Overview

overview

10

Static

static

shipping order#.scr

windows7_x64

10

shipping order#.scr

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-01-2021 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipping order#.scr

  • Size

    2.7MB

  • MD5

    a916070df947a28ea73074c080189d35

  • SHA1

    2c4215352fecfbd74b596f1125177f54cd010a4b

  • SHA256

    b657538bf8bc1aca7ca8e7e02f1c5a39cbc8bc343bf7c5ebfe026f6dcc02fe32

  • SHA512

    3d5b554c97d6a093f6ce94b8c5d681438f5f4b74df391468e8adf36a7ab2b599b0ee49dcf7c57fb9aab03509d3f6a07747d94e05929eaaf627aa18d170abfc4e

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

1.ispnano.dns-cloud.net:10004

Mutex

db5d3893-53a7-40c5-9e07-c472ba23289f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    1.ispnano.dns-cloud.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-10-19T23:27:30.974613536Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    10004

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    db5d3893-53a7-40c5-9e07-c472ba23289f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    1.ispnano.dns-cloud.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Program crash 1 IoCs
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipping order#.scr
    "C:\Users\Admin\AppData\Local\Temp\shipping order#.scr" /S
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3528
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shipping order#.scr" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping order#.scr" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:188
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3828
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3460
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2504
    • C:\Users\Admin\AppData\Local\Temp\shipping order#.scr
      "C:\Users\Admin\AppData\Local\Temp\shipping order#.scr"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 2324
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

5
T1112

Disabling Security Tools

3
T1089

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    51556769203492e9758a54e908140bfd

    SHA1

    4472c4c95e48e2e05cbd35b50ea2033fa07ae650

    SHA256

    49546043e6c763995da4226e47248700fbbf990455e8bf03ab2b425cebd78b40

    SHA512

    db7c3a335759e190185b134c4e354f0d39695be588604a1ad6315ca637cd1533a1773b7c5365d2c05193e7497d050cf513f66323d99233c373f610d1badbf70b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    51556769203492e9758a54e908140bfd

    SHA1

    4472c4c95e48e2e05cbd35b50ea2033fa07ae650

    SHA256

    49546043e6c763995da4226e47248700fbbf990455e8bf03ab2b425cebd78b40

    SHA512

    db7c3a335759e190185b134c4e354f0d39695be588604a1ad6315ca637cd1533a1773b7c5365d2c05193e7497d050cf513f66323d99233c373f610d1badbf70b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    51556769203492e9758a54e908140bfd

    SHA1

    4472c4c95e48e2e05cbd35b50ea2033fa07ae650

    SHA256

    49546043e6c763995da4226e47248700fbbf990455e8bf03ab2b425cebd78b40

    SHA512

    db7c3a335759e190185b134c4e354f0d39695be588604a1ad6315ca637cd1533a1773b7c5365d2c05193e7497d050cf513f66323d99233c373f610d1badbf70b

    Download Submit
  • memory/188-12-0x0000000000000000-mapping.dmp
    Download
  • memory/188-47-0x0000000008620000-0x0000000008621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/188-18-0x0000000073D50000-0x000000007443E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/188-102-0x0000000009700000-0x0000000009701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/188-43-0x0000000007BA0000-0x0000000007BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/528-7-0x0000000006040000-0x0000000006041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/528-8-0x0000000005B40000-0x0000000005B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/528-2-0x0000000073D50000-0x000000007443E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/528-6-0x0000000001A50000-0x0000000001A9F000-memory.dmp
    Filesize

    316KB

    Download
  • memory/528-5-0x00000000058D0000-0x00000000058D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/528-3-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1724-111-0x0000000004240000-0x0000000004241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1824-55-0x0000000000000000-mapping.dmp
    Download
  • memory/2276-37-0x0000000000000000-mapping.dmp
    Download
  • memory/2504-63-0x0000000000000000-mapping.dmp
    Download
  • memory/2840-13-0x0000000073D50000-0x000000007443E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2840-51-0x0000000008810000-0x0000000008811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2840-9-0x0000000000000000-mapping.dmp
    Download
  • memory/2840-19-0x00000000077E0000-0x00000000077E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2840-15-0x0000000004D60000-0x0000000004D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2916-42-0x0000000000000000-mapping.dmp
    Download
  • memory/2928-16-0x0000000073D50000-0x000000007443E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2928-38-0x00000000075A0000-0x00000000075A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2928-29-0x00000000072E0000-0x00000000072E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2928-25-0x0000000006BC0000-0x0000000006BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2928-11-0x0000000000000000-mapping.dmp
    Download
  • memory/2936-115-0x0000000005470000-0x0000000005475000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2936-116-0x0000000005480000-0x0000000005499000-memory.dmp
    Filesize

    100KB

    Download
  • memory/2936-100-0x000000000041E792-mapping.dmp
    Download
  • memory/2936-101-0x0000000073D50000-0x000000007443E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2936-117-0x00000000056D0000-0x00000000056D3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2936-109-0x0000000005330000-0x0000000005331000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2936-99-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/2936-114-0x00000000053D0000-0x00000000053D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3460-57-0x0000000000000000-mapping.dmp
    Download
  • memory/3528-64-0x00000000095F0000-0x0000000009623000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3528-91-0x00000000073C0000-0x00000000073C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3528-95-0x0000000009720000-0x0000000009721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3528-118-0x0000000009AB0000-0x0000000009AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3528-126-0x0000000009AA0000-0x0000000009AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3528-14-0x0000000073D50000-0x000000007443E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3528-10-0x0000000000000000-mapping.dmp
    Download
  • memory/3828-56-0x0000000000000000-mapping.dmp
    Download