Analysis
-
max time kernel
69s -
max time network
302s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
05-07-2022 16:21
General
-
Target
RegistryKeyPermissionCh.exe
-
Size
728KB
-
MD5
f9a9d6614542c8e1ed8eff17f9bfd527
-
SHA1
5b6c2304de9daf1ff1a5dfc4b3bcb69a3e07e348
-
SHA256
7e7550af6931e5e5ccb8dab52ea5976762c5fe1aae8b91dd6db6a122654c83ae
-
SHA512
cb33c069b288b67f6bac6dd54f4f34dc0e70bdd6cac615d65885afec9033800cef80cbd704f44059599f8e2f8ad0599ee1eb38e14d910e780fd16a257ab7f9b6
Malware Config
Extracted
nanocore
1.2.2.0
config.linkpc.net:3425
e5ec3588-c148-476e-a8f8-2e9038dcba4d
-
activate_away_mode
true
- backup_connection_host
- backup_dns_server
-
buffer_size
65535
-
build_time
2022-04-01T12:01:12.053123736Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3425
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
e5ec3588-c148-476e-a8f8-2e9038dcba4d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
config.linkpc.net
-
primary_dns_server
config.linkpc.net
-
request_elevation
true
-
restart_delay
5000
-
run_delay
15
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe"C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZCzaLnETi.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZCzaLnETi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3028.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe"C:\Users\Admin\AppData\Local\Temp\RegistryKeyPermissionCh.exe"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3306.tmp"3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp3028.tmpFilesize
1KB
MD52e4d3f5fed60856ea481668559cb23fa
SHA18966338c18254521c83335f28f698b7e3c247892
SHA25658098d5675cc9c6551d94e066a5281af26ca13b11fe3b3a48e348ef010daa531
SHA512ad33cc69e22f5ecbadb7163068adc1d053eba09626b5c9ca0ce1063bdc3b31f305fac8435134e5fedeb69dd67bfa3fb33c6f6ec0f81854d536f9b1b890990e41
-
C:\Users\Admin\AppData\Local\Temp\tmp3306.tmpFilesize
1KB
MD5de4f52bed4e8636f355b853a9dde1daf
SHA1f4bdae7d8f03697f482f5080478d6b9c954155fb
SHA25665e60082077485521e14361b66be04a3b5b00c4a0acf833f391dbc6a013c57c3
SHA51268d75f24832280100b4dfa323895cc37a9dc982298a2dc9fae681e84830147d7020eb813ecc4f0c03f60c1ebb1c15a232f8076454864019575e1eb2ff067fde0
-
memory/208-140-0x0000000000000000-mapping.dmp
-
memory/208-142-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1372-131-0x0000000005A20000-0x0000000005FC4000-memory.dmpFilesize
5.6MB
-
memory/1372-132-0x0000000005470000-0x0000000005502000-memory.dmpFilesize
584KB
-
memory/1372-133-0x00000000053C0000-0x00000000053CA000-memory.dmpFilesize
40KB
-
memory/1372-134-0x00000000094B0000-0x000000000954C000-memory.dmpFilesize
624KB
-
memory/1372-135-0x0000000009240000-0x00000000092A6000-memory.dmpFilesize
408KB
-
memory/1372-130-0x0000000000970000-0x0000000000A2C000-memory.dmpFilesize
752KB
-
memory/2536-137-0x0000000000000000-mapping.dmp
-
memory/3856-145-0x0000000000000000-mapping.dmp
-
memory/5084-144-0x0000000005E10000-0x0000000005E76000-memory.dmpFilesize
408KB
-
memory/5084-149-0x0000000070DC0000-0x0000000070E0C000-memory.dmpFilesize
304KB
-
memory/5084-141-0x00000000055F0000-0x0000000005C18000-memory.dmpFilesize
6.2MB
-
memory/5084-138-0x0000000004F50000-0x0000000004F86000-memory.dmpFilesize
216KB
-
memory/5084-136-0x0000000000000000-mapping.dmp
-
memory/5084-147-0x0000000006510000-0x000000000652E000-memory.dmpFilesize
120KB
-
memory/5084-148-0x0000000006AD0000-0x0000000006B02000-memory.dmpFilesize
200KB
-
memory/5084-143-0x0000000005D70000-0x0000000005D92000-memory.dmpFilesize
136KB
-
memory/5084-150-0x0000000006AB0000-0x0000000006ACE000-memory.dmpFilesize
120KB
-
memory/5084-151-0x0000000007E60000-0x00000000084DA000-memory.dmpFilesize
6.5MB
-
memory/5084-152-0x0000000007820000-0x000000000783A000-memory.dmpFilesize
104KB
-
memory/5084-153-0x0000000007890000-0x000000000789A000-memory.dmpFilesize
40KB
-
memory/5084-154-0x0000000007AA0000-0x0000000007B36000-memory.dmpFilesize
600KB
-
memory/5084-155-0x0000000007A50000-0x0000000007A5E000-memory.dmpFilesize
56KB
-
memory/5084-156-0x0000000007B60000-0x0000000007B7A000-memory.dmpFilesize
104KB
-
memory/5084-157-0x0000000007B40000-0x0000000007B48000-memory.dmpFilesize
32KB