Analysis
- max time kernel: 646s
- max time network: 665s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
- submitted: 21-07-2022 22:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: orxVwulQulmYSAf.exe
  - Resource: win7-20220715-en
General
- Target: orxVwulQulmYSAf.exe
- Size: 968KB
- MD5: 99b689cff9e00db87bbcf91174b8b7f3
- SHA1: 0ee1d70a16c7d6b6c1c87a1ce4f76db76eb4b153
- SHA256: a3bff9b4fb3f28a222c1c9658440b31e57d53b1c0ce9e36fda779726f75daa71
- SHA512: 29973550ca4bef56a3d54d61d89717af98f62ec5e6ec480e3bc93dd6917a16d4abb8e27787232651fc41897f196c4e729190c91542af0feac73535d16e7aedae
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: smithcity123.ddns.net:57689
- C2: 194.5.98.180:57689
- Mutex: c01c81ab-6469-4a53-a74b-1d51499279d4
- Attributes:
  - activate_away_mode: true
  - backup_connection_host: 194.5.98.180
  - backup_dns_server: 8.8.4.4
  - buffer_size: 65535
  - build_time: 2022-03-06T19:31:37.368246236Z
  - bypass_user_account_control: false
  - bypass_user_account_control_data:
  - clear_access_control: true
  - clear_zone_identifier: false
  - connect_delay: 4000
  - connection_port: 57689
  - default_group: GREAT
  - enable_debug_mode: true
  - gc_threshold: 1.048576e+07
  - keep_alive_timeout: 30000
  - keyboard_logging: false
  - lan_timeout: 2500
  - max_packet_size: 1.048576e+07
  - mutex: c01c81ab-6469-4a53-a74b-1d51499279d4
  - mutex_timeout: 5000
  - prevent_system_sleep: false
  - primary_connection_host: smithcity123.ddns.net
  - primary_dns_server: 8.8.8.8
  - request_elevation: true
  - restart_delay: 5000
  - run_delay: 0
  - run_on_startup: false
  - set_critical_process: true
  - timeout_interval: 5000
  - use_custom_dns_server: false
  - version: 1.2.2.0
  - wan_timeout: 8000
Signatures
- suricata: ET MALWARE Possible NanoCore C2 60B
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisv.exe" (vbc.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 852 set thread context of 1648: orxVwulQulmYSAf.exe (852) -> vbc.exe (1648)
- Drops file in Program Files directory (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Program Files (x86)\PCI Service\pcisv.exe (vbc.exe)
  - File opened for modification: C:\Program Files (x86)\PCI Service\pcisv.exe (vbc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process):
  - 1084 schtasks.exe
  - 1484 schtasks.exe
  - 1800 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1648 vbc.exe
  - 1648 vbc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid / process):
  - 1648 vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1648 vbc.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description / pid / process / target process), identical events grouped with their count:
  - PID 852 wrote to memory of 1800: orxVwulQulmYSAf.exe (852) -> schtasks.exe (1800), 4 events
  - PID 852 wrote to memory of 1648: orxVwulQulmYSAf.exe (852) -> vbc.exe (1648), 9 events
  - PID 1648 wrote to memory of 1084: vbc.exe (1648) -> schtasks.exe (1084), 4 events
  - PID 1648 wrote to memory of 1484: vbc.exe (1648) -> schtasks.exe (1484), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\orxVwulQulmYSAf.exe (PID 852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\orxVwulQulmYSAf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1800)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kXNiPNjdbyLARR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA95A.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1648)
    Command line: "{path}"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAE0C.tmp"
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF54.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpA95A.tmp
  Filesize: 1KB
  MD5: 11f2e1d2f89a442ca94cdd3f07138b75
  SHA1: a9cb155b0046533cbe16da7acb5307a3dbe4ed80
  SHA256: 13d40d0daa2f9ba77e9ffa9135ce8e9438645881967f64bb09b015fc2dd69821
  SHA512: d357addceb41cb42104dd9cf33c3fcc5c84e98d593e9886c9537ccf0c1b9a8adb94c33bd37350497ba3190f94ccefd93ced67483f79a7ca2a475bc959e9d6711
- C:\Users\Admin\AppData\Local\Temp\tmpAE0C.tmp
  Filesize: 1KB
  MD5: 808c6e96c170c90d0db522e8947eb2bd
  SHA1: 44583694c3c23410d637bb96c0df0921363533ad
  SHA256: c6b75fb7740d34d55d74b8664ff1ea778638a4916c2b52348ea34de60edd3afc
  SHA512: 928b85e9fddfd7c93623e954dc53367aaf355f74a14601d77e45612ebdb77f3d6c0fc853e154f91f61e64306361885467c16fc211cf1bbdc023658ad35dba1eb
- C:\Users\Admin\AppData\Local\Temp\tmpAF54.tmp
  Filesize: 1KB
  MD5: bbb0d424bb7cb3b0e6aeb68cf82b8f5f
  SHA1: 7e95dcd21a27ee53e5c23ed5a163df56a43d572a
  SHA256: 08d6bee474edf0151a0d8ff942ba9e6a1efe069585c63477abd1c7bd8046e130
  SHA512: 0dc790a415f9717f6e7633c1d5f2749a2eca5582c5bbe114119c3ddba6d4e4d0df48029622e2fe07f94d8ae97c334b88691b7721da50ada261449769ae31d466
- memory/852-54-0x0000000000B60000-0x0000000000C58000-memory.dmp
  Filesize: 992KB
- memory/852-55-0x00000000766A1000-0x00000000766A3000-memory.dmp
  Filesize: 8KB
- memory/852-56-0x0000000000280000-0x000000000028A000-memory.dmp
  Filesize: 40KB
- memory/852-57-0x0000000005350000-0x00000000053DC000-memory.dmp
  Filesize: 560KB
- memory/852-58-0x00000000006E0000-0x000000000071A000-memory.dmp
  Filesize: 232KB
- memory/1084-74-0x0000000000000000-mapping.dmp
- memory/1484-76-0x0000000000000000-mapping.dmp
- memory/1648-65-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-67-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-68-0x000000000041E792-mapping.dmp
- memory/1648-70-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-72-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-64-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-62-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-61-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
- memory/1648-78-0x00000000003E0000-0x00000000003EA000-memory.dmp
  Filesize: 40KB
- memory/1648-79-0x0000000000450000-0x000000000046E000-memory.dmp
  Filesize: 120KB
- memory/1648-80-0x00000000003F0000-0x00000000003FA000-memory.dmp
  Filesize: 40KB
- memory/1648-81-0x0000000000C05000-0x0000000000C16000-memory.dmp
  Filesize: 68KB
- memory/1800-59-0x0000000000000000-mapping.dmp