Analysis
- max time kernel: 90s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-07-2022 07:38
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Ursu.713017.24574.exe
- Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.Variant.Ursu.713017.24574.exe
- Size: 693KB
- MD5: 95ab053879eaa507897278d33c02c6e5
- SHA1: 8f4c6617609bd291d44912df0bb6aa7c00327627
- SHA256: 999c19bb669363e626ff41024ebe756e82a200fd874f8099dfbf8776360ccba2
- SHA512: 18c1fa98849a1e4e2ccfb8bf61d5f293883c5a770e90684b5f635eaf71d5a036126be41d5db6739450672b4b504cfb459fd80f9f64455c6f6453aaabdba1b75b
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: config.linkpc.net:3425 (linkpc.net is a dynamic DNS service, so the resolved address can change between sessions; pivot on the hostname, not the IP)
- Mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
Attributes:
- activate_away_mode: true
- backup_connection_host: (empty)
- backup_dns_server: (empty)
- buffer_size: 65535
- build_time: 2022-04-01T12:01:12.053123736Z
- bypass_user_account_control: false
- bypass_user_account_control_data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
  (base64 of a Task Scheduler XML template: no triggers, Principal with LogonType InteractiveToken and RunLevel HighestAvailable, ExecutionTimeLimit PT0S, and an Exec action whose Command is the placeholder "#EXECUTABLEPATH" with argument $(Arg0). It is the task NanoCore registers for its UAC-bypass path; that path is disabled in this build because bypass_user_account_control is false.)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3425
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 10485760
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 10485760
- mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: config.linkpc.net
- primary_dns_server: config.linkpc.net
- request_elevation: true
- restart_delay: 5000
- run_delay: 15
- run_on_startup: true
- set_critical_process: true (the implant marks its process as critical; killing it outright from a responder's tool will bug-check the host, so suspend or isolate before terminating)
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
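To check what the bypass_user_account_control_data blob actually specifies, rather than trusting a summary, here is an added Python example (not part of the sandbox report or of any NanoCore tooling). It base64-decodes the value copied verbatim from the config above, drops the XML declaration (the decoded bytes are plain 8-bit text although the declaration claims UTF-16, and ElementTree rejects that mismatch), and extracts the fields that matter when judging an elevation attempt. The Task Scheduler namespace URI is the one visible in the decoded XML; the UTF-16 BOM branch is defensive and is not exercised by this sample.

```python
import base64
import re
import xml.etree.ElementTree as ET

# bypass_user_account_control_data from the extracted config above, copied verbatim.
TASK_BLOB = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+"

# Default namespace of the decoded <Task> element (Task Scheduler 1.2 schema).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def decode_task_xml(blob: str) -> str:
    """Base64-decode the blob and return the task XML without its declaration.

    The bytes are plain 8-bit text even though the declaration says
    encoding="UTF-16"; parsing it with that declaration fails, so it is removed.
    A real UTF-16 BOM (not present in this sample) is handled as a precaution.
    """
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate lost padding
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1).strip()


def summarize_task(blob: str) -> dict:
    """Pull out the fields that decide what registering this task would do."""
    root = ET.fromstring(decode_task_xml(blob))

    def field(path: str):
        node = root.find(path, TASK_NS)
        return node.text if node is not None else None

    triggers = root.find("t:Triggers", TASK_NS)
    run_level = field(".//t:Principal/t:RunLevel")
    return {
        "run_level": run_level,
        "logon_type": field(".//t:Principal/t:LogonType"),
        "command": field(".//t:Exec/t:Command"),
        "arguments": field(".//t:Exec/t:Arguments"),
        "hidden": field("t:Settings/t:Hidden"),
        "execution_time_limit": field("t:Settings/t:ExecutionTimeLimit"),
        "trigger_count": 0 if triggers is None else len(triggers),
        # HighestAvailable asks for the full (elevated) token of an administrator
        # account; with no triggers this is a task meant to be started on demand,
        # not a scheduled job.
        "requests_elevation": run_level == "HighestAvailable",
    }


if __name__ == "__main__":
    for key, value in summarize_task(TASK_BLOB).items():
        print(f"{key}: {value}")
```

The same routine can be pointed at the tmp*.tmp files a schtasks /Create /XML call consumes (their contents are not included in this report) to confirm whether a dropped task XML uses the same elevated, trigger-less template.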
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: SecuriteInfo.com.Variant.Ursu.713017.24574.exe)
Checks whether UAC is enabled 1 IoCs
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: SecuriteInfo.com.Variant.Ursu.713017.24574.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 4052 (SecuriteInfo.com.Variant.Ursu.713017.24574.exe) set thread context of PID 4012 (SecuriteInfo.com.Variant.Ursu.713017.24574.exe)
Taken together with the eight WriteProcessMemory events from 4052 into 4012 below, this is the process-hollowing pattern: the loader starts a suspended copy of itself, writes the unpacked payload into it and redirects the main thread to the new entry point. The NanoCore behaviour (UAC check, GetForegroundWindow polling, second scheduled task) is then observed in 4012, not in the parent.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note reads this as likely ransomware behaviour; for this sample, which carries a NanoCore RAT configuration and shows no file encryption, drive enumeration is better read as host reconnaissance.
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 3980 schtasks.exe
- PID 4436 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
- PID 4052 SecuriteInfo.com.Variant.Ursu.713017.24574.exe: 2 events
- PID 4548 powershell.exe: 2 events
- PID 4012 SecuriteInfo.com.Variant.Ursu.713017.24574.exe: 6 events
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 4012 SecuriteInfo.com.Variant.Ursu.713017.24574.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege, PID 4052 SecuriteInfo.com.Variant.Ursu.713017.24574.exe
- Token: SeDebugPrivilege, PID 4548 powershell.exe
- Token: SeDebugPrivilege, PID 4012 SecuriteInfo.com.Variant.Ursu.713017.24574.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
- PID 4052 (SecuriteInfo.com.Variant.Ursu.713017.24574.exe) wrote to memory of PID 4548 (powershell.exe): 3 events
- PID 4052 (SecuriteInfo.com.Variant.Ursu.713017.24574.exe) wrote to memory of PID 3980 (schtasks.exe): 3 events
- PID 4052 (SecuriteInfo.com.Variant.Ursu.713017.24574.exe) wrote to memory of PID 4012 (SecuriteInfo.com.Variant.Ursu.713017.24574.exe): 8 events
- PID 4012 (SecuriteInfo.com.Variant.Ursu.713017.24574.exe) wrote to memory of PID 4436 (schtasks.exe): 3 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.713017.24574.exe (PID 4052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.713017.24574.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4548)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ebqkFAYCIl.exe"
    (The parent is a 32-bit process, so the System32 path in the command line is redirected to SysWOW64. The Defender exclusion is added for a path in the user's Roaming profile that matches the task name registered next; no file at that path appears in this report's dropped-file list.)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\schtasks.exe (PID 3980)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebqkFAYCIl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B4D.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.713017.24574.exe (PID 4012, hollowed copy of the parent)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.713017.24574.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 4436)
      Command line: "schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7000.tmp"
      - Creates scheduled task(s)
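The process tree above is a compact detection case: a binary in %TEMP% adds a Defender exclusion through PowerShell, registers two scheduled tasks from XML files in %TEMP%, and spawns a copy of itself that it hollows. The following added Python example (not from the report or the sandbox vendor) encodes those four behaviours as rules over process-creation records and runs them against events constructed from this report's tree. PIDs, image paths and command lines are as reported; the parent PID of the top-level process (1000) is an assumption, since the report does not give it.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 or EDR telemetry carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Ursu.713017.24574.exe"

# Constructed from the process tree in this report. The parent PID 1000 of the
# top-level process is assumed; everything else is as reported.
EVENTS = [
    ProcEvent(4052, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4548, 4052, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\ebqkFAYCIl.exe"'),
    ProcEvent(3980, 4052, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebqkFAYCIl" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6B4D.tmp"'),
    ProcEvent(4012, 4052, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4436, 4012, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "WPA Monitor" '
              r'/xml "C:\Users\Admin\AppData\Local\Temp\tmp7000.tmp"'),
]

LOLBINS = {"powershell.exe", "schtasks.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    """True for locations a standard user can write to, where dropped implants live."""
    p = path.lower()
    return "\\users\\" in p or "\\programdata\\" in p or "\\windows\\temp\\" in p


def detect(events):
    """Return (pid, rule) pairs for every event matching one of the four rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = _basename(e.image)
        cmd = e.cmdline.lower()

        # 1. Defender exclusion added from the command line (T1562.001).
        if name == "powershell.exe" and re.search(r"\b(add|set)-mppreference\b", cmd) \
                and "-exclusion" in cmd:
            findings.append((e.pid, "defender_exclusion_via_powershell"))

        # 2. Scheduled task registered from an XML file in a temp directory (T1053.005).
        if name == "schtasks.exe" and "/create" in cmd \
                and re.search(r'/xml\s+"?[^"]*\\temp\\', cmd):
            findings.append((e.pid, "schtasks_xml_from_temp"))

        # 3. A binary in a user-writable path spawning a copy of itself: the
        #    parent/child shape of process hollowing (SetThreadContext 4052 -> 4012).
        if parent is not None and parent.image.lower() == e.image.lower() \
                and _user_writable(e.image):
            findings.append((e.pid, "self_spawn_from_user_writable_path"))

        # 4. A living-off-the-land binary launched by something in a user-writable path.
        if name in LOLBINS and parent is not None and _user_writable(parent.image):
            findings.append((e.pid, "lolbin_spawned_by_user_writable_parent"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rule 3 needs the parent record, so it only fires when the collector delivers the whole tree; on a live host, pair it with the SetThreadContext/WriteProcessMemory telemetry the report shows for 4052 to 4012, which is the stronger signal.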
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6B4D.tmp
  Filesize: 1KB
  MD5: dfd9ef137ba2fc6a4782fcbbb0994290
  SHA1: 5e89bc4a634ec97468adb4a53fc67f924074444d
  SHA256: 777586d1bea3950f7abdce723522502a591961e768b5f150ed24a64c8e7eea54
  SHA512: 831adbb1fe6750fd7c5c16f6f69cfd7471a25a86e9b707a3403e6afa52b166c1cbf52e1fa730715e5621bcd64f6331453fdc8110bc590a80751f37932fb49969
- C:\Users\Admin\AppData\Local\Temp\tmp7000.tmp
  Filesize: 1KB
  MD5: 87d52be1383828021e670c3b242277f5
  SHA1: c84b7765f7c263729f3eb9b3a63377a2e4fd0333
  SHA256: 90d022d9ba0665b94fee44d404d10a2a1055167e69098fb4f09a96fdb42a5e6b
  SHA512: a076a4f487630c3bfa9a488b3e095ad09b19538d7a4602a2b280a82c47d14a5f77939b520a63ac183d09e7b0f09c97f71a1c8d7ddb0fe02e44cf412f38d576ef
Memory dumps (process PID, dump index, address range, size):
- memory/3980-137-0x0000000000000000-mapping.dmp
- memory/4012-140-0x0000000000000000-mapping.dmp
- memory/4012-142-0x0000000000400000-0x0000000000438000-memory.dmp (224KB; the region at the hollowed child's image base, the place to carve the unpacked NanoCore payload from)
- memory/4052-130-0x00000000009A0000-0x0000000000A54000-memory.dmp (720KB)
- memory/4052-131-0x00000000059E0000-0x0000000005F84000-memory.dmp (5.6MB)
- memory/4052-132-0x0000000005430000-0x00000000054C2000-memory.dmp (584KB)
- memory/4052-133-0x00000000053F0000-0x00000000053FA000-memory.dmp (40KB)
- memory/4052-134-0x0000000009320000-0x00000000093BC000-memory.dmp (624KB)
- memory/4052-135-0x0000000009670000-0x00000000096D6000-memory.dmp (408KB)
- memory/4436-145-0x0000000000000000-mapping.dmp
- memory/4548-144-0x0000000005A90000-0x0000000005AF6000-memory.dmp (408KB)
- memory/4548-149-0x0000000070250000-0x000000007029C000-memory.dmp (304KB)
- memory/4548-141-0x0000000005360000-0x0000000005988000-memory.dmp (6.2MB)
- memory/4548-138-0x0000000002970000-0x00000000029A6000-memory.dmp (216KB)
- memory/4548-136-0x0000000000000000-mapping.dmp
- memory/4548-147-0x0000000006270000-0x000000000628E000-memory.dmp (120KB)
- memory/4548-148-0x0000000006850000-0x0000000006882000-memory.dmp (200KB)
- memory/4548-143-0x00000000052C0000-0x00000000052E2000-memory.dmp (136KB)
- memory/4548-150-0x00000000067C0000-0x00000000067DE000-memory.dmp (120KB)
- memory/4548-151-0x0000000007BC0000-0x000000000823A000-memory.dmp (6.5MB)
- memory/4548-152-0x0000000007580000-0x000000000759A000-memory.dmp (104KB)
- memory/4548-153-0x00000000075F0000-0x00000000075FA000-memory.dmp (40KB)
- memory/4548-154-0x0000000007800000-0x0000000007896000-memory.dmp (600KB)
- memory/4548-155-0x00000000077B0000-0x00000000077BE000-memory.dmp (56KB)
- memory/4548-156-0x00000000078C0000-0x00000000078DA000-memory.dmp (104KB)
- memory/4548-157-0x00000000078A0000-0x00000000078A8000-memory.dmp (32KB)