Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    17-10-2022 14:42

General

  • Target

    6fc3c0f8ac80e213b214721c63ccf070.exe

  • Size

    1.2MB

  • MD5

    6fc3c0f8ac80e213b214721c63ccf070

  • SHA1

    675f3134cbb346c7b6bb24245de72428e3288947

  • SHA256

    6e246fe3f0b1f37ab0732885249bd7d2b4a58d502d7d4ffe55720e3a903286d9

  • SHA512

    176da6fb8e29a8db4340178315c3b38885cc71cad8f9c653db0136fffa16651003e4c76127de81d834d83bc28964a3c8da247a66ca8bd2d6835630e92bc5be91

  • SSDEEP

    24576:0AOcZ2i7xba+E6Y7CUKbFiFn0W5faNnCLUEVYfA3zEqoGrYfC:iKba+t7b0Fn0W5faNrEVYfIzEdGE6

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

lowaspeed.ddnsfree.com:48562

411speed.duckdns.org:48562

Mutex

042723c4-0804-4212-bf56-4b1b2669ca7c

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    411speed.duckdns.org

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2022-07-02T05:32:06.440076436Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    48562

  • default_group

    Clowns

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    042723c4-0804-4212-bf56-4b1b2669ca7c

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    lowaspeed.ddnsfree.com

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fc3c0f8ac80e213b214721c63ccf070.exe
    "C:\Users\Admin\AppData\Local\Temp\6fc3c0f8ac80e213b214721c63ccf070.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_14\phhqlxhjg.vbe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe
        "C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe" ffxans.awe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E64.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:756
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8058.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\10_14\ffxans.awe
    Filesize

    134.1MB

    MD5

    0e1dd5ebf82ad7f5aadd656297c66c95

    SHA1

    40b9810bc46f0138fc57af11eb6c573a1eb829c1

    SHA256

    732fcb29f21b28c7cfb25ee995c81b3ca2f8c571c1d881855c8f837da904587e

    SHA512

    77165905782d6e5d2d24d3d6c17c48c5a95c892f8f3e51dcff3f02ae4c7eec662abc6e0d783a27f5f0e5550dcec583b1d0b537a6b1f35d37d3af27caec2ef0eb

  • C:\Users\Admin\AppData\Local\Temp\10_14\obde.jfo
    Filesize

    420KB

    MD5

    426086a7a8dae7bbc25d188d980fcf32

    SHA1

    1a2c15ac9b473d827f72b08a12268c293dd0103a

    SHA256

    d03f0db62329f0ef248e25f1ff64a4e8999d0513fb5b77cc05b2497e9cf94f08

    SHA512

    c1d9bad7566d4af52d03603dffe9d5e6dcb5a1d88d474c9fe7c475b61d718421cf0d6f128624341205b53793e6818a38436e4518e0903a3a4a4dd23bc28d3f51

  • C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe
    Filesize

    1.1MB

    MD5

    36f2cc80742b6e66a7cf997fd3b5b20b

    SHA1

    05947cdd2a59f0158516fd1705295b214f2dd065

    SHA256

    823b39d3b111ea4483d94d693768c49cbc7533c441483f75e5fcfdb223db8b1f

    SHA512

    457be34f92af93fce11bf0bed23642ab976008bf93e3fb47bc837ff5268a82f701406c6853e13127010c3ea502454c7711d22bc36db5e2e3fe20d22ca9e722bd

  • C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe
    Filesize

    1.1MB

    MD5

    36f2cc80742b6e66a7cf997fd3b5b20b

    SHA1

    05947cdd2a59f0158516fd1705295b214f2dd065

    SHA256

    823b39d3b111ea4483d94d693768c49cbc7533c441483f75e5fcfdb223db8b1f

    SHA512

    457be34f92af93fce11bf0bed23642ab976008bf93e3fb47bc837ff5268a82f701406c6853e13127010c3ea502454c7711d22bc36db5e2e3fe20d22ca9e722bd

  • C:\Users\Admin\AppData\Local\Temp\10_14\vhjomw.jpg
    Filesize

    49KB

    MD5

    5d769e7929d1758434c28d8f8cf5690f

    SHA1

    743d8c4bae1915057a70c4896f3b7c68ae251e8e

    SHA256

    435a778c035e8d007ed02dad54ddb2ac4a9445fd18b4fc3713d4acd0cf254233

    SHA512

    51aa7258d912f52e59308e229261d71ffda0c25fe8239932fdb9ec314a4eaec503e73635c7132c6e888736d8c3ef0eb956115b5b6ff8b881c017a0742ce38182

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • C:\Users\Admin\AppData\Local\Temp\tmp7E64.tmp
    Filesize

    1KB

    MD5

    95aceabc58acad5d73372b0966ee1b35

    SHA1

    2293b7ad4793cf574b1a5220e85f329b5601040a

    SHA256

    8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4

    SHA512

    00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

  • C:\Users\Admin\AppData\Local\Temp\tmp8058.tmp
    Filesize

    1KB

    MD5

    0a24db62cb5b84309c4803346caaa25d

    SHA1

    67660778f61bb44168c33ed3fe56ed86cf9583e8

    SHA256

    38d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df

    SHA512

    d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548

  • C:\Users\Admin\AppData\Local\temp\10_14\phhqlxhjg.vbe
    Filesize

    30KB

    MD5

    06c087670d6dcad3e9bde3fbd7e7cf45

    SHA1

    3f472622b7bd1374f30c0507e7ed9d04cb4831be

    SHA256

    e3489f379919aa1c1356d664513c83dc268a620408c13d3b9677627cced97d01

    SHA512

    9575819043bbbfdb9c546599dbd019aad5f35bb8519b058e371324b2f8932c5e49a38e8416e54cbd6cd6df4ac6871d44429f70a50f5a03ba97923989612d1508

  • \Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe
    Filesize

    1.1MB

    MD5

    36f2cc80742b6e66a7cf997fd3b5b20b

    SHA1

    05947cdd2a59f0158516fd1705295b214f2dd065

    SHA256

    823b39d3b111ea4483d94d693768c49cbc7533c441483f75e5fcfdb223db8b1f

    SHA512

    457be34f92af93fce11bf0bed23642ab976008bf93e3fb47bc837ff5268a82f701406c6853e13127010c3ea502454c7711d22bc36db5e2e3fe20d22ca9e722bd

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • memory/756-79-0x0000000000000000-mapping.dmp
  • memory/1640-60-0x0000000000000000-mapping.dmp
  • memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
    Filesize

    8KB

  • memory/1744-81-0x0000000000000000-mapping.dmp
  • memory/1752-69-0x0000000000500000-0x0000000000C26000-memory.dmp
    Filesize

    7.1MB

  • memory/1752-75-0x0000000000500000-0x0000000000C26000-memory.dmp
    Filesize

    7.1MB

  • memory/1752-77-0x0000000000500000-0x000000000053A000-memory.dmp
    Filesize

    232KB

  • memory/1752-73-0x0000000000500000-0x0000000000C26000-memory.dmp
    Filesize

    7.1MB

  • memory/1752-70-0x000000000051E792-mapping.dmp
  • memory/1752-67-0x0000000000500000-0x0000000000C26000-memory.dmp
    Filesize

    7.1MB

  • memory/1752-83-0x00000000003A0000-0x00000000003AA000-memory.dmp
    Filesize

    40KB

  • memory/1752-84-0x00000000003F0000-0x00000000003FC000-memory.dmp
    Filesize

    48KB

  • memory/1752-85-0x0000000000CE0000-0x0000000000CFE000-memory.dmp
    Filesize

    120KB

  • memory/1752-86-0x0000000000D00000-0x0000000000D0A000-memory.dmp
    Filesize

    40KB

  • memory/1868-55-0x0000000000000000-mapping.dmp