Analysis
- max time kernel: 91s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 04-07-2022 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: CV.exe
- Resource: win7-20220414-en
General
- Target: CV.exe
- Size: 559KB
- MD5: 3bbf14c6d3a535492bae4c32d890f931
- SHA1: e345246d1f217357f4e351ff68b7967252149795
- SHA256: 10719517c091034e447d93a999e4797a32bdea3c651601ded9560fca01087cab
- SHA512: 90750190857b8632894db2a9b1ec8c144f0397d048a3b0472f1835093831051fcf06e17c5d57e58fcd051d7546c76bed41484ffde9875b5bed7b44a94a32a98a
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: derananocore.ddns.net:1187
- C2: 194.87.84.118:1187
- Mutex: aee28d0a-78bc-4586-8c8c-8f93e292a11b
Attributes
- activate_away_mode: true
- backup_connection_host: 194.87.84.118
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-04-09T10:37:01.806212736Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1187
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: aee28d0a-78bc-4586-8c8c-8f93e292a11b
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: derananocore.ddns.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: CV.exe
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe"
    process: CV.exe
- Checks whether UAC is enabled
  Processes: CV.exe
    description: Key value queried
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
    process: CV.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: CV.exe
    description: PID 2600 set thread context of 3020
    pid: 2600
    process: CV.exe
    target process: CV.exe
- Drops file in Program Files directory (2 IoCs)
  Processes: CV.exe
    description: File created
    ioc: C:\Program Files (x86)\WPA Monitor\wpamon.exe
    process: CV.exe
    description: File opened for modification
    ioc: C:\Program Files (x86)\WPA Monitor\wpamon.exe
    process: CV.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: CV.exe
    pid: 3020
    process: CV.exe
    (6 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: CV.exe
    pid: 3020
    process: CV.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: CV.exe
    description: Token: SeDebugPrivilege
    pid: 3020
    process: CV.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: CV.exe
    description: PID 2600 wrote to memory of 3020
    pid: 2600
    process: CV.exe
    target process: CV.exe
    (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\CV.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CV.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CV.exe (child of the process above)
    command line: "C:\Users\Admin\AppData\Local\Temp\CV.exe"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CV.exe.log
  Filesize: 1KB
  MD5: e08f822522c617a40840c62e4b0fb45e
  SHA1: ae516dca4da5234be6676d3f234c19ec55725be7
  SHA256: bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
  SHA512: 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
- memory/2600-130-0x00000000009D0000-0x0000000000A62000-memory.dmp
  Filesize: 584KB
- memory/2600-131-0x0000000005A80000-0x0000000006024000-memory.dmp
  Filesize: 5.6MB
- memory/2600-132-0x0000000005400000-0x0000000005492000-memory.dmp
  Filesize: 584KB
- memory/2600-133-0x00000000054A0000-0x00000000054AA000-memory.dmp
  Filesize: 40KB
- memory/2600-134-0x0000000008F30000-0x0000000008FCC000-memory.dmp
  Filesize: 624KB
- memory/2600-135-0x0000000009190000-0x00000000091F6000-memory.dmp
  Filesize: 408KB
- memory/3020-136-0x0000000000000000-mapping.dmp
- memory/3020-137-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB