Analysis
- max time kernel: 69s
- max time network: 302s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 05-07-2022 16:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: RegistryKeyPermissionCh.exe
- Resource: win7-20220414-en
General
- Target: RegistryKeyPermissionCh.exe
- Size: 728KB
- MD5: f9a9d6614542c8e1ed8eff17f9bfd527
- SHA1: 5b6c2304de9daf1ff1a5dfc4b3bcb69a3e07e348
- SHA256: 7e7550af6931e5e5ccb8dab52ea5976762c5fe1aae8b91dd6db6a122654c83ae
- SHA512: cb33c069b288b67f6bac6dd54f4f34dc0e70bdd6cac615d65885afec9033800cef80cbd704f44059599f8e2f8ad0599ee1eb38e14d910e780fd16a257ab7f9b6
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: config.linkpc.net:3425
- Mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
Attributes:
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server:
- buffer_size: 65535
- build_time: 2022-04-01T12:01:12.053123736Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 3425
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: e5ec3588-c148-476e-a8f8-2e9038dcba4d
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: config.linkpc.net
- primary_dns_server: config.linkpc.net
- request_elevation: true
- restart_delay: 5000
- run_delay: 15
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | RegistryKeyPermissionCh.exe

Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RegistryKeyPermissionCh.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
- PID 1372 set thread context of 208 | 1372 | RegistryKeyPermissionCh.exe | RegistryKeyPermissionCh.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
- 2536 | schtasks.exe
- 3856 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid | process | occurrences):
- 1372 | RegistryKeyPermissionCh.exe | 2
- 5084 | powershell.exe | 2
- 208 | RegistryKeyPermissionCh.exe | 6

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid | process):
- 208 | RegistryKeyPermissionCh.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1372 | RegistryKeyPermissionCh.exe
- Token: SeDebugPrivilege | 5084 | powershell.exe
- Token: SeDebugPrivilege | 208 | RegistryKeyPermissionCh.exe

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description | pid | process | target process | occurrences):
- PID 1372 wrote to memory of 5084 | 1372 | RegistryKeyPermissionCh.exe | powershell.exe | 3
- PID 1372 wrote to memory of 2536 | 1372 | RegistryKeyPermissionCh.exe | schtasks.exe | 3
- PID 1372 wrote to memory of 208 | 1372 | RegistryKeyPermissionCh.exe | RegistryKeyPermissionCh.exe | 8
- PID 208 wrote to memory of 3856 | 208 | RegistryKeyPermissionCh.exe | schtasks.exe | 3
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZCzaLnETi.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZCzaLnETi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp"
    - Creates scheduled task(s)

  (depth 2) C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3306.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp
  Filesize: 1KB
  MD5: 2e4d3f5fed60856ea481668559cb23fa
  SHA1: 8966338c18254521c83335f28f698b7e3c247892
  SHA256: 58098d5675cc9c6551d94e066a5281af26ca13b11fe3b3a48e348ef010daa531
  SHA512: ad33cc69e22f5ecbadb7163068adc1d053eba09626b5c9ca0ce1063bdc3b31f305fac8435134e5fedeb69dd67bfa3fb33c6f6ec0f81854d536f9b1b890990e41
- C:\Users\Admin\AppData\Local\Temp\tmp3306.tmp
  Filesize: 1KB
  MD5: de4f52bed4e8636f355b853a9dde1daf
  SHA1: f4bdae7d8f03697f482f5080478d6b9c954155fb
  SHA256: 65e60082077485521e14361b66be04a3b5b00c4a0acf833f391dbc6a013c57c3
  SHA512: 68d75f24832280100b4dfa323895cc37a9dc982298a2dc9fae681e84830147d7020eb813ecc4f0c03f60c1ebb1c15a232f8076454864019575e1eb2ff067fde0

Memory dumps (path, Filesize):
- memory/208-140-0x0000000000000000-mapping.dmp
- memory/208-142-0x0000000000400000-0x0000000000438000-memory.dmp, 224KB
- memory/1372-131-0x0000000005A20000-0x0000000005FC4000-memory.dmp, 5.6MB
- memory/1372-132-0x0000000005470000-0x0000000005502000-memory.dmp, 584KB
- memory/1372-133-0x00000000053C0000-0x00000000053CA000-memory.dmp, 40KB
- memory/1372-134-0x00000000094B0000-0x000000000954C000-memory.dmp, 624KB
- memory/1372-135-0x0000000009240000-0x00000000092A6000-memory.dmp, 408KB
- memory/1372-130-0x0000000000970000-0x0000000000A2C000-memory.dmp, 752KB
- memory/2536-137-0x0000000000000000-mapping.dmp
- memory/3856-145-0x0000000000000000-mapping.dmp
- memory/5084-144-0x0000000005E10000-0x0000000005E76000-memory.dmp, 408KB
- memory/5084-149-0x0000000070DC0000-0x0000000070E0C000-memory.dmp, 304KB
- memory/5084-141-0x00000000055F0000-0x0000000005C18000-memory.dmp, 6.2MB
- memory/5084-138-0x0000000004F50000-0x0000000004F86000-memory.dmp, 216KB
- memory/5084-136-0x0000000000000000-mapping.dmp
- memory/5084-147-0x0000000006510000-0x000000000652E000-memory.dmp, 120KB
- memory/5084-148-0x0000000006AD0000-0x0000000006B02000-memory.dmp, 200KB
- memory/5084-143-0x0000000005D70000-0x0000000005D92000-memory.dmp, 136KB
- memory/5084-150-0x0000000006AB0000-0x0000000006ACE000-memory.dmp, 120KB
- memory/5084-151-0x0000000007E60000-0x00000000084DA000-memory.dmp, 6.5MB
- memory/5084-152-0x0000000007820000-0x000000000783A000-memory.dmp, 104KB
- memory/5084-153-0x0000000007890000-0x000000000789A000-memory.dmp, 40KB
- memory/5084-154-0x0000000007AA0000-0x0000000007B36000-memory.dmp, 600KB
- memory/5084-155-0x0000000007A50000-0x0000000007A5E000-memory.dmp, 56KB
- memory/5084-156-0x0000000007B60000-0x0000000007B7A000-memory.dmp, 104KB
- memory/5084-157-0x0000000007B40000-0x0000000007B48000-memory.dmp, 32KB