Analysis
- max time kernel: 100s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 04-07-2022 04:34
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
- Size: 731KB
- MD5: 8406fee4968c6482b14de0a3b5689017
- SHA1: 00bf295154b26dd8a0e7a7f5fd63b534b08f43f9
- SHA256: 02558d43b82050ac649bd7eff62a663dd98d141033f6cca56bc99bc811a059b8
- SHA512: a9f0594557054b99bfd3a4d4155d47fceb93ea3f0d2eb05765e98d1cecf0c5a96aaceea2f6745e287b28b7f73f7fd317d2a97c9dbd1e5af3b54c26d72e2ab21c
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: config.linkpc.net:3425
Mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
Attributes:
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server:
- buffer_size: 65535
- build_time: 2022-04-01T12:01:12.053123736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3425
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: config.linkpc.net
- primary_dns_server: config.linkpc.net
- request_elevation: true
- restart_delay: 5000
- run_delay: 15
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
-
suricata: ET MALWARE Possible NanoCore C2 60B
-
Checks whether UAC is enabled 1 IoCs
Processes:
description        ioc                                                                                    process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         pid   process                                       target process
PID 1712 set thread context of 692  1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid   process
1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
2028  powershell.exe
692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
692  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
Token: SeDebugPrivilege  2028  powershell.exe
Token: SeDebugPrivilege  692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description                       pid   process                                       target process
PID 1712 wrote to memory of 2028  1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  powershell.exe
PID 1712 wrote to memory of 2028  1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  powershell.exe
PID 1712 wrote to memory of 2028  1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  powershell.exe
PID 1712 wrote to memory of 2028  1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  powershell.exe
PID 1712 wrote to memory of 964   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
PID 1712 wrote to memory of 964   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
PID 1712 wrote to memory of 964   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
PID 1712 wrote to memory of 964   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 1712 wrote to memory of 692   1712  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
PID 692 wrote to memory of 1552   692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
PID 692 wrote to memory of 1552   692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
PID 692 wrote to memory of 1552   692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
PID 692 wrote to memory of 1552   692   SecuriteInfo.com.W32.AIDetectNet.01.2429.exe  schtasks.exe
Processes
-
Path: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GnthScCuWyio.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
  Path: C:\Windows\SysWOW64\schtasks.exe (level 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GnthScCuWyio" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDBEE.tmp"
  - Creates scheduled task(s)
-
  Path: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe (level 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe"
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
    Path: C:\Windows\SysWOW64\schtasks.exe (level 3)
    Command line: "schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE283.tmp"
    - Creates scheduled task(s)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpDBEE.tmp
Filesize: 1KB
MD5: 31d8b8c5c3afe1d2bb524943edf3ea1d
SHA1: d07eae276b8a353616bcd43e1a1738b83d39c5bc
SHA256: 0343486353da1cfd62ea330ed7542b6144af5a78173e13d81ef24c9bdd776d7c
SHA512: 34038626a3e7eccda423a7430d12b0fe0f9ab1f1ddc089a28f9dcd3f33df04eb09b079cd8eb3404e93f9c5fe8fe62735cf739ad5587de9298ab369feb204cd97
-
C:\Users\Admin\AppData\Local\Temp\tmpE283.tmp
Filesize: 1KB
MD5: d9206fc82124b414f45f47af7d6c759b
SHA1: 24ff5b78a2cd798927fe99751242ef928f6e292b
SHA256: e021d39fd434c89a29be301d2942a7fd3156e4e33c072e55f515ecb099dbbd60
SHA512: c5e74d098cbb97abc1222b8b080d2911966bcd90ed745efcb49cad3996cfa78c8433dde18044cea11be9180af961079b47a5cca6b28d5b4ec23656026080fc4e