General

Target: DOC20200602FACEMASK.exe
Filesize: 1MB
Completed: 21-05-2022 18:43
Task: behavioral1
Score: 10/10
MD5: 3fca62fe4fdde607ad0a4ebcfeffe3ce
SHA1: 6374aaa5263ab37bbd59939febd9e94f2f5c1b0a
SHA256: ca05f7a026f3e7fe6cdb73437a37629a528a7a62564c4a1866bc00442a2f2750
SHA512: c5dcbcb222453829c451aacc2ff0d32cb2d43f29aaeef7ce471e286dad8d196cc2f15cf2b9c119418aedb8494357e312de5b5a1e95c4f02ec856521f606bb578

Malware Config

Extracted

Family: nanocore
Version: 1.2.2.0
C2: 185.19.85.186:40510

Attributes
activate_away_mode: true
backup_connection_host: 185.19.85.186
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-03-14T02:56:31.129410036Z
bypass_user_account_control: false
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 40510
default_group: JUNE
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 413937f8-0b4a-417f-a2dd-7581a42c5078
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 185.19.85.186
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures 13

Defense Evasion
Persistence
  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Drops startup file
    DOC20200602FACEMASK.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\logman.url | DOC20200602FACEMASK.exe
  • Adds Run key to start application
    MSBuild.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe" | MSBuild.exe
  • Suspicious use of SetThreadContext
    DOC20200602FACEMASK.exe

    Reported IOCs

    description | pid | process | target process
    PID 1080 set thread context of 2020 | 1080 | DOC20200602FACEMASK.exe | MSBuild.exe
  • Drops file in Program Files directory
    MSBuild.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Program Files (x86)\ARP Service\arpsvc.exe | MSBuild.exe
    File opened for modification | C:\Program Files (x86)\ARP Service\arpsvc.exe | MSBuild.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    936 | 1080 | WerFault.exe | DOC20200602FACEMASK.exe
  • Creates scheduled task(s)
    schtasks.exe, schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1728 | schtasks.exe
    1636 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    MSBuild.exe

    Reported IOCs

    pid | process
    2020 | MSBuild.exe
    2020 | MSBuild.exe
  • Suspicious behavior: GetForegroundWindowSpam
    MSBuild.exe

    Reported IOCs

    pid | process
    2020 | MSBuild.exe
  • Suspicious use of AdjustPrivilegeToken
    MSBuild.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2020 | MSBuild.exe
  • Suspicious use of FindShellTrayWindow
    DOC20200602FACEMASK.exe

    Reported IOCs

    pid | process
    1080 | DOC20200602FACEMASK.exe
    1080 | DOC20200602FACEMASK.exe
    1080 | DOC20200602FACEMASK.exe
  • Suspicious use of SendNotifyMessage
    DOC20200602FACEMASK.exe

    Reported IOCs

    pid | process
    1080 | DOC20200602FACEMASK.exe
    1080 | DOC20200602FACEMASK.exe
    1080 | DOC20200602FACEMASK.exe
  • Suspicious use of WriteProcessMemory
    DOC20200602FACEMASK.exe, MSBuild.exe

    Reported IOCs

    description | pid | process | target process
    PID 1080 wrote to memory of 2020 | 1080 | DOC20200602FACEMASK.exe | MSBuild.exe
    PID 1080 wrote to memory of 2020 | 1080 | DOC20200602FACEMASK.exe | MSBuild.exe
    PID 1080 wrote to memory of 2020 | 1080 | DOC20200602FACEMASK.exe | MSBuild.exe
    PID 1080 wrote to memory of 2020 | 1080 | DOC20200602FACEMASK.exe | MSBuild.exe
    PID 1080 wrote to memory of 2020 | 1080 | DOC20200602FACEMASK.exe | MSBuild.exe
    PID 1080 wrote to memory of 2020 | 1080 | DOC20200602FACEMASK.exe | MSBuild.exe
    PID 1080 wrote to memory of 936 | 1080 | DOC20200602FACEMASK.exe | WerFault.exe
    PID 1080 wrote to memory of 936 | 1080 | DOC20200602FACEMASK.exe | WerFault.exe
    PID 1080 wrote to memory of 936 | 1080 | DOC20200602FACEMASK.exe | WerFault.exe
    PID 1080 wrote to memory of 936 | 1080 | DOC20200602FACEMASK.exe | WerFault.exe
    PID 2020 wrote to memory of 1728 | 2020 | MSBuild.exe | schtasks.exe
    PID 2020 wrote to memory of 1728 | 2020 | MSBuild.exe | schtasks.exe
    PID 2020 wrote to memory of 1728 | 2020 | MSBuild.exe | schtasks.exe
    PID 2020 wrote to memory of 1728 | 2020 | MSBuild.exe | schtasks.exe
    PID 2020 wrote to memory of 1636 | 2020 | MSBuild.exe | schtasks.exe
    PID 2020 wrote to memory of 1636 | 2020 | MSBuild.exe | schtasks.exe
    PID 2020 wrote to memory of 1636 | 2020 | MSBuild.exe | schtasks.exe
    PID 2020 wrote to memory of 1636 | 2020 | MSBuild.exe | schtasks.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\DOC20200602FACEMASK.exe
    "C:\Users\Admin\AppData\Local\Temp\DOC20200602FACEMASK.exe"
    Drops startup file
    Suspicious use of SetThreadContext
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE82E.tmp"
        Creates scheduled task(s)
        PID:1728
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "ARP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp"
        Creates scheduled task(s)
        PID:1636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 316
      Program crash
      PID:936
Network
MITRE ATT&CK Matrix
  Collection
  Command and Control
  Credential Access
  Defense Evasion
  Discovery
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmpE82E.tmp
    MD5: ae766004c0d8792953bafffe8f6a2e3b
    SHA1: 14b12f27543a401e2fe0af8052e116cab0032426
    SHA256: 1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540
    SHA512: e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

  • C:\Users\Admin\AppData\Local\Temp\tmpEADD.tmp
    MD5: 1badb6e2b29a1c4bfff3c179d53ab96b
    SHA1: 4b2ad3e5f3826d252d1c8bf1c8f0702f39129fa1
    SHA256: 6259ac4e6859a1b528d77ccea12b378f7dfa1eff359d9b8899414b4b1c484699
    SHA512: 36338e2a74fd85c5f2c84be009981a7260692c1bcb121a42018209031082da69bf65640702d53e28b54871f9d44e65fdbebaf4771c530699c3e93981b58129b4

  • memory/936-65-0x0000000000000000-mapping.dmp
  • memory/1080-67-0x0000000001290000-0x00000000012F6000-memory.dmp
  • memory/1080-66-0x0000000000E20000-0x0000000000E86000-memory.dmp
  • memory/1080-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
  • memory/1636-72-0x0000000000000000-mapping.dmp
  • memory/1728-70-0x0000000000000000-mapping.dmp
  • memory/2020-64-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/2020-57-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/2020-69-0x0000000074420000-0x00000000749CB000-memory.dmp
  • memory/2020-55-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/2020-63-0x0000000000400000-0x0000000000438000-memory.dmp
  • memory/2020-62-0x000000000041E792-mapping.dmp