1605f0e74c7088b8a2ca7190b71c83f8dc0381e57d817df3530bda4ac5737511

Analysis

max time kernel
28s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 05:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nanocore_Rat.exe
Size

296KB
MD5

5846c3588fbcf6a5078b7a2413da0345
SHA1

f474474c33a8eee420b2de86e6cb4e0daf18293c
SHA256

1605f0e74c7088b8a2ca7190b71c83f8dc0381e57d817df3530bda4ac5737511
SHA512

a4d1b481f65aeffca4ead4fc746d20f3f56fcd5e6b2ce4930f5d40912847bcd88f3c39437148aea6f69de263cc41fde61bdcd1b525ed12ff8af6ab5d41136a43
SSDEEP

6144:rGiaRPcq7Y6gr0uqZwNPXFLCrGsqExvp4bnCyvxR/ORA5HzqNPL:W17Y6WVqetFLCroEZc5MRAMt

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

cckgcf.exe

pid process

1216 cckgcf.exe
Loads dropped DLL 2 IoCs

Processes:

nanocore_Rat.execckgcf.exe

pid process

1944 nanocore_Rat.exe
1216 cckgcf.exe

pid	process
1216	cckgcf.exe

pid	process
1944	nanocore_Rat.exe
1216	cckgcf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cckgcf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\hhtktvn = "C:\\Users\\Admin\\AppData\\Roaming\\gswccl\\ratotpvvsmo.exe"	cckgcf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

nanocore_Rat.execckgcf.exe

description	pid	process	target process
PID 1944 wrote to memory of 1216	1944	nanocore_Rat.exe	cckgcf.exe
PID 1944 wrote to memory of 1216	1944	nanocore_Rat.exe	cckgcf.exe
PID 1944 wrote to memory of 1216	1944	nanocore_Rat.exe	cckgcf.exe
PID 1944 wrote to memory of 1216	1944	nanocore_Rat.exe	cckgcf.exe
PID 1216 wrote to memory of 584	1216	cckgcf.exe	cckgcf.exe
PID 1216 wrote to memory of 584	1216	cckgcf.exe	cckgcf.exe
PID 1216 wrote to memory of 584	1216	cckgcf.exe	cckgcf.exe
PID 1216 wrote to memory of 584	1216	cckgcf.exe	cckgcf.exe

C:\Users\Admin\AppData\Local\Temp\nanocore_Rat.exe
"C:\Users\Admin\AppData\Local\Temp\nanocore_Rat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\cckgcf.exe
C:\Users\Admin\AppData\Local\Temp\cckgcf.exe C:\Users\Admin\AppData\Local\Temp\cmdkuqqy
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\cckgcf.exe
C:\Users\Admin\AppData\Local\Temp\cckgcf.exe C:\Users\Admin\AppData\Local\Temp\cmdkuqqy
3⤵
PID:584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cckgcf.exe
Filesize
5KB

MD5
dd04fd2c65e2561e96927755e4a99230

SHA1
3f0f1ef468f069800486ea75a611809448154f10

SHA256
43c6e4972eab4de64e6d2be141e455f31babf74cfe442de40c13e8d6ee058bdf

SHA512
9695d8deaff376946c18dcdcfc76f5afefaef0d77652038494f34d453164b7b2a494fd70fc4bb040159bfb20f71c38c688d6017648f77abeeacc81e4b06017e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cckgcf.exe
Filesize
5KB

MD5
dd04fd2c65e2561e96927755e4a99230

SHA1
3f0f1ef468f069800486ea75a611809448154f10

SHA256
43c6e4972eab4de64e6d2be141e455f31babf74cfe442de40c13e8d6ee058bdf

SHA512
9695d8deaff376946c18dcdcfc76f5afefaef0d77652038494f34d453164b7b2a494fd70fc4bb040159bfb20f71c38c688d6017648f77abeeacc81e4b06017e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmdkuqqy
Filesize
7KB

MD5
ac7419c6c40074623f4083e654ed7790

SHA1
b6522164421b8cfc9c1fd1d269f952e98f476df0

SHA256
f3995d4ba646360c2fd6605e9a16c15f780256530aad47626f81773490562fd9

SHA512
21e5747df69abc6f86120e982232e8c69f5cbbaf6ffe2e393c3ad01f7866a313ad771b3886bc4c2aafc266ceb425054e179e6ef76ca4db434c107920a4909b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ka9zcqw3l6l48a1uuba
Filesize
271KB

MD5
299939960e34a642d9cc55ea0b438352

SHA1
dd3e21dcb96ca1f9602b451ef4b9fcc507c1a540

SHA256
376c0209b512f2acd6fa2b02dbc2e247834681a8ab7767d2d19978441f163921

SHA512
d0f192d1e36d22c328c7c23639b127579f6e38d4c5077e3a2b6eaf4ff6608a5f66456d59b459fa4d97d33bbc1dc0701bcfc428baec152e5d0dd2dcddbfe162a3

Download Submit
\Users\Admin\AppData\Local\Temp\cckgcf.exe
Filesize
5KB

MD5
dd04fd2c65e2561e96927755e4a99230

SHA1
3f0f1ef468f069800486ea75a611809448154f10

SHA256
43c6e4972eab4de64e6d2be141e455f31babf74cfe442de40c13e8d6ee058bdf

SHA512
9695d8deaff376946c18dcdcfc76f5afefaef0d77652038494f34d453164b7b2a494fd70fc4bb040159bfb20f71c38c688d6017648f77abeeacc81e4b06017e7

Download Submit
\Users\Admin\AppData\Local\Temp\cckgcf.exe
Filesize
5KB

MD5
dd04fd2c65e2561e96927755e4a99230

SHA1
3f0f1ef468f069800486ea75a611809448154f10

SHA256
43c6e4972eab4de64e6d2be141e455f31babf74cfe442de40c13e8d6ee058bdf

SHA512
9695d8deaff376946c18dcdcfc76f5afefaef0d77652038494f34d453164b7b2a494fd70fc4bb040159bfb20f71c38c688d6017648f77abeeacc81e4b06017e7

Download Submit