General
-
Target
shipping order.exe
-
Size
2.7MB
-
Sample
210108-tq4es9es1e
-
MD5
b87925c7eb04ed03b7d1b9a5a39358d8
-
SHA1
cff199d7a3b2ecb1d5a6c2ba48de92901789cfda
-
SHA256
8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130
-
SHA512
0e9acf9fde99fc48dda2c878474d53716f4d574b2e488b4a80b96a9692f97a620efe9e14c7e1ab5c74c85808d2d38ef465cb489e210d0fe92dc1a3e6b35cf128
Malware Config
Extracted
nanocore
1.2.2.0
1.ispnano.dns-cloud.net:10004
db5d3893-53a7-40c5-9e07-c472ba23289f
-
activate_away_mode
true
-
backup_connection_host
1.ispnano.dns-cloud.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-10-19T23:27:30.974613536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
10004
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
db5d3893-53a7-40c5-9e07-c472ba23289f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
1.ispnano.dns-cloud.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Targets
-
-
Target
shipping order.exe
-
Size
2.7MB
-
MD5
b87925c7eb04ed03b7d1b9a5a39358d8
-
SHA1
cff199d7a3b2ecb1d5a6c2ba48de92901789cfda
-
SHA256
8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130
-
SHA512
0e9acf9fde99fc48dda2c878474d53716f4d574b2e488b4a80b96a9692f97a620efe9e14c7e1ab5c74c85808d2d38ef465cb489e210d0fe92dc1a3e6b35cf128
Score10/10-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Windows security bypass
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Windows security modification
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Winlogon Helper DLL
1Modify Existing Service
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
5Disabling Security Tools
3Virtualization/Sandbox Evasion
2