Overview

overview

10

Static

static

f2651b4586...bf.exe

windows7_x64

10

f2651b4586...bf.exe

windows10_x64

10

Analysis

  • max time kernel
    7s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 09:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2651b458654fc1799efe0c9ab71fdbf.exe

  • Size

    956KB

  • MD5

    f2651b458654fc1799efe0c9ab71fdbf

  • SHA1

    acb40c16a5163ccaa66a5a86084005d696fd590a

  • SHA256

    3513df7406eef953434f0c75bcdf33c112ee42d6f81edb1928d1e008b691d703

  • SHA512

    19e1a21a15391eb6d77248d3bb4d0bc8ce3685b718a674eea627166b59e9edc3be69cc99eae1885c054a5f52eaa3a130383cd3757247b08b544eb97677ce55f2

Score
10/10
nanocorekeyloggerspywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
    "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN start /XML "C:\Users\Admin\AppData\Local\Temp\75485bf249a64428a958453421129ae0.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN start /XML "C:\Users\Admin\AppData\Local\Temp\75485bf249a64428a958453421129ae0.xml"
        3⤵
        • Creates scheduled task(s)
        PID:2036
    • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
      "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
        "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
          "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
            "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1960
            • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
              "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1148
              • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1512
                • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                  "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1600
                  • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                    "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:328
                    • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                      "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:788
                      • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                        "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:968
                        • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                          "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                          12⤵
                          • Suspicious use of WriteProcessMemory
                          PID:336
                          • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                            "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1004
                            • C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe
                              "C:\Users\Admin\AppData\Local\Temp\f2651b458654fc1799efe0c9ab71fdbf.exe"
                              14⤵
                                PID:1092

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\75485bf249a64428a958453421129ae0.xml
      MD5

      7ea4fe3df9a64ba26d0acee3fbac267b

      SHA1

      4dcaf7e5299f940763e4cecc4dd8285f697e0057

      SHA256

      4900f6f8b5bb77af08256e18af1b5e1854d7de7612be7e2260fbc172208590f4

      SHA512

      4a4f8d72544519a78fd702414519087220e4965a7d697b906cba9c2e8102d5a8634f1a42fe6671e99df8261a751e4da4b2eb51725a4f7fbc73c654c9c46735ff

      Download Submit
    • memory/328-20-0x0000000000000000-mapping.dmp
      Download
    • memory/336-26-0x0000000000000000-mapping.dmp
      Download
    • memory/788-22-0x0000000000000000-mapping.dmp
      Download
    • memory/968-24-0x0000000000000000-mapping.dmp
      Download
    • memory/1004-28-0x0000000000000000-mapping.dmp
      Download
    • memory/1064-2-0x0000000076101000-0x0000000076103000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1092-32-0x0000000000400000-0x000000000046E000-memory.dmp
      Filesize

      440KB

      Download
    • memory/1092-33-0x00000000001C0000-0x00000000001C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1092-30-0x0000000000000000-mapping.dmp
      Download
    • memory/1148-14-0x0000000000000000-mapping.dmp
      Download
    • memory/1408-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1512-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1600-18-0x0000000000000000-mapping.dmp
      Download
    • memory/1960-12-0x0000000000000000-mapping.dmp
      Download
    • memory/1964-10-0x0000000000000000-mapping.dmp
      Download
    • memory/2000-3-0x0000000000000000-mapping.dmp
      Download
    • memory/2024-4-0x0000000000000000-mapping.dmp
      Download
    • memory/2036-5-0x0000000000000000-mapping.dmp
      Download