Overview

overview

10

Static

static

Doc#662020...53.exe

windows7_x64

10

Doc#662020...53.exe

windows10_x64

10

Analysis

  • max time kernel
    134s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    12-01-2021 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc#6620200947535257653.exe

  • Size

    5.2MB

  • MD5

    6618b8298100d5fb25d23b498a33d492

  • SHA1

    bd61a9c97e54b031ae4eaeb7f69f2006454e1edc

  • SHA256

    96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a

  • SHA512

    0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.157.160.233:2212

annapro.linkpc.net:2212
Mutex

5c958888-f81c-42a4-939d-31983a2cd9ba

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    annapro.linkpc.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-10-24T06:39:59.095270636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2212

  • default_group

    wuzzy122

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    5c958888-f81c-42a4-939d-31983a2cd9ba

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    185.157.160.233

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Executes dropped EXE 4 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc#6620200947535257653.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc#6620200947535257653.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe
      "C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:544
      • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
        "C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1824
        • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
          "C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
    MD5

    ca16327c8cedc82b3aadc44706b23ca6

    SHA1

    2b15c792ff4d2c73e13ffdc956059906a5c27a63

    SHA256

    200b5a83dbb9fa0487a2275bda9fa288862c3cc0a51ff81035b39fcb4d66c4d6

    SHA512

    f4cd406117ef3ee6f475dfd09e442e122f9afc4688b8898790ea8aa38274c29581f4b6eae0514f3a0ec4dbbf7d3abbf5ca0483d052eecd4315d8f0bec57a2be1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
    MD5

    88738aed207d661a0219753cf8e9009f

    SHA1

    7e98a3e93072eb1912ff00278ac6ba7f5c2bcdf1

    SHA256

    83b4a005bb203ee5e2bed41d4dc8e89e7a0628502fdf4ff8641fcbb7b0510d0f

    SHA512

    f2833c0303ae1649bfd09d4ee27163e003bb73e38f423cdade298421ef8fcccaaa4d1640b45549f8ce305481f01a77bfd5eb5f9a98fe86d7092b95308ec9f30c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
    MD5

    00e3a17b690d9bf0636dda66dfd9960e

    SHA1

    18b16850e1e9e275176221f8ec478d134a379a0c

    SHA256

    698e81e0be3b81787966bde4a7591290b6ab5ed5511a0b3aa27d6b7a629cfbbf

    SHA512

    16f64d99ea5b3bd13de190b5d45b57579228536c939c16d80c83786de60eb86280541b1a47eca613296366c050872c40c8f0fcca167a96d9425c567b1cf12134

    Download Submit
  • C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe
    MD5

    6618b8298100d5fb25d23b498a33d492

    SHA1

    bd61a9c97e54b031ae4eaeb7f69f2006454e1edc

    SHA256

    96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a

    SHA512

    0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe
    MD5

    6618b8298100d5fb25d23b498a33d492

    SHA1

    bd61a9c97e54b031ae4eaeb7f69f2006454e1edc

    SHA256

    96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a

    SHA512

    0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • \Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe
    MD5

    6618b8298100d5fb25d23b498a33d492

    SHA1

    bd61a9c97e54b031ae4eaeb7f69f2006454e1edc

    SHA256

    96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a

    SHA512

    0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7

    Download Submit
  • memory/544-30-0x00000000003F0000-0x00000000003F3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/544-21-0x000000000041E792-mapping.dmp
    Download
  • memory/544-20-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/544-23-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/544-24-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/544-25-0x0000000073C60000-0x000000007434E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/544-28-0x0000000000240000-0x0000000000245000-memory.dmp
    Filesize

    20KB

    Download
  • memory/544-29-0x0000000000440000-0x0000000000459000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1048-2-0x0000000073C60000-0x000000007434E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1048-6-0x00000000004E0000-0x00000000004E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1048-5-0x0000000000470000-0x000000000048E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1048-3-0x0000000000B90000-0x0000000000B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-12-0x0000000001360000-0x0000000001361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-17-0x0000000000320000-0x0000000000321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-16-0x00000000005D0000-0x00000000005DB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1728-11-0x0000000073C60000-0x000000007434E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1728-8-0x0000000000000000-mapping.dmp
    Download
  • memory/1824-35-0x0000000073C60000-0x000000007434E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1824-36-0x0000000001160000-0x0000000001161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1824-32-0x0000000000000000-mapping.dmp
    Download
  • memory/1836-40-0x0000000000000000-mapping.dmp
    Download
  • memory/1836-42-0x0000000073C60000-0x000000007434E000-memory.dmp
    Filesize

    6.9MB

    Download