Analysis

max time kernel: 298s
max time network: 305s
platform: windows7_x64
resource: win7-20220414-en
submitted: 15-06-2022 15:55

Static task: static1
Behavioral task: behavioral1
Sample: isTnGiOeSX_XXXX.js
Resource: win7-20220414-en

General

Target: isTnGiOeSX_XXXX.js
Size: 389KB
MD5: 8f4664bec3329e9ce947e1138472cf09
SHA1: 35a1fcf0da18270f4af8f88ab0945aa78a587574
SHA256: 21984b3ae373371e2e0129bfd547de71ac5019895028e78df74d57cb536e9d1b
SHA512: 72fecca2b119cad3745e6bcdec020db68b3205f33319b3af34e2d912faa8182df87ccc81cc545ea75b08e441166d6b729d5f1242641e90b7bba74f577077bb25
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: blessed147.ddns.net:8472
Mutex: 22d901d8-50a6-449d-9d3e-91609abcd463

activate_away_mode: true
backup_connection_host: blessed147.ddns.net
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-03-27T01:15:20.674706936Z
bypass_user_account_control: true
bypass_user_account_control_data: (empty)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8472
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760, i.e. 10 MiB; the extractor prints large integers in float notation)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: 22d901d8-50a6-449d-9d3e-91609abcd463
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: (empty; only the backup host is set, so blessed147.ddns.net:8472 is the sole C2)
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false (the DNS server entries above are therefore not in use)
version: 1.2.2.0
wan_timeout: 8000
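To turn a config dump in this layout into something an analyst can pivot on, here is an added Python example (not part of the sandbox report and not NanoCore tooling). It parses a constructed excerpt that mirrors the page's key/value layout, including the "-" bullets, the two settings that have no value line, and the float-formatted integers, then derives the C2 list, mutex and the flags that matter for containment. KNOWN_KEYS is the key list shown on this page; RISKY_FLAGS is this example's own selection.

```python
"""Parse a NanoCore config dump in the layout this report uses (a key line,
then its value line, or no value line when the setting is empty) and derive
the indicators worth pivoting on.

Added example, not the sandbox's or NanoCore's own code. KNOWN_KEYS is the
key list shown on this page; RISKY_FLAGS is this example's own selection."""
import re
from typing import Any, Dict, List

# Constructed excerpt mirroring the report's layout, including the "-" bullets
# and the two settings that have no value line.
CONFIG_TEXT = """
-
activate_away_mode
true
-
backup_connection_host
blessed147.ddns.net
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
connection_port
8472
-
gc_threshold
1.048576e+07
-
mutex
22d901d8-50a6-449d-9d3e-91609abcd463
- primary_connection_host
-
primary_dns_server
8.8.8.8
-
set_critical_process
true
-
use_custom_dns_server
false
-
version
1.2.2.0
"""

KNOWN_KEYS = {
    "activate_away_mode", "backup_connection_host", "backup_dns_server", "buffer_size",
    "build_time", "bypass_user_account_control", "bypass_user_account_control_data",
    "clear_access_control", "clear_zone_identifier", "connect_delay", "connection_port",
    "default_group", "enable_debug_mode", "gc_threshold", "keep_alive_timeout",
    "keyboard_logging", "lan_timeout", "max_packet_size", "mutex", "mutex_timeout",
    "prevent_system_sleep", "primary_connection_host", "primary_dns_server",
    "request_elevation", "restart_delay", "run_delay", "run_on_startup",
    "set_critical_process", "timeout_interval", "use_custom_dns_server", "version",
    "wan_timeout",
}

# Settings that change how you contain the implant (this example's own choice).
RISKY_FLAGS = ("bypass_user_account_control", "request_elevation", "set_critical_process",
               "clear_access_control", "keyboard_logging", "run_on_startup")


def _typed(raw: str) -> Any:
    """Coerce a value line: booleans, integers, and the extractor's float-formatted
    integers (1.048576e+07 is 10485760); everything else stays a string."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if re.fullmatch(r"-?\d+(?:\.\d+)?[eE][+-]?\d+", raw):
        f = float(raw)
        return int(f) if f.is_integer() else f
    return raw


def parse_config(text: str) -> Dict[str, Any]:
    lines = [re.sub(r"^-\s*", "", ln.strip()) for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]  # drop blanks and bare "-" bullets
    cfg: Dict[str, Any] = {}
    i = 0
    while i < len(lines):
        key = lines[i]
        if key not in KNOWN_KEYS:
            raise ValueError(f"expected a config key, got {key!r}")
        nxt = lines[i + 1] if i + 1 < len(lines) else None
        if nxt is None or nxt in KNOWN_KEYS:
            cfg[key] = ""  # empty setting: the next line is already the next key
            i += 1
        else:
            cfg[key] = _typed(nxt)
            i += 2
    return cfg


def indicators(cfg: Dict[str, Any]) -> Dict[str, Any]:
    port = cfg.get("connection_port")
    hosts = [cfg.get("primary_connection_host", ""), cfg.get("backup_connection_host", "")]
    return {
        "c2": [f"{h}:{port}" for h in hosts if h],  # primary is empty here; only the backup host is set
        "mutex": cfg.get("mutex", ""),
        "custom_dns_active": cfg.get("use_custom_dns_server") is True,
        "risky_flags": [k for k in RISKY_FLAGS if cfg.get(k) is True],
    }


if __name__ == "__main__":
    parsed = parse_config(CONFIG_TEXT)
    for k, v in parsed.items():
        print(f"{k:35} {v!r}")
    print(indicators(parsed))
```

The parser treats a key immediately followed by another known key as an empty setting, which is how primary_connection_host and bypass_user_account_control_data appear above. set_critical_process showing up in risky_flags is the one to act on before killing the process: a process marked critical takes the host down with it when terminated, so isolate the machine and collect memory first.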
Signatures

suricata: ET MALWARE Possible NanoCore C2 60B (fired twice)

Blocklisted process makes network request (30 IoCs)
  wscript.exe (PID 1740) on flows 6, 7, 8, 10, 11, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25, 27, 28, 29, 31, 32, 33, 35, 36, 37, 39, 40, 41, 43, 44, 45

Executes dropped EXE (1 IoC)
  XXXX.exe (PID 1968)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NikEQVikEy.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NikEQVikEy.js (wscript.exe)

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\NikEQVikEy.js\"" (wscript.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service = "C:\\Program Files (x86)\\DSL Service\\dslsvc.exe" (XXXX.exe)
  Key created: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (XXXX.exe)

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\DSL Service\dslsvc.exe (XXXX.exe)
  File opened for modification: C:\Program Files (x86)\DSL Service\dslsvc.exe (XXXX.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  XXXX.exe (PID 1968), three occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  XXXX.exe (PID 1968)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, XXXX.exe (PID 1968)

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1932 (wscript.exe) wrote to memory of PID 1740 (wscript.exe), three times
  PID 1932 (wscript.exe) wrote to memory of PID 1968 (XXXX.exe), four times
Processes

C:\Windows\system32\wscript.exe (PID 1932), depth 1
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\isTnGiOeSX_XXXX.js
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe (PID 1740), depth 2, child of 1932
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NikEQVikEy.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\XXXX.exe (PID 1968), depth 2, child of 1932
    Command line: "C:\Users\Admin\AppData\Local\Temp\XXXX.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
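The Signatures and Processes sections above describe a chain that host telemetry can catch without any hash: the original script drops NikEQVikEy.js into AppData\Roaming and relaunches it under wscript.exe with //B (batch mode, which suppresses script error dialogs), copies it to the Startup folder, writes an HKCU Run value pointing at it, and starts XXXX.exe from Temp, which in turn writes an HKLM Run value. The following added Python example (not part of the sandbox report) expresses those behaviours as rules and runs them over constructed Sysmon-style event records whose values mirror the report's IoCs; the final record is a benign installer writing a Run key from Program Files and must not alert. The rules are generic (any script host, any user-writable directory), not tied to this sample's names.

```python
r"""Detection logic for the execution and persistence chain recorded in the
Signatures and Processes sections: wscript.exe relaunching a dropped .js from
AppData\Roaming in batch mode (//B), a Startup-folder script drop, a dropped
EXE started from Temp, and Run keys that point at user-writable paths or are
written by a process running from Temp.

Added example, not part of the sandbox report. EVENTS are constructed,
Sysmon-style records whose values mirror the report's IoCs; the last one is a
benign control that must not alert."""
import re
from typing import Any, Dict, List

EVENTS: List[Dict[str, Any]] = [
    {"event": "process_create", "pid": 1740, "ppid": 1932,
     "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NikEQVikEy.js"'},
    {"event": "process_create", "pid": 1968, "ppid": 1932,
     "image": r"C:\Users\Admin\AppData\Local\Temp\XXXX.exe", "parent_image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\XXXX.exe"'},
    {"event": "file_create", "pid": 1740, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NikEQVikEy.js"},
    {"event": "registry_set", "pid": 1740, "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKU\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ",
     "value": r'"C:\Users\Admin\AppData\Roaming\NikEQVikEy.js"'},
    {"event": "registry_set", "pid": 1968, "image": r"C:\Users\Admin\AppData\Local\Temp\XXXX.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Service",
     "value": r"C:\Program Files (x86)\DSL Service\dslsvc.exe"},
    # Benign control (constructed): an installer in Program Files registering its own updater.
    {"event": "registry_set", "pid": 4242, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r'"C:\Program Files\Vendor\updater.exe"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = r"\.(?:js|jse|vbs|vbe|wsf|wsh|hta)\b"
USER_WRITABLE = r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\"
TEMP_DIR = r"\\AppData\\Local\\Temp\\"
RUN_KEY = r"\\CurrentVersion\\Run\\"
STARTUP_DIR = r"\\Start Menu\\Programs\\Startup\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: Dict[str, Any]) -> List[str]:
    """Return the names of every rule the event matches (empty list means no alert)."""
    hits: List[str] = []
    image = ev.get("image", "")
    if ev["event"] == "process_create":
        cmd = ev.get("cmdline", "")
        if _basename(image) in SCRIPT_HOSTS and re.search(USER_WRITABLE + r".*" + SCRIPT_EXT, cmd, re.I):
            hits.append("script_host_runs_script_from_user_writable_dir")
            if re.search(r"(?:^|\s)//B\b", cmd, re.I):  # //B: batch mode, hides script errors from the user
                hits.append("script_host_batch_mode")
        if _basename(ev.get("parent_image", "")) in SCRIPT_HOSTS and re.search(TEMP_DIR, image, re.I):
            hits.append("script_host_spawned_exe_from_temp")
    elif ev["event"] == "file_create":
        if re.search(STARTUP_DIR + r"[^\\]+" + SCRIPT_EXT, ev.get("target", ""), re.I):
            hits.append("startup_folder_script_drop")
    elif ev["event"] == "registry_set":
        key, value = ev.get("key", ""), ev.get("value", "")
        if re.search(RUN_KEY, key, re.I):
            if re.search(USER_WRITABLE, value, re.I) or re.search(SCRIPT_EXT, value, re.I):
                hits.append("run_key_points_to_user_writable_path_or_script")
            if re.search(TEMP_DIR, image, re.I):  # the writer itself runs from Temp (the dslsvc.exe case)
                hits.append("run_key_written_by_process_in_temp")
    return hits


def scan(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    alerts = []
    for ev in events:
        rules = evaluate(ev)
        if rules:
            alerts.append({"pid": ev.get("pid"), "image": ev.get("image"), "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

The "DSL Service" Run value points into Program Files (x86), so a rule that only looks at the target path misses it; the writer's own image path in Temp is what gives it away, which is why the registry rule checks both. The HKCU value and the Startup-folder copy are two independent persistence paths for the same script, so remediation has to remove both plus the Roaming copy they reference.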
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\XXXX.exe (listed twice in the report, identical hashes)
  Filesize: 202KB
  MD5: a70fbdedac1fff6a9c3071d020e2fd80
  SHA1: 504d3ed5f0eb7b712b7a05b1e3e4d454d55b0e82
  SHA256: a6522df2cfafd30431c698c266df59750ffb5816c81f4a9d729a873eed5b498f
  SHA512: 4f783251044b32ce629df9e390b3a03f218bb34c4d1ce7f474be2de7fafc9384b11141140212978092f20aba96ccfebf2f3dc92197cd5b9c428e65d5220492b6

C:\Users\Admin\AppData\Roaming\NikEQVikEy.js
  Filesize: 9KB
  MD5: b04b696ee7ec70e557f9debac8421068
  SHA1: eaf89f53d36ed21b9c254366b753e11f237f607f
  SHA256: 438a2dbc38fece0757f74de646ee5d63df53b66af4b93198c5719d9e674c61cc
  SHA512: 5e65254e058648de76d796e94782dec2f077a87eb791400ce071c7ca4a72094c21d7b0e07820743a0efa5021f0abf4724bbd8c65da3401c2f881cbe1c6414f57

Memory dumps
  memory/1740-55-0x0000000000000000-mapping.dmp
  memory/1932-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp (Filesize: 8KB)
  memory/1968-57-0x0000000000000000-mapping.dmp
  memory/1968-61-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
  memory/1968-62-0x00000000740E0000-0x000000007468B000-memory.dmp (Filesize: 5.7MB)
  memory/1968-63-0x00000000740E0000-0x000000007468B000-memory.dmp (Filesize: 5.7MB)