Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2022 14:42

General

  • Target

    6fc3c0f8ac80e213b214721c63ccf070.exe

  • Size

    1.2MB

  • MD5

    6fc3c0f8ac80e213b214721c63ccf070

  • SHA1

    675f3134cbb346c7b6bb24245de72428e3288947

  • SHA256

    6e246fe3f0b1f37ab0732885249bd7d2b4a58d502d7d4ffe55720e3a903286d9

  • SHA512

    176da6fb8e29a8db4340178315c3b38885cc71cad8f9c653db0136fffa16651003e4c76127de81d834d83bc28964a3c8da247a66ca8bd2d6835630e92bc5be91

  • SSDEEP

    24576:0AOcZ2i7xba+E6Y7CUKbFiFn0W5faNnCLUEVYfA3zEqoGrYfC:iKba+t7b0Fn0W5faNrEVYfIzEdGE6

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

lowaspeed.ddnsfree.com:48562

411speed.duckdns.org:48562

Mutex

042723c4-0804-4212-bf56-4b1b2669ca7c

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    411speed.duckdns.org

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2022-07-02T05:32:06.440076436Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    48562

  • default_group

    Clowns

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    042723c4-0804-4212-bf56-4b1b2669ca7c

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    lowaspeed.ddnsfree.com

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fc3c0f8ac80e213b214721c63ccf070.exe
    "C:\Users\Admin\AppData\Local\Temp\6fc3c0f8ac80e213b214721c63ccf070.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\10_14\phhqlxhjg.vbe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe
        "C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe" ffxans.awe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3528
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEC49.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:3496
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEFA5.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\10_14\ffxans.awe
    Filesize

    134.1MB

    MD5

    0e1dd5ebf82ad7f5aadd656297c66c95

    SHA1

    40b9810bc46f0138fc57af11eb6c573a1eb829c1

    SHA256

    732fcb29f21b28c7cfb25ee995c81b3ca2f8c571c1d881855c8f837da904587e

    SHA512

    77165905782d6e5d2d24d3d6c17c48c5a95c892f8f3e51dcff3f02ae4c7eec662abc6e0d783a27f5f0e5550dcec583b1d0b537a6b1f35d37d3af27caec2ef0eb

  • C:\Users\Admin\AppData\Local\Temp\10_14\obde.jfo
    Filesize

    420KB

    MD5

    426086a7a8dae7bbc25d188d980fcf32

    SHA1

    1a2c15ac9b473d827f72b08a12268c293dd0103a

    SHA256

    d03f0db62329f0ef248e25f1ff64a4e8999d0513fb5b77cc05b2497e9cf94f08

    SHA512

    c1d9bad7566d4af52d03603dffe9d5e6dcb5a1d88d474c9fe7c475b61d718421cf0d6f128624341205b53793e6818a38436e4518e0903a3a4a4dd23bc28d3f51

  • C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe
    Filesize

    1.1MB

    MD5

    36f2cc80742b6e66a7cf997fd3b5b20b

    SHA1

    05947cdd2a59f0158516fd1705295b214f2dd065

    SHA256

    823b39d3b111ea4483d94d693768c49cbc7533c441483f75e5fcfdb223db8b1f

    SHA512

    457be34f92af93fce11bf0bed23642ab976008bf93e3fb47bc837ff5268a82f701406c6853e13127010c3ea502454c7711d22bc36db5e2e3fe20d22ca9e722bd

  • C:\Users\Admin\AppData\Local\Temp\10_14\tixkbagfs.exe
    Filesize

    1.1MB

    MD5

    36f2cc80742b6e66a7cf997fd3b5b20b

    SHA1

    05947cdd2a59f0158516fd1705295b214f2dd065

    SHA256

    823b39d3b111ea4483d94d693768c49cbc7533c441483f75e5fcfdb223db8b1f

    SHA512

    457be34f92af93fce11bf0bed23642ab976008bf93e3fb47bc837ff5268a82f701406c6853e13127010c3ea502454c7711d22bc36db5e2e3fe20d22ca9e722bd

  • C:\Users\Admin\AppData\Local\Temp\10_14\vhjomw.jpg
    Filesize

    49KB

    MD5

    5d769e7929d1758434c28d8f8cf5690f

    SHA1

    743d8c4bae1915057a70c4896f3b7c68ae251e8e

    SHA256

    435a778c035e8d007ed02dad54ddb2ac4a9445fd18b4fc3713d4acd0cf254233

    SHA512

    51aa7258d912f52e59308e229261d71ffda0c25fe8239932fdb9ec314a4eaec503e73635c7132c6e888736d8c3ef0eb956115b5b6ff8b881c017a0742ce38182

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • C:\Users\Admin\AppData\Local\Temp\tmpEC49.tmp
    Filesize

    1KB

    MD5

    95aceabc58acad5d73372b0966ee1b35

    SHA1

    2293b7ad4793cf574b1a5220e85f329b5601040a

    SHA256

    8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4

    SHA512

    00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

  • C:\Users\Admin\AppData\Local\Temp\tmpEFA5.tmp
    Filesize

    1KB

    MD5

    2f26d92c1eeead3896820e56ec46f6f1

    SHA1

    d95533b61eed7d89e4ada56bc566d60e42ac1f61

    SHA256

    99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa

    SHA512

    6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892

  • C:\Users\Admin\AppData\Local\temp\10_14\phhqlxhjg.vbe
    Filesize

    30KB

    MD5

    06c087670d6dcad3e9bde3fbd7e7cf45

    SHA1

    3f472622b7bd1374f30c0507e7ed9d04cb4831be

    SHA256

    e3489f379919aa1c1356d664513c83dc268a620408c13d3b9677627cced97d01

    SHA512

    9575819043bbbfdb9c546599dbd019aad5f35bb8519b058e371324b2f8932c5e49a38e8416e54cbd6cd6df4ac6871d44429f70a50f5a03ba97923989612d1508

  • memory/372-151-0x0000000000000000-mapping.dmp
  • memory/1688-135-0x0000000000000000-mapping.dmp
  • memory/3212-132-0x0000000000000000-mapping.dmp
  • memory/3496-149-0x0000000000000000-mapping.dmp
  • memory/3528-144-0x0000000001140000-0x000000000117A000-memory.dmp
    Filesize

    232KB

  • memory/3528-147-0x0000000005E80000-0x0000000005F1C000-memory.dmp
    Filesize

    624KB

  • memory/3528-148-0x0000000005DA0000-0x0000000005DAA000-memory.dmp
    Filesize

    40KB

  • memory/3528-146-0x0000000005DE0000-0x0000000005E72000-memory.dmp
    Filesize

    584KB

  • memory/3528-145-0x00000000062B0000-0x0000000006854000-memory.dmp
    Filesize

    5.6MB

  • memory/3528-141-0x000000000115E792-mapping.dmp
  • memory/3528-140-0x0000000001140000-0x0000000001771000-memory.dmp
    Filesize

    6.2MB