Overview

overview

10

Static

static

IMG_0005_2020.exe

windows7_x64

10

IMG_0005_2020.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    13-07-2020 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_0005_2020.exe

  • Size

    968KB

  • MD5

    d74a9763b4943ad54b0daefa5287709b

  • SHA1

    1675428f1f56ec47e93c2cea80b137d4d7f8a9ec

  • SHA256

    d1d26e5c1f43753746f62ef30a1ceaeb9c1309893999ffde6d1371db4e82ada8

  • SHA512

    bc17173959faf0b7fa4d175237261f6a5a38d52512cffd072e81f8460d9cda3a413848df749a8c85d80f0ca2bf459fee1b2798971c71b4ffe286027121a7c143

Score
10/10
evasiontrojankeyloggerstealerspywarenanocore

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

urualla.duckdns.org:3999

urualla3.duckdns.org:3999
Mutex

d15035f6-d9d3-4e8b-9141-2ca7d3ee51bb

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    urualla3.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2019-11-15T10:43:13.463487336Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3999

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    d15035f6-d9d3-4e8b-9141-2ca7d3ee51bb

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    urualla.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NTFS ADS 1 IoCs
  • Drops startup file 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2708 IoCs
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG_0005_2020.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_0005_2020.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • NTFS ADS
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Users\Admin\AppData\Roaming\startup\skype.exe
        "C:\Users\Admin\AppData\Roaming\startup\skype.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: MapViewOfSection
        PID:904
        • C:\Users\Admin\AppData\Roaming\startup\skype.exe
          "C:\Users\Admin\AppData\Roaming\startup\skype.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Checks whether UAC is enabled
          PID:688
        • C:\Users\Admin\AppData\Roaming\startup\skype.exe
          "C:\Users\Admin\AppData\Roaming\startup\skype.exe" 2 688 116031
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Executes dropped EXE
          PID:1036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\startup\skype.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\startup\skype.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\startup\skype.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\startup\skype.exe
    Download Submit
  • memory/688-4-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/688-5-0x000000000047D4B0-mapping.dmp
    Download
  • memory/688-8-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/688-10-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/688-11-0x0000000002110000-0x0000000002148000-memory.dmp
    Filesize

    224KB

    Download
  • memory/816-0-0x0000000000000000-mapping.dmp
    Download
  • memory/904-1-0x0000000000000000-mapping.dmp
    Download
  • memory/1036-6-0x0000000000000000-mapping.dmp
    Download