Analysis
max time kernel: 91s
max time network: 93s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 10-04-2023 14:33
General
Target: NanoCore.exe
Size: 1.1MB
MD5: e4aeb7b31d677a5a9a58a4762fab1321
SHA1: a5e7279b6d59236296031ff87976e33fbd8cf34d
SHA256: 1111f013a010a57a6739a8d4d0891728547cbbf80e45e77369a05d3423a28915
SHA512: 964dda5030a54493aeebb8b478a76ccd98456184224332e66d5b693d311c83da11c360355c8d73e539ebc7b6ed0d0d2e78f65eef0f75d48c64a63cf10411e1fa
SSDEEP: 24576:sdZ1xuVVjfFoynPaVBUR8f+kN10EBIQXiClSI5tIkjh:snQDgok30Edb
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): IDMAN
C2: arrivals.ddns.net:2323
Mutex: DC_MUTEX-391X2ZJ
Attributes:
InstallPath: MSDCSC\IDMAN.exe
gencode: CUWbhGwmWBMb
install: true
offline_keylogger: true
persistence: true
reg_key: IDMAN

The submitted file is named NanoCore.exe, but the only configuration recovered is a DarkComet one, carried by the dropped CRACKED.EXE / IDMAN.exe payload (MSDCSC is DarkComet's default install directory and DC_MUTEX-* its mutex prefix). No configuration was extracted for the separately dropped NANOCORE.EXE. The C2 is a dynamic-DNS hostname, so block and hunt on the hostname rather than on whatever IP it resolved to at submission time.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: CRACKED.EXE (pid 2960)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"
Appending a path to UserInit makes Winlogon start it at every interactive logon, before the shell. The key lives under HKLM, so the write only succeeds because the sandbox runs the sample as an administrator; without elevation only the per-user Run value below would persist.

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: IDMAN.exe (pid 4120)
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 0
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = 0
StandardProfile is the local policy store for the private firewall profile; EnableFirewall = 0 switches that profile off. This is another HKLM write that needs administrator rights.

Executes dropped EXE (3 IoCs)
pid 2960 CRACKED.EXE, pid 4068 NANOCORE.EXE, pid 4120 IDMAN.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: CRACKED.EXE (pid 2960), then IDMAN.exe (pid 4120)
Set value (str) \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMAN = "C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"
The same value is written twice: first by the dropper-stage CRACKED.EXE, then re-asserted by the installed copy IDMAN.exe. The value name IDMAN matches reg_key in the extracted config.

Drops file in Windows directory (2 IoCs)
Process: taskmgr.exe (pid 3516)
File created C:\Windows\rescache\_merged\4183903823\810424605.pri
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri
taskmgr.exe is a top-level process the sandbox started itself (see the process tree below), and these resource-cache files are Task Manager's own; this is environment noise, not sample behaviour.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No process is attributed to this signature in the report, and the "ransomware" wording is the signature's generic description rather than an observation: the recovered configuration identifies the payload as the DarkComet RAT.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process: taskmgr.exe (pid 3516)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
Again attributed only to the sandbox's own taskmgr.exe, which reads disk names for its Performance tab; no sample process touched these keys.

Suspicious behavior: EnumeratesProcesses (19 IoCs)
taskmgr.exe (pid 3516) x17, dw20.exe (pid 1488) x2. Both are expected: Task Manager lists processes, and dw20.exe is the .NET error-reporting helper collecting crash context.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
IDMAN.exe (pid 4120). Repeated GetForegroundWindow calls are consistent with offline_keylogger = true in the config: a keylogger polls the active window to label captured keystrokes with the window title.

Suspicious use of AdjustPrivilegeToken (53 IoCs)
CRACKED.EXE (pid 2960) and IDMAN.exe (pid 4120) each enable the same 24 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privilege LUIDs 33, 34, 35 and 36 that the sandbox did not resolve to names.
taskmgr.exe (pid 3516): SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege.
Enabling every privilege present in the token is an "enable all" routine rather than a targeted escalation; the sample only obtains them because it already runs under an elevated administrator token. SeDebugPrivilege is the one that matters for the cross-process writes below.

Suspicious use of FindShellTrayWindow (44 IoCs)
taskmgr.exe (pid 3516) x43, dw20.exe (pid 1488) x1. GUI noise from the sandbox's Task Manager and the crash reporter.

Suspicious use of SendNotifyMessage (42 IoCs)
taskmgr.exe (pid 3516) x42. Same GUI noise.

Suspicious use of SetWindowsHookEx (1 IoC)
IDMAN.exe (pid 4120). Consistent with a keyboard hook for the keylogger component; the report does not record the hook type.

Suspicious use of WriteProcessMemory (32 IoCs)
NanoCore.exe (pid 2464) -> CRACKED.EXE (pid 2960): 3 writes
NanoCore.exe (pid 2464) -> NANOCORE.EXE (pid 4068): 2 writes
CRACKED.EXE (pid 2960) -> IDMAN.exe (pid 4120): 3 writes
IDMAN.exe (pid 4120) -> notepad.exe (pid 3060): 22 writes
NANOCORE.EXE (pid 4068) -> dw20.exe (pid 1488): 2 writes
Two or three writes from a parent into a child it has just created are normal CreateProcess behaviour that the sandbox's hook reports as WriteProcessMemory. The 22 writes from IDMAN.exe into a freshly started, argument-less notepad.exe are the outlier and are consistent with code injection into a sacrificial host process.
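The three registry writes above (the UserInit append, the Run value under the user's hive and the EnableFirewall = 0 write) are the durable host indicators in this report. The Python below is an added example, not part of the sandbox output or of the sample, showing how a detection keys on them generically rather than on the literal IDMAN name: it takes registry value-set records in the shape of a Sysmon Event ID 13 and flags any UserInit entry other than the system userinit.exe, Run values that point into a user profile's AppData, and a firewall profile's EnableFirewall set to 0. The first three sample records are copied from the IoCs above; the two benign records and the image names on them are constructed. The ATT&CK IDs in the output are the current sub-technique numbers, not the v6 numbering the page's matrix uses.

```python
import re

# Registry "value set" records in the shape Sysmon Event ID 13 produces
# (image, target object, details). Records 0-2 are the writes listed in the
# report above; records 3-4 are constructed benign baselines.
SAMPLE_EVENTS = [
    {"image": "CRACKED.EXE",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"},
    {"image": "CRACKED.EXE",
     "target": r"HKU\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMAN",
     "details": r"C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"},
    {"image": "IDMAN.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "details": "DWORD (0x00000000)"},
    # Constructed: the default UserInit value, trailing comma included.
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "details": r"C:\Windows\system32\userinit.exe,"},
    # Constructed: a Run value pointing outside any user profile (hypothetical product).
    {"image": r"C:\Program Files\Example\setup.exe",
     "target": r"HKU\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\Example",
     "details": r"C:\Program Files\Example\tray.exe"},
]

USERINIT_RE = re.compile(r"\\Winlogon\\UserInit$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
FIREWALL_RE = re.compile(r"\\FirewallPolicy\\(Domain|Standard|Public)Profile\\EnableFirewall$", re.I)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\Users\\[^\\]+\\AppData\\", re.I)
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_dword(details):
    """Sysmon renders REG_DWORD as 'DWORD (0x...)'; return the integer or None."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def userinit_entries(details):
    """Split the comma-separated UserInit list, dropping quotes, case and empties."""
    return [e.strip().strip('"').lower() for e in details.split(",") if e.strip()]


def check_event(ev):
    """Return (technique id, message) for a suspicious write, else None."""
    target, details = ev["target"], ev["details"]
    if USERINIT_RE.search(target):
        extra = [e for e in userinit_entries(details) if e != EXPECTED_USERINIT]
        if extra:
            return ("T1547.004", f"{ev['image']} appended to Winlogon UserInit: {extra}")
        return None
    if RUN_KEY_RE.search(target) and USER_PROFILE_RE.match(details.strip().strip('"')):
        return ("T1547.001", f"{ev['image']} set a Run value pointing into a user profile: {details}")
    if FIREWALL_RE.search(target) and parse_dword(details) == 0:
        return ("T1562.004", f"{ev['image']} disabled the firewall profile at {target}")
    return None


def scan(events):
    """Run every record through check_event; return (index, technique, message) hits."""
    findings = []
    for idx, ev in enumerate(events):
        hit = check_event(ev)
        if hit:
            findings.append((idx,) + hit)
    return findings


if __name__ == "__main__":
    for idx, technique, msg in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} {msg}")
```

The UserInit rule compares each list entry against the expected system path instead of matching on "IDMAN", so a renamed build of the same sample still fires, while a legitimate rewrite of the default value (record 3) does not. Feeding real Sysmon data in means mapping the EventData fields Image, TargetObject and Details onto the three keys used here.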
Processes
(indentation shows parent/child depth; pids are taken from the signatures above)

C:\Users\Admin\AppData\Local\Temp\NanoCore.exe (pid 2464)
command line: "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\CRACKED.EXE (pid 2960)
  command line: "C:\Users\Admin\AppData\Roaming\CRACKED.EXE"
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe (pid 4120)
    command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe"
    - Modifies firewall policy service
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\notepad.exe (pid 3060)
      command line: notepad
      (started with no arguments and the target of 22 cross-process writes from IDMAN.exe; the 32-bit notepad under SysWOW64 is what a 32-bit process gets when it launches "notepad" through file-system redirection)
  C:\Users\Admin\AppData\Roaming\NANOCORE.EXE (pid 4068)
  command line: "C:\Users\Admin\AppData\Roaming\NANOCORE.EXE"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (pid 1488)
    command line: dw20.exe -x -s 1036
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    (dw20.exe is the .NET Framework error-reporting helper that the runtime launches on an unhandled exception, so NANOCORE.EXE most likely crashed in this environment instead of running its payload, which would also explain why no NanoCore configuration was extracted)

C:\Windows\system32\taskmgr.exe (pid 3516)
command line: "C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
(top-level process started by the sandbox, not by the sample; its signatures are environment noise)
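To separate the process-creation noise in the WriteProcessMemory signature from the actual injection, the writes can be scored per (source, target) pair against the process tree. The Python below is an added example, not sandbox code: PROCS is the tree above reduced to pid, image path and parent, and WRITES repeats each pair as often as the signature lists it. Writes from a parent into its own child that stay within the few a CreateProcess makes are labelled creation noise; a larger number of writes from a binary in a user profile into a Windows system binary is labelled an injection candidate. The creation_noise threshold of 3 is an assumption taken from this report, not a general constant.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Process table reconstructed from the tree above: pid -> (image path, parent pid).
PROCS = {
    2464: (r"C:\Users\Admin\AppData\Local\Temp\NanoCore.exe", None),
    2960: (r"C:\Users\Admin\AppData\Roaming\CRACKED.EXE", 2464),
    4068: (r"C:\Users\Admin\AppData\Roaming\NANOCORE.EXE", 2464),
    4120: (r"C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe", 2960),
    3060: (r"C:\Windows\SysWOW64\notepad.exe", 4120),
    1488: (r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe", 4068),
    3516: (r"C:\Windows\system32\taskmgr.exe", None),
}

# (source pid, target pid) for each of the 32 WriteProcessMemory IoCs, built by
# repeating each pair as many times as the signature lists it.
WRITES = ([(2464, 2960)] * 3 + [(2464, 4068)] * 2 + [(2960, 4120)] * 3
          + [(4120, 3060)] * 22 + [(4068, 1488)] * 2)

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\microsoft.net")
USER_DIRS = (r"c:\users",)


def is_under(path, prefixes):
    """Case-insensitive prefix test on a normalised Windows path."""
    p = str(PureWindowsPath(path)).lower()
    return any(p.startswith(prefix) for prefix in prefixes)


def classify_writes(writes, procs, creation_noise=3):
    """Group writes by (src, dst) and label each pair.

    creation-noise: dst is src's own child and the count is within what
                    CreateProcess itself produces (assumed <= creation_noise).
    injection-candidate: src lives in a user profile, dst is a Windows system
                    binary, and the write count exceeds creation noise.
    review: anything else.
    """
    findings = []
    for (src, dst), n in Counter(writes).items():
        src_img, _ = procs[src]
        dst_img, dst_parent = procs[dst]
        if dst_parent == src and n <= creation_noise:
            label = "creation-noise"
        elif is_under(src_img, USER_DIRS) and is_under(dst_img, SYSTEM_DIRS):
            label = "injection-candidate"
        else:
            label = "review"
        findings.append({"src": src, "dst": dst, "count": n, "label": label,
                         "src_image": src_img, "dst_image": dst_img})
    return findings


def injection_candidates(writes=WRITES, procs=PROCS):
    """Only the pairs worth pulling memory dumps for."""
    return [f for f in classify_writes(writes, procs) if f["label"] == "injection-candidate"]


def ancestry(pid, procs):
    """Image basenames from the root of the tree down to pid."""
    chain = []
    while pid is not None:
        img, parent = procs[pid]
        chain.append(PureWindowsPath(img).name)
        pid = parent
    return chain[::-1]


if __name__ == "__main__":
    for f in classify_writes(WRITES, PROCS):
        print(f"{f['label']:20} {f['src']}->{f['dst']} x{f['count']}  "
              f"{PureWindowsPath(f['src_image']).name} -> {PureWindowsPath(f['dst_image']).name}")
    for f in injection_candidates():
        print("chain:", " > ".join(ancestry(f["dst"], PROCS)))
```

On this report the only injection candidate is IDMAN.exe -> notepad.exe with 22 writes, and its ancestry chain NanoCore.exe > CRACKED.EXE > IDMAN.exe > notepad.exe is the lineage to carve out of an EDR timeline; the parent-to-child pairs with two or three writes all fall into creation noise, including NANOCORE.EXE's writes into its crash reporter dw20.exe.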
Downloads

C:\Users\Admin\AppData\Roaming\CRACKED.EXE
Filesize: 659KB
MD5: 94c5b3199414b8fca9f134724acdd88e
SHA1: 6c95291364476fc10c4e343120225dae72d11233
SHA256: dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA512: 5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1

C:\Users\Admin\AppData\Roaming\MSDCSC\IDMAN.exe
Filesize: 659KB
MD5: 94c5b3199414b8fca9f134724acdd88e
SHA1: 6c95291364476fc10c4e343120225dae72d11233
SHA256: dacd09444e389359d406450312e5fe66a2eb62c5c03948c8e7890303a43ee536
SHA512: 5fdbaf9ede009cbfdb13a92ba5c409b1a590b1bc1ddccec45c551deb5e7b7f9ecc57ed0dd1a66c7a38666bd5eb2cab9fc52a18056a5e676c292bab871aa343e1
(identical hashes to CRACKED.EXE: IDMAN.exe is a byte-for-byte copy written to the InstallPath from the config, so one file hash covers both the staging and the installed copy)

C:\Users\Admin\AppData\Roaming\NANOCORE.EXE
Filesize: 403KB
MD5: d902fb22b92a7455eeac95712e9c2179
SHA1: 8e4e0d0965055517c1ddef8442cf74c4f3d700af
SHA256: 58f962401b52e043325cec66d88ad73032165cd0b8c3de1ec95292d83416b81f
SHA512: d097b22e30c20322c30f464dabf5bffeedc3e3728b82911db5f3ba79735915a3bb0fbc4bce65a153f665dc5e04ba93b6000d4230f8610bd17dbe3d625dff4269
Memory dumps (dump id: address range, size)
memory/2960-139: 0x0000000002230000-0x0000000002231000, 4KB
memory/2960-145: 0x0000000000400000-0x00000000004B2000, 712KB
memory/3060-142: 0x00000000033C0000-0x00000000033C1000, 4KB
memory/4068-135: 0x00000000006E0000-0x000000000074C000, 432KB
memory/4068-140: 0x000000001B670000-0x000000001B716000, 664KB
memory/4068-141: 0x0000000000C00000-0x0000000000C10000, 64KB
memory/4068-143: 0x000000001BBF0000-0x000000001C0BE000, 4.8MB
memory/4068-144: 0x000000001C160000-0x000000001C1FC000, 624KB
memory/4068-149: 0x0000000000CB0000-0x0000000000CB8000, 32KB
memory/4068-151: 0x000000001C380000-0x000000001C3CC000, 304KB
memory/4068-159: 0x0000000000C00000-0x0000000000C10000, 64KB
memory/4120-146: 0x0000000000560000-0x0000000000561000, 4KB
memory/4120-158: 0x0000000000400000-0x00000000004B2000, 712KB
memory/4120-162: 0x0000000000400000-0x00000000004B2000, 712KB
memory/4120-163: 0x0000000000400000-0x00000000004B2000, 712KB
memory/4120-164: 0x0000000000400000-0x00000000004B2000, 712KB
memory/4120-165: 0x0000000000400000-0x00000000004B2000, 712KB
memory/4120-166: 0x0000000000400000-0x00000000004B2000, 712KB
memory/4120-167: 0x0000000000400000-0x00000000004B2000, 712KB
memory/4120-168: 0x0000000000400000-0x00000000004B2000, 712KB

The 712KB region at 0x00400000 in pid 2960 (CRACKED.EXE) and pid 4120 (IDMAN.exe) is the main image of the DarkComet payload, the same binary in both processes; loading at the classic 0x00400000 base suggests the image was built without ASLR (no DYNAMICBASE). The repeated dumps of that range from pid 4120 are successive snapshots over the run and are the ones to diff for an unpacked or decrypted configuration. Pid 4068 is NANOCORE.EXE under the 64-bit .NET runtime (its crash handler came from Framework64), and the 4KB region from pid 3060 is memory in notepad.exe, the target of IDMAN.exe's cross-process writes.