Overview

overview

10

Static

static

a8aac7e2a9...ab.exe

windows7_x64

10

a8aac7e2a9...ab.exe

windows10_x64

10

Analysis

  • max time kernel
    70s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8aac7e2a92af01b0fc23c879558bbab.exe

  • Size

    1.0MB

  • MD5

    a8aac7e2a92af01b0fc23c879558bbab

  • SHA1

    677cb1175654988f65e728265e9cba895251fcb2

  • SHA256

    d8d44d6f407890cc863210c01ddec461112b1efb273bcf76bbb3e31419f0bcee

  • SHA512

    6763333172126ce8c5eb5924779182a488c2c6ea4bedbd3f1265dd165e95816981b3f9e35d1d0dfb7c16b136de70b26ded51f1fd547b6a0157909ad215975039

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sylviaoslh01.ddns.net:52943

23.105.131.216:52943
Mutex

23e7eebd-240d-4908-b034-8afc79aa36ad

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    23.105.131.216

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2020-10-26T11:59:49.749429636Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    52943

  • default_group

    Logs wetyn you de wait for

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    23e7eebd-240d-4908-b034-8afc79aa36ad

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sylviaoslh01.ddns.net

  • primary_dns_server

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe
    "C:\Users\Admin\AppData\Local\Temp\a8aac7e2a92af01b0fc23c879558bbab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LpqUNyJQxR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B39.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2312
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp23B5.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3956
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2433.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1B39.tmp
    MD5

    df99e4069ae2f1ae053b32d87ed67792

    SHA1

    c657271f444963c4d0f6ad94242e559b1be2a655

    SHA256

    26aa54713e0d713ce18b400ed9b349bfbc68bff31b4329f6c2393210c489833d

    SHA512

    c324ed78b49a806043eb36892006e496b29da46349b77a344a4348036d449d5a1ea2475b64daf560043b5b9ff4ebf418cfc7f16901ab1b45921db29a9881e3fd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp23B5.tmp
    MD5

    40b11ef601fb28f9b2e69d36857bf2ec

    SHA1

    b6454020ad2ceed193f4792b77001d0bd741b370

    SHA256

    c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1

    SHA512

    e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp2433.tmp
    MD5

    b3b017f9df206021717a11f11d895402

    SHA1

    e4ea12823af6550ee634536eec1eb14490580a3b

    SHA256

    654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

    SHA512

    95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

    Download Submit
  • memory/1156-10-0x0000000000000000-mapping.dmp
    Download
  • memory/1400-2-0x0000000000F80000-0x0000000000F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2312-3-0x0000000000000000-mapping.dmp
    Download
  • memory/3496-5-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3496-6-0x000000000041E792-mapping.dmp
    Download
  • memory/3496-8-0x0000000002900000-0x0000000002901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3496-12-0x0000000002901000-0x0000000002902000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3956-7-0x0000000000000000-mapping.dmp
    Download