Analysis
- max time kernel: 91s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 02-07-2022 07:04

Static task: static1
Behavioral task: behavioral1
Sample: Drawing spec.exe
Resource: win7-20220414-en
General
- Target: Drawing spec.exe
- Size: 555KB
- MD5: 7b4c9b932a1997c653bab35e4d262e92
- SHA1: 7f4c637cfa61159c16309bef4a239470833e5a99
- SHA256: d600a317cb183c413a54410e7f4273aac1d54daa3dbc7a35bb0442ea244c3998
- SHA512: b5e2f370501031908ceba00be8b233a3f7e01f9828a31d48017ba695296293fd6da8f5b67fd3753907458205703aa5c9ccf07198574b887523ec1578cb12a668
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 104.144.69.135:7600
- Mutex: a3a43703-10dc-476d-91c6-82889de4ab85
- activate_away_mode: true
- backup_connection_host: 104.144.69.135
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-04-07T16:58:14.755670936Z
- bypass_user_account_control: false
- bypass_user_account_control_data (base64-encoded Task Scheduler XML): PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 7600
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: a3a43703-10dc-476d-91c6-82889de4ab85
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 104.144.69.135
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Drawing spec.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe"
  process: Drawing spec.exe
- Checks whether UAC is enabled
  Processes: Drawing spec.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Drawing spec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Drawing spec.exe
  description: PID 4900 set thread context of 2112
  process: Drawing spec.exe (pid 4900)
  target process: Drawing spec.exe (pid 2112)
- Drops file in Program Files directory (2 IoCs)
  Processes: Drawing spec.exe
  description: File created
  ioc: C:\Program Files (x86)\WPA Service\wpasv.exe
  process: Drawing spec.exe
  description: File opened for modification
  ioc: C:\Program Files (x86)\WPA Service\wpasv.exe
  process: Drawing spec.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid 2424: schtasks.exe
  pid 3528: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: Drawing spec.exe
  pid 2112: Drawing spec.exe (6 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Drawing spec.exe
  pid 2112: Drawing spec.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Drawing spec.exe
  description: Token: SeDebugPrivilege
  pid 2112: Drawing spec.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: Drawing spec.exe, Drawing spec.exe
  PID 4900 wrote to memory of 2112 (Drawing spec.exe -> Drawing spec.exe): 8 entries
  PID 2112 wrote to memory of 2424 (Drawing spec.exe -> schtasks.exe): 3 entries
  PID 2112 wrote to memory of 3528 (Drawing spec.exe -> schtasks.exe): 3 entries
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Drawing spec.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Drawing spec.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\Drawing spec.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Drawing spec.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp"
      - Creates scheduled task(s)
    - (depth 3) C:\Windows\SysWOW64\schtasks.exe
      command line: "schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9CFC.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9BE2.tmp
  Filesize: 1KB
  MD5: 393e0de8396ba7033a19d6fe3695261e
  SHA1: 2b8ee59d3b0ed06607fbef664a5aabc9bf1a9018
  SHA256: b445ad9d8d1f2d860697efed7bfbbd749a05134a97e2d2a716d1522f8af6fcbb
  SHA512: bb7b8d44949a2a52e7eefce1d7515e446660f7e9fb7f28b09087f45604994ae25a862650540b985dd66306bd77f3f54fe34a05b85a1022eb2c38f60adb3f941f
- C:\Users\Admin\AppData\Local\Temp\tmp9CFC.tmp
  Filesize: 1KB
  MD5: 21de6c3a6440d917bdbb4b491191d9b2
  SHA1: c63c300affe7147910dc4544d2d5f3029bf321a6
  SHA256: 23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4
  SHA512: dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f
- memory/2112-135-0x0000000000000000-mapping.dmp
- memory/2112-136-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/2112-141-0x0000000007410000-0x0000000007476000-memory.dmp
  Filesize: 408KB
- memory/2424-137-0x0000000000000000-mapping.dmp
- memory/3528-139-0x0000000000000000-mapping.dmp
- memory/4900-130-0x0000000000920000-0x00000000009B2000-memory.dmp
  Filesize: 584KB
- memory/4900-131-0x00000000058D0000-0x0000000005E74000-memory.dmp
  Filesize: 5.6MB
- memory/4900-132-0x00000000053C0000-0x0000000005452000-memory.dmp
  Filesize: 584KB
- memory/4900-133-0x0000000005360000-0x000000000536A000-memory.dmp
  Filesize: 40KB
- memory/4900-134-0x0000000007D00000-0x0000000007D9C000-memory.dmp
  Filesize: 624KB