Analysis

  • max time kernel
    155s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 23:37

General

  • Target

    a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe

  • Size

    270KB

  • MD5

    2cb181105e8d2aff82b0e4ffa1b9c0a3

  • SHA1

    e80ed3c708459baeeb65ba143e4a87b83869df55

  • SHA256

    a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256

  • SHA512

    a7973fd5c8403dfd4e3504e5ebf908aab1ba87dcb31c1e13de2c8fe8bed26c4989dbcad6105dce9c7215f1cc3d9309f934f7cfca8f2a05a0b85e91bea4d252b3

  • SSDEEP

    3072:UBixpea+2WPGOqsm7GMwU51cuFzLe02owBqRK6gb8ekFCgGbCuCE0TYB9JPpJJUw:gib+Hmp1QhBqRKH4GOExB9tJUZs+PVPe

Malware Config

Extracted

Family

nanocore

Attributes
  • activate_away_mode

    false

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    0

  • build_time

    0001-01-01T00:00:00Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    0

  • connection_port

    0

  • default_group

  • enable_debug_mode

    false

  • gc_threshold

    0

  • keep_alive_timeout

    0

  • keyboard_logging

    false

  • lan_timeout

    0

  • max_packet_size

    0

  • mutex

  • mutex_timeout

    0

  • prevent_system_sleep

    false

  • primary_connection_host

  • primary_dns_server

  • request_elevation

    false

  • restart_delay

    0

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    0

  • use_custom_dns_server

    false

  • version

  • wan_timeout

    0

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe
    "C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe
      "C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      PID:2016

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe

          Filesize

          117KB

          MD5

          27ddcce8f1fce61204719d271f240aae

          SHA1

          7684d14fe04f0865fa1bdcb539f1223b1a17a194

          SHA256

          7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879

          SHA512

          37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b

        • C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe

          Filesize

          117KB

          MD5

          27ddcce8f1fce61204719d271f240aae

          SHA1

          7684d14fe04f0865fa1bdcb539f1223b1a17a194

          SHA256

          7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879

          SHA512

          37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b

        • memory/2016-141-0x00000000703A0000-0x0000000070951000-memory.dmp

          Filesize

          5.7MB

        • memory/2016-142-0x00000000703A0000-0x0000000070951000-memory.dmp

          Filesize

          5.7MB

        • memory/2736-132-0x0000000000450000-0x000000000047C000-memory.dmp

          Filesize

          176KB

        • memory/2736-133-0x0000000004E20000-0x0000000004EBC000-memory.dmp

          Filesize

          624KB

        • memory/2736-134-0x0000000005660000-0x0000000005C04000-memory.dmp

          Filesize

          5.6MB

        • memory/2736-135-0x0000000004FA0000-0x0000000005032000-memory.dmp

          Filesize

          584KB

        • memory/2736-136-0x0000000004E10000-0x0000000004E1A000-memory.dmp

          Filesize

          40KB

        • memory/2736-137-0x0000000005040000-0x0000000005096000-memory.dmp

          Filesize

          344KB