Overview

overview

10

Static

static

order-1812...49.exe

windows7_x64

10

order-1812...49.exe

windows10_x64

10

Analysis

  • max time kernel
    112s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 06:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order-181289654312464649.exe

  • Size

    6.2MB

  • MD5

    bf057dc4b4f9acafa17ae6b08520903c

  • SHA1

    2548e9ffd49fbbfcd1f2ebd4aedfb843dfe6da29

  • SHA256

    b93e5081bef10f47b8e037da155852225e10cb46b0bdbcab6d57a68364cb98da

  • SHA512

    65417bfc6c2c9235aa7515596b1e18dc52c9538db72ca1ea7ab1a163be65fb04012077132b38252793229f3d52dce4ca05f673dbd21c9c0f8dee35e3371f94a7

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.157.162.81:40700

nanopc.linkpc.net:40700
Mutex

ebbd9300-ed31-4d29-88d8-4f7b7a7f8653

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    nanopc.linkpc.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-09-04T02:29:42.194822936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    40700

  • default_group

    LAGOS_BLESSED2

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    29933

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ebbd9300-ed31-4d29-88d8-4f7b7a7f8653

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    185.157.162.81

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    4944

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Executes dropped EXE 4 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order-181289654312464649.exe
    "C:\Users\Admin\AppData\Local\Temp\order-181289654312464649.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Roaming\vcdfcfghjghtkhjbnvgh.exe
      "C:\Users\Admin\AppData\Roaming\vcdfcfghjghtkhjbnvgh.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2020
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1332
      • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe
        "C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe
          "C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.txt
    MD5

    06663bec2c2b9fd8ef525ad4fafe332a

    SHA1

    be046a402d0eefe84c434065ba50822ba3ecec3e

    SHA256

    efe617433ecf0045f2051fa227c0bbfc1d40b6289b5bfe0f906259c76c04ac7f

    SHA512

    66bb4a790441e54519d09b0474e564ffc0d91430af8f04ec240a98ee80040836c61f4c9aeb4fc1ed08aa879b6f585b2ceaaa388dbef55bbaf2ad4031eb88dbd0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.txt
    MD5

    be9bdf8d7bc2422649eac9679451886f

    SHA1

    34c7533a8c8aaff400a231165464da9620b6f2ff

    SHA256

    b6e69d21f532d0055d7b42166cbbd7d9dbeee9da25a57302306867d776fae497

    SHA512

    f05a4c29dccb51e7fcf141237293c7cb8eaf06b4e2d1ffdbcf043b197ad3aec0857c785fb99a09d307ecfeac19aff9a94466ac3d6eea5ff0093c6ce85f0e644f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.txt
    MD5

    f1f31ae757804c3430558dbee939e607

    SHA1

    01218c7d65ea9bdeacf7311d7413a783e6a8a0f0

    SHA256

    fc4eac0986ffea30386ef831cdaf0affe879e6bfa502e0bd2916e9e0c61b4090

    SHA512

    722cbc52b2595d83a91cf9c55419ab18be35159c72c44325367411ce3520099e8dfc0bab95920487bf8267ed2cd868f815cb2219e05652c75b44073ef06172da

    Download Submit
  • C:\Users\Admin\AppData\Roaming\vcdfcfghjghtkhjbnvgh.exe
    MD5

    bf057dc4b4f9acafa17ae6b08520903c

    SHA1

    2548e9ffd49fbbfcd1f2ebd4aedfb843dfe6da29

    SHA256

    b93e5081bef10f47b8e037da155852225e10cb46b0bdbcab6d57a68364cb98da

    SHA512

    65417bfc6c2c9235aa7515596b1e18dc52c9538db72ca1ea7ab1a163be65fb04012077132b38252793229f3d52dce4ca05f673dbd21c9c0f8dee35e3371f94a7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\vcdfcfghjghtkhjbnvgh.exe
    MD5

    bf057dc4b4f9acafa17ae6b08520903c

    SHA1

    2548e9ffd49fbbfcd1f2ebd4aedfb843dfe6da29

    SHA256

    b93e5081bef10f47b8e037da155852225e10cb46b0bdbcab6d57a68364cb98da

    SHA512

    65417bfc6c2c9235aa7515596b1e18dc52c9538db72ca1ea7ab1a163be65fb04012077132b38252793229f3d52dce4ca05f673dbd21c9c0f8dee35e3371f94a7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ffbbhioyfigdrstruii.exe
    MD5

    0e362e7005823d0bec3719b902ed6d62

    SHA1

    590d860b909804349e0cdc2f1662b37bd62f7463

    SHA256

    2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

    SHA512

    518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

    Download Submit
  • \Users\Admin\AppData\Roaming\vcdfcfghjghtkhjbnvgh.exe
    MD5

    bf057dc4b4f9acafa17ae6b08520903c

    SHA1

    2548e9ffd49fbbfcd1f2ebd4aedfb843dfe6da29

    SHA256

    b93e5081bef10f47b8e037da155852225e10cb46b0bdbcab6d57a68364cb98da

    SHA512

    65417bfc6c2c9235aa7515596b1e18dc52c9538db72ca1ea7ab1a163be65fb04012077132b38252793229f3d52dce4ca05f673dbd21c9c0f8dee35e3371f94a7

    Download Submit
  • memory/1216-32-0x0000000000000000-mapping.dmp
    Download
  • memory/1216-35-0x0000000074EE0000-0x00000000755CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1216-36-0x0000000000DD0000-0x0000000000DD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1316-42-0x0000000074EE0000-0x00000000755CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1316-40-0x0000000000000000-mapping.dmp
    Download
  • memory/1332-25-0x0000000074EE0000-0x00000000755CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1332-47-0x00000000007C0000-0x00000000007CD000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1332-29-0x0000000000540000-0x0000000000559000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1332-30-0x0000000000750000-0x0000000000753000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1332-20-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1332-56-0x0000000002200000-0x000000000220A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1332-55-0x00000000021F0000-0x00000000021FF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1332-58-0x0000000002250000-0x000000000225F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1332-23-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1332-28-0x0000000000530000-0x0000000000535000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1332-57-0x0000000002220000-0x0000000002249000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1332-21-0x000000000041E792-mapping.dmp
    Download
  • memory/1332-49-0x00000000008C0000-0x00000000008C6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1332-50-0x00000000008D0000-0x00000000008DC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1332-54-0x00000000020E0000-0x00000000020E9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1332-52-0x00000000020C0000-0x00000000020C6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1332-53-0x00000000020D0000-0x00000000020DD000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1332-24-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1332-48-0x0000000000820000-0x0000000000835000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1332-51-0x0000000000AD0000-0x0000000000AD7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2020-17-0x0000000000590000-0x0000000000591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2020-8-0x0000000000000000-mapping.dmp
    Download
  • memory/2020-11-0x0000000074EE0000-0x00000000755CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2020-12-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2020-16-0x0000000000560000-0x000000000056B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/2028-3-0x00000000012D0000-0x00000000012D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-5-0x0000000000240000-0x000000000025E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2028-6-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp
    Filesize

    6.9MB

    Download