Overview

overview

10

Static

static

Doc#662020...53.exe

windows7_x64

10

Doc#662020...53.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    12-01-2021 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc#6620200947535257653.exe

  • Size

    5.2MB

  • MD5

    6618b8298100d5fb25d23b498a33d492

  • SHA1

    bd61a9c97e54b031ae4eaeb7f69f2006454e1edc

  • SHA256

    96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a

  • SHA512

    0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.157.160.233:2212

annapro.linkpc.net:2212
Mutex

5c958888-f81c-42a4-939d-31983a2cd9ba

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    annapro.linkpc.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-10-24T06:39:59.095270636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2212

  • default_group

    wuzzy122

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    5c958888-f81c-42a4-939d-31983a2cd9ba

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    185.157.160.233

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Executes dropped EXE 4 IoCs
  • Drops startup file 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc#6620200947535257653.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc#6620200947535257653.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe
      "C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1788
      • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
        "C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
          "C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2828

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ffgfhfjftdghghrghse.exe.log
    MD5

    e555c48cb712a9597ecb55a60135d1f8

    SHA1

    2081c72d30c34ec3f61f9944545ecdaae11521f7

    SHA256

    815c80df060afa8acf7640ca011735ef77c66666d03901e04a8767827d5da4e9

    SHA512

    32129b5be15217e5400f1e7536270a703d62db60ebb06396b9d74703e6a0dcd2e78f7f42b2019093be1508a9310912f305b88de274a295c9135a4086cd8c8427

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
    MD5

    e55de6bbfb86c5ec43474ce47781722d

    SHA1

    1fc2299151462b35b61a02b453f5af8680aba578

    SHA256

    dca7456ceaec5e40b131400bb8b508d7734437d1015461589e11f1a051502d62

    SHA512

    c8054358af71838bb243136b1920d5dc8cfd302de68fc732e1b166389fa34be626f7ad539e67c8152dd905f5aa38c846df8389f2a1679ced492eb03f7ca20816

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
    MD5

    7dc86a799aa0c5cfaf0542656ac5cef0

    SHA1

    3efaf6d7cbcfe3306099bd2ce9985a1d02d3361f

    SHA256

    6544f2c00e5a487e6f0b6bbc8a0428ce86aa6e04962b59f8bede34cd8e5d3835

    SHA512

    4d0e4b91189173292d098b54431edeb4de729b10ce413124b3c41fab7c67c99b3f6d51da156d05766b6da6c53f108fba26e60501818a94c8de0a9e08ea4d93f6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
    MD5

    7a388ba689441f2560228f4480579151

    SHA1

    f0176948f7beecb02ab26e1dd12b73479971c56b

    SHA256

    3c06e8670c56e4da5e068eadba36783300b2ebd5108c92d65a8fbac98cd7238b

    SHA512

    974633bd1ae09e21342650d02da36db457bed6b818928a81350bb2c3c945ca989c29812d4d9590e6077850a058916671727b70aa1eee8addab59b3c41e01953c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe
    MD5

    6618b8298100d5fb25d23b498a33d492

    SHA1

    bd61a9c97e54b031ae4eaeb7f69f2006454e1edc

    SHA256

    96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a

    SHA512

    0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\gjhgkuytgkgfgd.exe
    MD5

    6618b8298100d5fb25d23b498a33d492

    SHA1

    bd61a9c97e54b031ae4eaeb7f69f2006454e1edc

    SHA256

    96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a

    SHA512

    0bfacd251083ebb01be36b37c18237954fca2e87532e0e2b63560fb259167e7365416ce6a573cf1fb31f8fbea40fd824c110ccb929bfa925852c1225ef5812a7

    Download Submit
  • memory/508-8-0x0000000007D10000-0x0000000007D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-7-0x0000000005380000-0x0000000005381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-6-0x0000000005350000-0x000000000536E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/508-5-0x0000000005400000-0x0000000005401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-3-0x00000000006D0000-0x00000000006D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-2-0x0000000073520000-0x0000000073C0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1788-25-0x0000000073520000-0x0000000073C0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1788-31-0x00000000054B0000-0x00000000054B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1788-32-0x00000000055D0000-0x00000000055D5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1788-33-0x00000000057C0000-0x00000000057D9000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1788-21-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1788-28-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1788-22-0x000000000041E792-mapping.dmp
    Download
  • memory/1788-37-0x0000000005AC0000-0x0000000005AC3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2140-39-0x0000000000560000-0x0000000000561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2140-38-0x0000000073520000-0x0000000073C0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2140-34-0x0000000000000000-mapping.dmp
    Download
  • memory/2828-44-0x0000000000000000-mapping.dmp
    Download
  • memory/2828-47-0x0000000073520000-0x0000000073C0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3968-20-0x0000000001AC0000-0x0000000001AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3968-19-0x0000000005A00000-0x0000000005A0B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3968-12-0x0000000073520000-0x0000000073C0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3968-9-0x0000000000000000-mapping.dmp
    Download