Overview

overview

10

Static

static

nass.exe

windows7_x64

10

nass.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-06-2020 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nass.exe

  • Size

    710KB

  • MD5

    9430ffb97fd0940e0c6fcaa11d409202

  • SHA1

    17b3a43c427429aa84624ab6a7f21c3621cdc464

  • SHA256

    f1fddc0cfd9632772ba10b059d83a1bb34b01a81766e61804bc39ca3898c5211

  • SHA512

    eeadcb7f802d07d17a31648b23b732beaae11b5a9e35853af47e6d8f3d5f0f84ef3ceb621cf6e236bc1e5e6b6f18ce855446494ed548ceeeb26d9017b91d6b40

Score
10/10
persistenceevasiontrojankeyloggerstealerspywarenanocore

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

mogs20.hopto.org:1085

185.244.30.251:1085
Mutex

1c8e1b25-da1c-4b7f-872b-7991ecf830f7

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    185.244.30.251

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-03-26T22:47:50.934251036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1085

  • default_group

    ANGEL RAPHAEL

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    1c8e1b25-da1c-4b7f-872b-7991ecf830f7

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    mogs20.hopto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Suspicious use of SetThreadContext 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Adds Run entry to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 93 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 628 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan

Processes

  • C:\Users\Admin\AppData\Local\Temp\nass.exe
    "C:\Users\Admin\AppData\Local\Temp\nass.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Adds Run entry to start application
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    • Suspicious behavior: EnumeratesProcesses
    PID:1152
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:1056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: GetForegroundWindowSpam
        • Checks whether UAC is enabled
        PID:1060
      • C:\Users\Admin\AppData\Local\Temp\nass.exe
        "C:\Users\Admin\AppData\Local\Temp\nass.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Adds Run entry to start application
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: MapViewOfSection
        PID:1816
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
            PID:1784
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
              PID:1884
            • C:\Users\Admin\AppData\Local\Temp\nass.exe
              "C:\Users\Admin\AppData\Local\Temp\nass.exe"
              3⤵
              • Suspicious use of SetThreadContext
              • Suspicious use of AdjustPrivilegeToken
              • Adds Run entry to start application
              • Suspicious use of WriteProcessMemory
              • Suspicious behavior: MapViewOfSection
              PID:1912
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                4⤵
                  PID:1972
                • C:\Users\Admin\AppData\Local\Temp\nass.exe
                  "C:\Users\Admin\AppData\Local\Temp\nass.exe"
                  4⤵
                  • Suspicious use of SetThreadContext
                  • Suspicious use of AdjustPrivilegeToken
                  • Adds Run entry to start application
                  • Suspicious use of WriteProcessMemory
                  • Suspicious behavior: MapViewOfSection
                  PID:1348
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    5⤵
                      PID:1852
                    • C:\Users\Admin\AppData\Local\Temp\nass.exe
                      "C:\Users\Admin\AppData\Local\Temp\nass.exe"
                      5⤵
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      • Adds Run entry to start application
                      • Suspicious use of WriteProcessMemory
                      • Suspicious behavior: MapViewOfSection
                      PID:1572
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                        6⤵
                          PID:1676
                        • C:\Users\Admin\AppData\Local\Temp\nass.exe
                          "C:\Users\Admin\AppData\Local\Temp\nass.exe"
                          6⤵
                          • Suspicious use of SetThreadContext
                          • Suspicious use of AdjustPrivilegeToken
                          • Adds Run entry to start application
                          • Suspicious behavior: MapViewOfSection
                          PID:864
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                            7⤵
                              PID:1400
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                              7⤵
                                PID:1344
                              • C:\Users\Admin\AppData\Local\Temp\nass.exe
                                "C:\Users\Admin\AppData\Local\Temp\nass.exe"
                                7⤵
                                  PID:284

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    System Information Discovery

                    1
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/284-29-0x0000000000000000-mapping.dmp
                      Download
                    • memory/864-24-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1060-1-0x000000000041E792-mapping.dmp
                      Download
                    • memory/1060-2-0x0000000000400000-0x000000000047E000-memory.dmp
                      Filesize

                      504KB

                      Download
                    • memory/1060-3-0x0000000000400000-0x000000000047E000-memory.dmp
                      Filesize

                      504KB

                      Download
                    • memory/1060-0-0x0000000000400000-0x000000000047E000-memory.dmp
                      Filesize

                      504KB

                      Download
                    • memory/1344-26-0x000000000041E792-mapping.dmp
                      Download
                    • memory/1348-14-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1572-19-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1676-21-0x000000000041E792-mapping.dmp
                      Download
                    • memory/1816-4-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1852-16-0x000000000041E792-mapping.dmp
                      Download
                    • memory/1884-6-0x000000000041E792-mapping.dmp
                      Download
                    • memory/1912-9-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1972-11-0x000000000041E792-mapping.dmp
                      Download