavioral1
Sample: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
Resource: win7-20220414-en
General
Target: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
Size: 428KB
MD5: 5c97a7efb2e566c2a07a5221dc6fdaf9
SHA1: 4f73711d24f3f73e0258605eb80eb163e6d2eacc
SHA256: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4
SHA512: 4f976c28b41cde0bc1310a73a7bfcb20a1f81d34ac998bdd42a5822e5cef679b7981f57da3fd519e8d1a9043a310ffd565ab9570fc27badb1f745e1656950fc2
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: 194.5.97.107:8462
C2: 127.0.0.1:8462
Mutex: c1d1b480-0940-4605-a63e-4132bf3712e1
Attributes:
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-04-17T08:11:07.990222936Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: true
connect_delay: 4000
connection_port: 8462
default_group: A
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: c1d1b480-0940-4605-a63e-4132bf3712e1
mutex_timeout: 5000
prevent_system_sleep: true
primary_connection_host: 194.5.97.107
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
- Checks whether UAC is enabled (1 IoCs)
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
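The three sandbox-evasion signatures above (BIOS version, video BIOS version, Disk\Enum entry 0) plus the EnableLUA read are all plain registry value reads, so an analyst can replay them against a sandbox image to see exactly what this sample would see. The script below is an added example, not code from the sandbox report or from the NanoCore sample: it takes a registry snapshot (a dict keyed by HKLM subkey and value name), reports which of the sample's probes expose a hypervisor marker, and reports the UAC state. The marker substrings and the two snapshots are assumptions constructed for illustration, not data from this analysis; `live_snapshot()` reads the real values with `winreg` and only works on Windows.

```python
"""Replay the registry probes this sample performs against a snapshot.
Added example, not part of the sandbox report or of the NanoCore sample."""
import sys
from typing import Dict, List, Tuple, Union

RegValue = Union[str, List[str], int]        # REG_SZ, REG_MULTI_SZ, REG_DWORD
Snapshot = Dict[Tuple[str, str], RegValue]   # (HKLM subkey, value name) -> data

# The exact values the sample queried, taken from the IoCs in this report.
BIOS_KEY = r"HARDWARE\DESCRIPTION\System"
DISK_KEY = r"SYSTEM\ControlSet001\Services\Disk\Enum"
UAC_VALUE = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
VM_PROBES = [(BIOS_KEY, "SystemBiosVersion"), (BIOS_KEY, "VideoBiosVersion"), (DISK_KEY, "0")]

# Hypervisor substrings commonly seen in those values. Assumption: an
# illustrative list, not the string table the sample itself carries.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN")


def _as_text(value: RegValue) -> str:
    # REG_MULTI_SZ arrives as a list of strings; flatten it for matching.
    return " ".join(value) if isinstance(value, list) else str(value)


def vm_artifacts(snapshot: Snapshot) -> List[Tuple[str, str]]:
    """(value path, marker) for each hypervisor marker visible through the
    sample's probes. A missing value is treated as empty, not as an error."""
    hits = []
    for key, name in VM_PROBES:
        text = _as_text(snapshot.get((key, name), "")).upper()
        for marker in VM_MARKERS:
            if marker in text:
                hits.append((f"HKLM\\{key}\\{name}", marker))
    return hits


def uac_enabled(snapshot: Snapshot) -> bool:
    """EnableLUA != 0 means UAC is on; an absent value is the Windows default (on)."""
    return int(snapshot.get(UAC_VALUE, 1)) != 0


def live_snapshot() -> Snapshot:
    """Read the same values from the local machine (Windows only, via winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live_snapshot() needs the Windows registry")
    import winreg
    snap: Snapshot = {}
    for key, name in VM_PROBES + [UAC_VALUE]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                snap[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            pass  # value absent on this host; vm_artifacts() treats it as empty
    return snap


# Constructed snapshots for illustration (not real sandbox data).
VBOX_GUEST: Snapshot = {
    (BIOS_KEY, "SystemBiosVersion"): ["VBOX   - 1"],
    (BIOS_KEY, "VideoBiosVersion"): ["Oracle VM VirtualBox Version 6.1.32"],
    (DISK_KEY, "0"): r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1234abcd&0&0.0.0",
    UAC_VALUE: 1,
}
BARE_METAL: Snapshot = {
    (BIOS_KEY, "SystemBiosVersion"): ["DELL   - 1072009", "1.18.0"],
    (BIOS_KEY, "VideoBiosVersion"): ["Intel Video BIOS"],
    (DISK_KEY, "0"): r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\4&1f2e3d4c&0&000000",
    UAC_VALUE: 0,
}

if __name__ == "__main__":
    for label, snap in (("VirtualBox guest", VBOX_GUEST), ("bare metal", BARE_METAL)):
        print(label, "| UAC on:", uac_enabled(snap), "| VM markers:", vm_artifacts(snap))
```

Run it on a sandbox VM with `vm_artifacts(live_snapshot())`: every hit is a value the guest should be patched to return a vendor-neutral string for, since the sample reads all three before it decides whether to inject and persist. Note that the sample reads `ControlSet001` directly rather than `CurrentControlSet`, so a fix applied only to the symbolic link would not be enough.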
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    description | pid | process | target process
    PID 5032 set thread context of 616 | 5032 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 4356, launched by the injected process PID 616; the full command line in the process tree below registers a task named "SCSI Subsystem" from a task XML written to the user's Temp directory)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe, b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    pid | process
    5032 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe (x2)
    616 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe (x3)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    pid | process
    616 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe, b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    description | pid | process
    Token: SeDebugPrivilege | 5032 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    Token: SeDebugPrivilege | 616 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe, b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    description | pid | process | target process
    PID 5032 wrote to memory of 1840 (x3) | 5032 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    PID 5032 wrote to memory of 616 (x8) | 5032 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe
    PID 616 wrote to memory of 4356 (x3) | 616 | b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe | schtasks.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe (PID 5032)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe (PID 1840; received memory writes from 5032 but no SetThreadContext, and triggered no signatures)
    Command line: "{path}"
  - [2] C:\Users\Admin\AppData\Local\Temp\b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe (PID 616; received memory writes and SetThreadContext from 5032, i.e. the injected copy that runs the payload)
    Command line: "{path}"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 4356)
      Command line: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6B48.tmp"
      - Creates scheduled task(s)
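The tree above is the classic NanoCore execution chain: the dropper spawns a suspended copy of itself (command line shown as "{path}"), writes the payload into it and redirects its main thread with SetThreadContext, and the injected copy then persists via schtasks with a task XML staged in the user's Temp directory. The detection below is an added example, not code from the sandbox report or from the NanoCore sample. It runs over a constructed, simplified event list (a made-up telemetry shape, not Sysmon's or the sandbox's schema) that mirrors the PIDs and command lines in this report, and it deliberately requires both a memory write and a thread-context change on a same-image child, so the first child (PID 1840, writes only) is not flagged while PID 616 is.

```python
"""Detect self-hollowing followed by schtasks persistence from %TEMP%.
Added example, not part of the sandbox report or of the NanoCore sample."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Dict[str, object]

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b416ec47e06a2d93ed3dd5d08c5f357dd9a2a58b220d405f4b48366f83fd4ad4.exe"

# Constructed events (simplified shape) mirroring the PIDs and command lines in this report.
EVENTS: List[Event] = [
    {"type": "ProcessCreate", "pid": 5032, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "ProcessCreate", "pid": 1840, "ppid": 5032, "image": SAMPLE, "cmdline": '"{path}"'},
    {"type": "WriteProcessMemory", "pid": 5032, "target": 1840},
    {"type": "ProcessCreate", "pid": 616, "ppid": 5032, "image": SAMPLE, "cmdline": '"{path}"'},
    {"type": "WriteProcessMemory", "pid": 5032, "target": 616},
    {"type": "SetThreadContext", "pid": 5032, "target": 616},
    {"type": "ProcessCreate", "pid": 4356, "ppid": 616, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp6B48.tmp"'},
]

INJECT_APIS = {"WriteProcessMemory", "SetThreadContext"}
TASK_RE = re.compile(r'/tn\s+"([^"]+)".*?/xml\s+"([^"]+)"', re.IGNORECASE)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)


def _processes(events: List[Event]) -> Dict[int, Event]:
    return {int(e["pid"]): e for e in events if e["type"] == "ProcessCreate"}


def find_self_hollowing(events: List[Event]) -> List[Tuple[int, int]]:
    """(parent, child) pairs where the parent both wrote memory into and set
    the thread context of its own child running the same image. A write
    alone (PID 1840 in this report) does not qualify."""
    procs = _processes(events)
    touched = defaultdict(set)  # (actor pid, target pid) -> set of injection APIs used
    for e in events:
        if e["type"] in INJECT_APIS:
            touched[(int(e["pid"]), int(e["target"]))].add(e["type"])
    hits = []
    for (parent, child), apis in touched.items():
        p, c = procs.get(parent), procs.get(child)
        if not p or not c or int(c["ppid"]) != parent:
            continue
        if apis == INJECT_APIS and str(p["image"]).lower() == str(c["image"]).lower():
            hits.append((parent, child))
    return sorted(hits)


def find_schtasks_from_temp(events: List[Event]) -> List[Tuple[int, str, str]]:
    """(pid, task name, xml path) for schtasks /create whose task XML lives
    under a user's AppData\\Local\\Temp, as in the command line above."""
    out = []
    for e in events:
        if e["type"] != "ProcessCreate" or not str(e["image"]).lower().endswith("\\schtasks.exe"):
            continue
        cmd = str(e["cmdline"])
        m = TASK_RE.search(cmd)
        if "/create" in cmd.lower() and m and TEMP_RE.search(m.group(2)):
            out.append((int(e["pid"]), m.group(1), m.group(2)))
    return out


def hollowing_persistence_chain(events: List[Event]) -> List[Dict[str, object]]:
    """High-confidence alert: the hollowed child itself launches the temp-XML schtasks."""
    procs = _processes(events)
    hollowed = {child for _, child in find_self_hollowing(events)}
    alerts = []
    for pid, task, xml in find_schtasks_from_temp(events):
        parent = int(procs[pid]["ppid"])
        if parent in hollowed:
            alerts.append({"hollowed_pid": parent, "schtasks_pid": pid, "task": task, "xml": xml})
    return alerts


if __name__ == "__main__":
    print("self-hollowing:", find_self_hollowing(EVENTS))
    print("schtasks from temp:", find_schtasks_from_temp(EVENTS))
    print("chain alerts:", hollowing_persistence_chain(EVENTS))
```

The same-image check is what separates this from legitimate debuggers and installers that call WriteProcessMemory; the schtasks rule on its own is noisier (software installers also register tasks from XML), which is why the chain function only alerts when the task is created by a process that was itself hollowed. On a live host, the task name "SCSI Subsystem" and the staged XML's hash from the Downloads section below are the quickest triage checks.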
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6B48.tmp (the task XML passed to schtasks /xml in the process tree)
  Filesize: 1KB
  MD5: 9849a537b20c6bea4ec0d4abae90763a
  SHA1: 5b22ceac8e1863340234917cc792cec5422f98c5
  SHA256: 3a7e630a837a74bd73084fb3b4eab049f253915076d9922fe2aec0c6a75d39b2
  SHA512: f85607e77b13433bd6f5b680ad4edac096166b5d130ba00197558af188eec06da5bc2777add6fd9db5c7e2afbfa4b01d6517832f65e50aef0eb395f3bd70a534
- memory/616-132-0x0000000000000000-mapping.dmp
- memory/616-133-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/616-134-0x00000000749D0000-0x0000000074F81000-memory.dmp
  Filesize: 5.7MB
- memory/1840-131-0x0000000000000000-mapping.dmp
- memory/4356-135-0x0000000000000000-mapping.dmp
- memory/5032-130-0x00000000749D0000-0x0000000074F81000-memory.dmp
  Filesize: 5.7MB