Analysis
- max time kernel: 73s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 04:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
- Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
- Size: 731KB
- MD5: 8406fee4968c6482b14de0a3b5689017
- SHA1: 00bf295154b26dd8a0e7a7f5fd63b534b08f43f9
- SHA256: 02558d43b82050ac649bd7eff62a663dd98d141033f6cca56bc99bc811a059b8
- SHA512: a9f0594557054b99bfd3a4d4155d47fceb93ea3f0d2eb05765e98d1cecf0c5a96aaceea2f6745e287b28b7f73f7fd317d2a97c9dbd1e5af3b54c26d72e2ab21c
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: config.linkpc.net:3425
- Mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: (empty)
- buffer_size: 65535
- build_time: 2022-04-01T12:01:12.053123736Z
- bypass_user_account_control: false
- bypass_user_account_control_data (base64; decodes to a Task Scheduler XML document with RunLevel HighestAvailable, no triggers and the command placeholder "#EXECUTABLEPATH"):
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3425
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07 (10485760, i.e. 10 MiB)
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07 (10485760, i.e. 10 MiB)
- mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: config.linkpc.net
- primary_dns_server: config.linkpc.net
- request_elevation: true
- restart_delay: 5000
- run_delay: 15
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
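The bypass_user_account_control_data blob above is worth decoding rather than reading as an opaque string: it is the Task Scheduler XML the RAT carries as a template. The following is an added example (not code from this report or from the NanoCore authors) that decodes the exact value shown above, parses it and lists the properties an analyst should notice. The function names, the review rules and the remark that the placeholder is filled in at runtime are the editor's own; the base64 value is the one from the extracted config.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Value of bypass_user_account_control_data from the extracted config above, copied verbatim.
BYPASS_UAC_DATA_B64 = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def decode_task_xml(b64: str) -> str:
    """Base64-decode the blob and return the task XML as text.

    The decoded bytes are plain ASCII although the XML declaration claims
    encoding="UTF-16"; the declaration is stripped so expat does not reject
    the document for a mismatched encoding.
    """
    padded = b64 + "=" * (-len(b64) % 4)  # the report shows the value without '=' padding
    text = base64.b64decode(padded).decode("ascii")
    return re.sub(r"^<\?xml[^>]*\?>\s*", "", text)


def parse_task(b64: str) -> dict:
    """Extract the fields of the task definition an analyst cares about."""
    root = ET.fromstring(decode_task_xml(b64))
    ns = {"t": TASK_NS}

    def text(path: str) -> Optional[str]:
        node = root.find(path, ns)
        return node.text if node is not None else None

    triggers = root.find("t:Triggers", ns)
    return {
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden"),
        "execution_time_limit": text("t:Settings/t:ExecutionTimeLimit"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "trigger_count": 0 if triggers is None else len(triggers),
    }


def review(info: dict) -> list:
    """Return the reasons (editor's own rules) this task definition deserves attention."""
    reasons = []
    if info["run_level"] == "HighestAvailable":
        reasons.append("RunLevel HighestAvailable: runs with the registering user's full token; "
                       "launching a task never shows a UAC prompt")
    if info["trigger_count"] == 0:
        reasons.append("no triggers: the task only runs on demand (e.g. schtasks /Run)")
    if info["execution_time_limit"] == "PT0S":
        reasons.append("ExecutionTimeLimit PT0S: the scheduler never stops it")
    if info["command"] and "#EXECUTABLEPATH" in info["command"]:
        # Assumption: the placeholder is replaced with the real path before the task is registered.
        reasons.append("Command is the placeholder #EXECUTABLEPATH, presumably filled in at runtime")
    return reasons


if __name__ == "__main__":
    info = parse_task(BYPASS_UAC_DATA_B64)
    for key, value in info.items():
        print(f"{key}: {value}")
    for reason in review(info):
        print("-", reason)
```

The same parser applies to the two 1KB .tmp files passed to schtasks.exe /XML in the process tree, if they are recovered from the sandbox: feed their contents (without base64-decoding) to the parsing step and compare the task name, command and RunLevel with the template.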
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried by SecuriteInfo.com.W32.AIDetectNet.01.2429.exe: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Checks whether UAC is enabled (1 IoC)
  Key value queried by SecuriteInfo.com.W32.AIDetectNet.01.2429.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Suspicious use of SetThreadContext (1 IoC)
  PID 948 (SecuriteInfo.com.W32.AIDetectNet.01.2429.exe) set thread context of PID 2524 (SecuriteInfo.com.W32.AIDetectNet.01.2429.exe). Together with the eight WriteProcessMemory calls from 948 into 2524 and the 224KB region at 0x00400000 in PID 2524 listed under Downloads, this is consistent with the parent hollowing a second copy of its own image.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (Generic signature description; the extracted config identifies this sample as the NanoCore RAT, not ransomware.)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 4964), schtasks.exe (PID 3012)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: SecuriteInfo.com.W32.AIDetectNet.01.2429.exe (PID 948, 2 events), powershell.exe (PID 4012, 2 events), SecuriteInfo.com.W32.AIDetectNet.01.2429.exe (PID 2524, 6 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: SecuriteInfo.com.W32.AIDetectNet.01.2429.exe (PID 2524)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 948 SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
  Token SeDebugPrivilege: PID 4012 powershell.exe
  Token SeDebugPrivilege: PID 2524 SecuriteInfo.com.W32.AIDetectNet.01.2429.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 948 (SecuriteInfo.com.W32.AIDetectNet.01.2429.exe) wrote to memory of PID 4012 (powershell.exe): 3 events
  PID 948 (SecuriteInfo.com.W32.AIDetectNet.01.2429.exe) wrote to memory of PID 4964 (schtasks.exe): 3 events
  PID 948 (SecuriteInfo.com.W32.AIDetectNet.01.2429.exe) wrote to memory of PID 2524 (SecuriteInfo.com.W32.AIDetectNet.01.2429.exe): 8 events
  PID 2524 (SecuriteInfo.com.W32.AIDetectNet.01.2429.exe) wrote to memory of PID 3012 (schtasks.exe): 3 events
  The eight writes into PID 2524, followed by SetThreadContext, are the ones of interest; the writes into the freshly created powershell.exe and schtasks.exe children are what process creation itself produces.
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe (PID 948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4012)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GnthScCuWyio.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\schtasks.exe (PID 4964)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GnthScCuWyio" /XML "C:\Users\Admin\AppData\Local\Temp\tmp342F.tmp"
    - Creates scheduled task(s)
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe (PID 2524)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\schtasks.exe (PID 3012)
      Command line: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp37AA.tmp"
      - Creates scheduled task(s)

The child images resolve under SysWOW64 although the command lines name System32: the sample is a 32-bit process, so WoW64 file system redirection applies. The Defender exclusion and the first scheduled task both refer to GnthScCuWyio.exe under AppData\Roaming, presumably the location the sample copies itself to; no file by that name appears in the Downloads list of this run.
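The process tree above contains three behaviours worth turning into detection logic: a Defender exclusion added for a path under a user-writable directory, a scheduled task registered from an XML file in Temp, and the sample spawning a second instance of its own image. The following is an added example by the editor, not part of this report, that runs such rules over process-creation events reconstructed from the tree above; the event structure, the rule names and the benign schtasks /Query event (constructed for contrast) are the editor's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories an unprivileged user can write to; exclusions and task XML files
# living here are far more suspicious than ones under Program Files or Windows.
USER_WRITABLE = re.compile(r"\\(AppData|Users\\Public|Temp)\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.2429.exe"


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 style, editor's own schema)."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    parent_image: Optional[str] = None


# Events reconstructed from the process tree in this report, plus one constructed
# benign schtasks invocation so the rules can be shown not to fire on ordinary use.
EVENTS = [
    ProcEvent(948, None, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4012, 948, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\GnthScCuWyio.exe"', SAMPLE),
    ProcEvent(4964, 948, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GnthScCuWyio" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp342F.tmp"', SAMPLE),
    ProcEvent(2524, 948, SAMPLE, f'"{SAMPLE}"', SAMPLE),
    ProcEvent(3012, 2524, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "SCSI Subsystem" '
              r'/xml "C:\Users\Admin\AppData\Local\Temp\tmp37AA.tmp"', SAMPLE),
    # Constructed benign event: an admin querying a built-in task from cmd.exe.
    ProcEvent(5000, 4200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
              r"C:\Windows\System32\cmd.exe"),
]


def arg_after(cmdline: str, flag: str) -> Optional[str]:
    """Return the (optionally quoted) argument following a flag, case-insensitively."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Apply the three rules and return (rule, pid, detail) tuples."""
    hits = []
    for e in events:
        image = e.image.lower()
        # Rule 1: Defender exclusion for a path in a user-writable directory.
        if image.endswith("powershell.exe") and re.search(r"add-mppreference", e.cmdline, re.I):
            path = arg_after(e.cmdline, "-ExclusionPath")
            if path and USER_WRITABLE.search(path):
                hits.append(("defender_exclusion_user_writable", e.pid, path))
        # Rule 2: scheduled task created from an XML definition dropped in a user directory.
        if image.endswith("schtasks.exe") and re.search(r"/create\b", e.cmdline, re.I):
            xml = arg_after(e.cmdline, "/xml")
            if xml and USER_WRITABLE.search(xml):
                hits.append(("schtasks_create_from_temp_xml", e.pid,
                             f'{arg_after(e.cmdline, "/tn")} <- {xml}'))
        # Rule 3: a binary in a user directory launching a second copy of itself,
        # the process-creation footprint of the SetThreadContext injection seen above.
        if e.parent_image and e.parent_image.lower() == image and USER_WRITABLE.search(e.image):
            hits.append(("self_spawn_from_user_dir", e.pid, e.image))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Rule 3 on its own is noisy (installers and updaters re-launch themselves routinely); it earns its place as a correlation with the other two rules on the same process lineage, which is how it reads in this tree.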
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Both .tmp files below are the task definitions passed to schtasks.exe /XML in the process tree above.
- C:\Users\Admin\AppData\Local\Temp\tmp342F.tmp (1KB)
  MD5: f987d04f83a919258c4770400884a7a4
  SHA1: 026e194348f393c005f5743c812063e1ce9ae17b
  SHA256: 27b10b03884d407e5fc366cf3bbdd904a6e75fcd6214bba8774e127d80d2fe4e
  SHA512: 40b5ac81372a0bcee7a7bac9c2c92ed63b42b1efe118678e2a7585959f5cb9e98730b0f7bc717c2e785d1c2607c46c41745bdf3ad3fc5fd8297e499dece12d35
- C:\Users\Admin\AppData\Local\Temp\tmp37AA.tmp (1KB)
  MD5: d9206fc82124b414f45f47af7d6c759b
  SHA1: 24ff5b78a2cd798927fe99751242ef928f6e292b
  SHA256: e021d39fd434c89a29be301d2942a7fd3156e4e33c072e55f515ecb099dbbd60
  SHA512: c5e74d098cbb97abc1222b8b080d2911966bcd90ed745efcb49cad3996cfa78c8433dde18044cea11be9180af961079b47a5cca6b28d5b4ec23656026080fc4e
Memory dumps (PID-index-range):
- memory/948-130-0x0000000000E40000-0x0000000000EFC000-memory.dmp (752KB)
- memory/948-131-0x0000000005EF0000-0x0000000006494000-memory.dmp (5.6MB)
- memory/948-132-0x0000000005940000-0x00000000059D2000-memory.dmp (584KB)
- memory/948-133-0x0000000005890000-0x000000000589A000-memory.dmp (40KB)
- memory/948-134-0x0000000009980000-0x0000000009A1C000-memory.dmp (624KB)
- memory/948-135-0x0000000009710000-0x0000000009776000-memory.dmp (408KB)
- memory/2524-141-0x0000000000000000-mapping.dmp
- memory/2524-142-0x0000000000400000-0x0000000000438000-memory.dmp (224KB)
- memory/3012-145-0x0000000000000000-mapping.dmp
- memory/4012-136-0x0000000000000000-mapping.dmp
- memory/4012-138-0x00000000046A0000-0x00000000046D6000-memory.dmp (216KB)
- memory/4012-140-0x0000000004D50000-0x0000000005378000-memory.dmp (6.2MB)
- memory/4012-143-0x00000000054B0000-0x00000000054D2000-memory.dmp (136KB)
- memory/4012-144-0x0000000005550000-0x00000000055B6000-memory.dmp (408KB)
- memory/4012-146-0x0000000005C20000-0x0000000005C3E000-memory.dmp (120KB)
- memory/4012-148-0x00000000061F0000-0x0000000006222000-memory.dmp (200KB)
- memory/4012-149-0x0000000070FC0000-0x000000007100C000-memory.dmp (304KB)
- memory/4012-150-0x00000000061D0000-0x00000000061EE000-memory.dmp (120KB)
- memory/4012-151-0x0000000007570000-0x0000000007BEA000-memory.dmp (6.5MB)
- memory/4012-152-0x0000000006F30000-0x0000000006F4A000-memory.dmp (104KB)
- memory/4012-153-0x0000000006FA0000-0x0000000006FAA000-memory.dmp (40KB)
- memory/4012-154-0x00000000071B0000-0x0000000007246000-memory.dmp (600KB)
- memory/4012-155-0x0000000007160000-0x000000000716E000-memory.dmp (56KB)
- memory/4012-156-0x0000000007270000-0x000000000728A000-memory.dmp (104KB)
- memory/4012-157-0x0000000007250000-0x0000000007258000-memory.dmp (32KB)
- memory/4964-137-0x0000000000000000-mapping.dmp