Analysis
- max time kernel: 94s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 02-07-2022 05:37
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Trojan.Olock.1.12577.exe
  - Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.Trojan.Olock.1.12577.exe
- Size: 619KB
- MD5: f335a0ae9553c9acbee866d8990ee9e1
- SHA1: ce0a21956e2c565e2e332a10f9c2b3346f8cf9b4
- SHA256: 21281c48dd7beeb19d22aef27f4d77f79c550fc32acc69d4c3b91966cc8a048b
- SHA512: 61148e48009d7c3e9d9c3b061008a916020c613b4a6c753140257c5f30f5e5869ab1523818d535d56e5836b3d7f4c52d11970ec0ecb7ca6a67a9adb53ef14a8d
Malware Config
Extracted
- family: nanocore
- version: 1.2.2.0
- C2: config.linkpc.net:3425
- e5ec3588-c148-476e-a8f8-2e9038dcba4d (the same GUID is used as the mutex below)
Config fields
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: (empty)
- buffer_size: 65535
- build_time: 2022-04-01T12:01:12.053123736Z
- bypass_user_account_control: false
- bypass_user_account_control_data: (value not reproduced on this page)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3425
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760 (10 MiB; rendered by the extractor as 1.048576e+07)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760 (10 MiB; rendered by the extractor as 1.048576e+07)
- mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: config.linkpc.net
- primary_dns_server: config.linkpc.net
- request_elevation: true
- restart_delay: 5000
- run_delay: 15
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
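The config above is the part of this report worth automating: the same key/value layout comes out of every NanoCore extraction, and an analyst wants it as typed data (booleans, integers, a real timestamp) plus a short list of things to hunt for. The following is an added example, not code from the sandbox or from the malware. CONFIG_TEXT is constructed from the fields shown above; the helper names (`coerce`, `parse_config`, `hunting_indicators`) are this example's own, and it assumes nothing about field semantics beyond what the key names state.

```python
"""Parse the NanoCore config shown above into typed values and pull out the
fields an analyst pivots on (C2, mutex, persistence flags).

CONFIG_TEXT is constructed from the key/value pairs in this report; field
semantics beyond what the key names say are not assumed."""
import re
from datetime import datetime

CONFIG_TEXT = """\
activate_away_mode true
backup_connection_host
backup_dns_server
buffer_size 65535
build_time 2022-04-01T12:01:12.053123736Z
bypass_user_account_control false
clear_access_control true
clear_zone_identifier false
connect_delay 4000
connection_port 3425
default_group Default
enable_debug_mode true
gc_threshold 1.048576e+07
keep_alive_timeout 30000
keyboard_logging false
lan_timeout 2500
max_packet_size 1.048576e+07
mutex e5ec3588-c148-476e-a8f8-2e9038dcba4d
mutex_timeout 5000
prevent_system_sleep false
primary_connection_host config.linkpc.net
primary_dns_server config.linkpc.net
request_elevation true
restart_delay 5000
run_delay 15
run_on_startup true
set_critical_process true
timeout_interval 5000
use_custom_dns_server false
version 1.2.2.0
wan_timeout 8000
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ISO_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def coerce(raw: str):
    """Map one textual value to None/bool/int/datetime/str."""
    if raw == "":
        return None                      # empty slot, e.g. no backup host configured
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if re.fullmatch(r"-?\d+(\.\d+)?[eE][+-]?\d+", raw):
        f = float(raw)                   # the sandbox prints big ints as 1.048576e+07
        return int(f) if f.is_integer() else f
    m = ISO_RE.fullmatch(raw)
    if m:                                # keep microseconds; datetime cannot hold nanoseconds
        frac = (m.group(2) or "0")[:6].ljust(6, "0")
        return datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return raw


def parse_config(text: str) -> dict:
    """One 'key value' pair per line; a key with no value is kept as None."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(" ")
        cfg[key] = coerce(value.strip())
    return cfg


def hunting_indicators(cfg: dict) -> dict:
    """Collapse the config into the handful of values worth searching for."""
    hosts = {cfg.get(k) for k in ("primary_connection_host", "backup_connection_host",
                                  "primary_dns_server", "backup_dns_server")}
    hosts.discard(None)
    mutex = cfg.get("mutex")
    return {
        "c2": sorted((h, cfg["connection_port"]) for h in hosts),
        "mutex": mutex,
        "mutex_is_guid": bool(mutex and GUID_RE.match(mutex)),
        "run_on_startup": bool(cfg.get("run_on_startup")),
        "uac_bypass": bool(cfg.get("bypass_user_account_control")),
        "keylogger": bool(cfg.get("keyboard_logging")),
        "critical_process": bool(cfg.get("set_critical_process")),
        "built": cfg.get("build_time"),
        "version": cfg.get("version"),
    }


if __name__ == "__main__":
    for k, v in hunting_indicators(parse_config(CONFIG_TEXT)).items():
        print(f"{k:16} {v}")
```

The float-notation case matters in practice: gc_threshold and max_packet_size are byte counts (10485760, 10 MiB), and a naive `int("1.048576e+07")` raises, so a parser that does not handle it silently loses the field or fails the whole extraction.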
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
- Checks whether UAC is enabled 1 IoCs
  Processes:
  - SecuriteInfo.com.Trojan.Olock.1.12577.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  - PID 1100 (SecuriteInfo.com.Trojan.Olock.1.12577.exe) set thread context of PID 1884 (SecuriteInfo.com.Trojan.Olock.1.12577.exe)
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the extracted config identifies this sample as a NanoCore RAT, and nothing else in the report shows file encryption.)
- Creates scheduled task(s) 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution. (The two IoCs are the two schtasks.exe invocations in the process tree below.)
- Suspicious behavior: EnumeratesProcesses 7 IoCs
  Processes:
  - PID 1100 SecuriteInfo.com.Trojan.Olock.1.12577.exe (2 events)
  - PID 2032 powershell.exe (1 event)
  - PID 1884 SecuriteInfo.com.Trojan.Olock.1.12577.exe (4 events)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes:
  - PID 1884 SecuriteInfo.com.Trojan.Olock.1.12577.exe
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes:
  - PID 1100 SecuriteInfo.com.Trojan.Olock.1.12577.exe: Token SeDebugPrivilege
  - PID 2032 powershell.exe: Token SeDebugPrivilege
  - PID 1884 SecuriteInfo.com.Trojan.Olock.1.12577.exe: Token SeDebugPrivilege
- Suspicious use of WriteProcessMemory 21 IoCs
  Processes (source PID wrote to memory of target PID):
  - PID 1100 SecuriteInfo.com.Trojan.Olock.1.12577.exe -> PID 2032 powershell.exe (4 events)
  - PID 1100 SecuriteInfo.com.Trojan.Olock.1.12577.exe -> PID 1984 schtasks.exe (4 events)
  - PID 1100 SecuriteInfo.com.Trojan.Olock.1.12577.exe -> PID 1884 SecuriteInfo.com.Trojan.Olock.1.12577.exe (9 events)
  - PID 1884 SecuriteInfo.com.Trojan.Olock.1.12577.exe -> PID 536 schtasks.exe (4 events)
  The 1100 -> 1884 writes, together with the SetThreadContext call from 1100 into 1884 and the repeated dumps of 1884's 0x400000-0x438000 image region listed under Downloads, are the pattern of the sample hollowing a second copy of itself. The four writes into each of powershell.exe and schtasks.exe are the normal CreateProcess writes a parent performs into a freshly created child.
Processes (PIDs taken from the signature tables above)
- SecuriteInfo.com.Trojan.Olock.1.12577.exe (PID 1100, level 1)
  path: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12577.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12577.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - powershell.exe (PID 2032, level 2)
    path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jSJiBOvzra.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - schtasks.exe (PID 1984, level 2)
    path: C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jSJiBOvzra" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF13.tmp"
    - Creates scheduled task(s)
  - SecuriteInfo.com.Trojan.Olock.1.12577.exe (PID 1884, level 2)
    path: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12577.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12577.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - schtasks.exe (PID 536, level 3)
      path: C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD5D6.tmp"
      - Creates scheduled task(s)

Notes on the tree: the command lines name System32 but the resolved images are under SysWOW64, which is WoW64 file-system redirection for a 32-bit process (consistent with the 0x400000 image base of PID 1884 under Downloads). The Defender exclusion path (AppData\Roaming\jSJiBOvzra.exe) and the first task name (Updates\jSJiBOvzra) share the same random name; the task XML files (tmpCF13.tmp, tmpD5D6.tmp) are listed under Downloads but their contents are not shown in this report, so what the tasks execute cannot be read from this page.
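The process tree and the signature tables together contain three behaviours a detection engineer would turn into rules: a Defender exclusion added for a path under the user profile, a scheduled task created from an XML file in %TEMP%, and a parent writing into and resetting the thread context of a child running the same image. The following is an added example that runs those rules over the tree above; it is not the sandbox's code. PROCS and API_EVENTS are constructed from this report's process tree and signature tables (the PIDs are the ones the signature tables give); the rule names, the ATT&CK technique IDs used as labels and the helper names are this example's own.

```python
"""Rule-based detection over the process tree and API events reported above.

PROCS and API_EVENTS are constructed from this report's process tree and
signature tables; the rule names, the ATT&CK mappings and the helper names
are this example's own, not the sandbox's."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str       # on-disk path the sandbox resolved (SysWOW64 for 32-bit callers)
    cmdline: str     # command line as passed by the parent


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Olock.1.12577.exe"
PROCS = [
    Proc(1100, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2032, 1100, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
         r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\jSJiBOvzra.exe"'),
    Proc(1984, 1100, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jSJiBOvzra" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpCF13.tmp"'),
    Proc(1884, 1100, SAMPLE, f'"{SAMPLE}"'),
    Proc(536, 1884, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"schtasks.exe" /create /f /tn "DSL Service" '
         r'/xml "C:\Users\Admin\AppData\Local\Temp\tmpD5D6.tmp"'),
]
# (api, source pid, target pid), de-duplicated from the Signatures section
API_EVENTS = {
    ("WriteProcessMemory", 1100, 2032), ("WriteProcessMemory", 1100, 1984),
    ("WriteProcessMemory", 1100, 1884), ("SetThreadContext", 1100, 1884),
    ("WriteProcessMemory", 1884, 536),
}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def root_of(pid: int, procs) -> Proc:
    """Walk ppid links up to the process that started the chain."""
    by_pid = {p.pid: p for p in procs}
    p = by_pid[pid]
    while p.ppid in by_pid:
        p = by_pid[p.ppid]
    return p


def detect(procs, events):
    """Return (technique, pid, detail) tuples for every rule that fires."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        cl = p.cmdline.lower()
        if "powershell" in p.image.lower() and "add-mppreference" in cl and "-exclusionpath" in cl:
            # Defender exclusion for a path under a user profile: T1562.001
            m = re.search(r'-exclusionpath\s+"?([^"]+)"?', p.cmdline, re.I)
            path = m.group(1) if m else ""
            if USER_WRITABLE.search(path):
                findings.append(("T1562.001", p.pid, path))
        if p.image.lower().endswith("\\schtasks.exe") and "/create" in cl:
            # task definition supplied as an XML file dropped in %TEMP%: T1053.005
            m = re.search(r'/xml\s+"?([^"]+)"?', p.cmdline, re.I)
            if m and "\\temp\\" in m.group(1).lower():
                findings.append(("T1053.005", p.pid, m.group(1)))
    for api, src, dst in events:
        # same image relaunched, written to, then thread context replaced: T1055.012
        if (api == "SetThreadContext" and src in by_pid and dst in by_pid
                and by_pid[src].image.lower() == by_pid[dst].image.lower()
                and ("WriteProcessMemory", src, dst) in events):
            findings.append(("T1055.012", dst, f"hollowed by pid {src}"))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for technique, pid, detail in detect(PROCS, API_EVENTS):
        print(f"{technique}  pid {pid:<5} {detail}  (root: pid {root_of(pid, PROCS).pid})")
```

The hollowing rule deliberately requires both a WriteProcessMemory and a SetThreadContext from the same parent into the same child: the parent here also wrote into powershell.exe and schtasks.exe, and writes alone into a new child are what every CreateProcess looks like. Matching on the resolved image path rather than the command line keeps the rule working when the command line says System32 and WoW64 redirects it to SysWOW64.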
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpCF13.tmp
  Filesize: 1KB
  MD5: d697934158fa2f8874bdb6a1277e54aa
  SHA1: 2fa7b13671711e5ec91f725f0b74d6e16cea46ee
  SHA256: 48bbadc12c591a9b1e4c4c788ae9d20ee949c2a5fc208986ada260cd1e890223
  SHA512: fe2b29f0534de60b4dd029a79c58ee657fe65412d0859eb2b1fc0db17658910b94a4ba6247f24429e815e7500d25fdc86b305c81b83d74b089ee938b585230ba
- C:\Users\Admin\AppData\Local\Temp\tmpD5D6.tmp
  Filesize: 1KB
  MD5: a2eae455df5420cb1005fa3c74610f83
  SHA1: e19612b890f43f1757a3fb6ab38276a6d054b920
  SHA256: 7f664882b19cfc9e1e59a1b99b8a433ebbc1b867f167ee1de4ed4bc9fded0bb9
  SHA512: 086e116a75c59209b1b6cbe20b25c86b87e6b04a81c088cea8f5b4fb5708ad55687974d8b408bfaa188979842c91a00cb31166d32cec2d60d3c9ffe79e275bae
Memory dumps (grouped by PID; the region size in parentheses is the file size the sandbox reports)
- memory/536-77-0x0000000000000000-mapping.dmp
- memory/1100-54-0x0000000000D50000-0x0000000000DF0000-memory.dmp (640KB)
- memory/1100-55-0x0000000074B51000-0x0000000074B53000-memory.dmp (8KB)
- memory/1100-56-0x00000000003E0000-0x00000000003F6000-memory.dmp (88KB)
- memory/1100-57-0x0000000000440000-0x000000000044A000-memory.dmp (40KB)
- memory/1100-58-0x0000000004FC0000-0x0000000005032000-memory.dmp (456KB)
- memory/1100-63-0x0000000004CF0000-0x0000000004D2A000-memory.dmp (232KB)
- memory/1884-64-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1884-65-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1884-67-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1884-68-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1884-70-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1884-71-0x000000000041E792-mapping.dmp
- memory/1884-73-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1884-75-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/1884-80-0x00000000004C0000-0x00000000004CA000-memory.dmp (40KB)
- memory/1884-81-0x00000000004D0000-0x00000000004EE000-memory.dmp (120KB)
- memory/1884-82-0x00000000004F0000-0x00000000004FA000-memory.dmp (40KB)
- memory/1884-84-0x00000000005A0000-0x00000000005B2000-memory.dmp (72KB)
- memory/1884-85-0x0000000000630000-0x000000000064A000-memory.dmp (104KB)
- memory/1884-86-0x00000000008A0000-0x00000000008AE000-memory.dmp (56KB)
- memory/1884-87-0x00000000008C0000-0x00000000008D2000-memory.dmp (72KB)
- memory/1884-88-0x0000000000910000-0x000000000091C000-memory.dmp (48KB)
- memory/1884-89-0x0000000000920000-0x000000000092E000-memory.dmp (56KB)
- memory/1884-90-0x0000000000930000-0x0000000000944000-memory.dmp (80KB)
- memory/1884-91-0x0000000000980000-0x0000000000990000-memory.dmp (64KB)
- memory/1884-92-0x00000000009D0000-0x00000000009E4000-memory.dmp (80KB)
- memory/1884-93-0x00000000009E0000-0x00000000009EE000-memory.dmp (56KB)
- memory/1884-94-0x0000000002230000-0x000000000225E000-memory.dmp (184KB)
- memory/1884-95-0x0000000000A00000-0x0000000000A14000-memory.dmp (80KB)
- memory/1984-60-0x0000000000000000-mapping.dmp
- memory/2032-59-0x0000000000000000-mapping.dmp
- memory/2032-78-0x000000006E410000-0x000000006E9BB000-memory.dmp (5.7MB)
- memory/2032-83-0x000000006E410000-0x000000006E9BB000-memory.dmp (5.7MB)
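The dump list encodes three things an analyst checks by hand: whether each stated file size matches its address range, which region of the hollowed child (PID 1884) was dumped repeatedly, and where the mapping dump's address falls relative to that region. The following is an added example that does those checks; it is not the sandbox's code. DUMPS is constructed from a subset of the names and sizes listed above, and reading the mapping address as the point inside the 0x400000 image region that the parent redirected the child's thread to is this example's interpretation of the report, not something the page states.

```python
"""Parse the memory-dump names listed above, check the stated sizes against
the address ranges, and locate the mapping dump inside the regions dumped
for the same pid.

DUMPS is constructed from the file names and sizes in this report (a subset
of the full list). Treating the mapping address as the resumed thread's
entry inside the hollowed image is this example's interpretation."""
import re
from collections import defaultdict

DUMPS = [
    ("memory/536-77-0x0000000000000000-mapping.dmp", None),
    ("memory/1100-54-0x0000000000D50000-0x0000000000DF0000-memory.dmp", "640KB"),
    ("memory/1100-55-0x0000000074B51000-0x0000000074B53000-memory.dmp", "8KB"),
    ("memory/1100-58-0x0000000004FC0000-0x0000000005032000-memory.dmp", "456KB"),
    ("memory/1884-64-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1884-65-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1884-67-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1884-68-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1884-70-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1884-71-0x000000000041E792-mapping.dmp", None),
    ("memory/1884-73-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1884-75-0x0000000000400000-0x0000000000438000-memory.dmp", "224KB"),
    ("memory/1884-94-0x0000000002230000-0x000000000225E000-memory.dmp", "184KB"),
    ("memory/2032-59-0x0000000000000000-mapping.dmp", None),
    ("memory/2032-83-0x000000006E410000-0x000000006E9BB000-memory.dmp", "5.7MB"),
]

NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp")
SIZE_RE = re.compile(r"([\d.]+)(KB|MB)")


def parse_dump(name, size_text):
    """Split one dump name into pid/index/range and verify the stated size."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(name)
    d = {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": m["kind"],
         "start": int(m["start"], 16),
         "end": int(m["end"], 16) if m["end"] else None, "size_ok": None}
    if d["end"] is not None:
        s = SIZE_RE.fullmatch(size_text)
        unit = 1024 if s.group(2) == "KB" else 1024 * 1024
        stated = float(s.group(1)) * unit
        # KB values are printed exactly, MB values to one decimal place
        tol = 0 if unit == 1024 else 0.05 * unit
        d["size_ok"] = abs((d["end"] - d["start"]) - stated) <= tol
    return d


def mapping_evidence(dumps, pid):
    """Count how often each region of `pid` was dumped and place its mapping address."""
    regions = defaultdict(int)
    mapping = None
    for d in dumps:
        if d["pid"] != pid:
            continue
        if d["kind"] == "mapping":
            mapping = d["start"]
        else:
            regions[(d["start"], d["end"])] += 1
    for (s, e), n in regions.items():
        if mapping is not None and s <= mapping < e:
            return {"region": (s, e), "dump_count": n, "rva": mapping - s}
    return None


PARSED = [parse_dump(n, s) for n, s in DUMPS]

if __name__ == "__main__":
    bad = [d for d in PARSED if d["size_ok"] is False]
    print("size mismatches:", bad or "none")
    print("pid 1884:", mapping_evidence(PARSED, 1884))
    print("pid 2032:", mapping_evidence(PARSED, 2032))
```

For PID 1884 the mapping address 0x41E792 lands in the 0x400000-0x438000 region (RVA 0x1E792), the region the sandbox dumped seven times while the parent was writing into it. For powershell.exe and schtasks.exe the mapping address is 0x0 and sits in no dumped region, which is the expected result for children that were merely spawned rather than hollowed.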