Overview

overview

10

Static

static

Order list...GU.exe

windows7_x64

1

Order list...GU.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 06:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order list 20.1.2021 07u9Uxttb5ltGU.exe

  • Size

    1.7MB

  • MD5

    8935c408c5650172e350acb92e7cc659

  • SHA1

    69fbb8236dc958388bdaf65b986894365d6dae6b

  • SHA256

    5fc84f25b331a01c87e4f7652a396a83403c0efc27cefeec6cea69b954a01040

  • SHA512

    55312234692bbd6e2b60128350a32e02d2d8affbaa154280b5f080044039f14660114483baaf81baa940122aa4b04a7a247ca5df02ef7ca993d287b8c6dfdd5e

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

cool.gotdns.ch:7451

Mutex

47128c17-dc06-470e-8718-2173a7e3bbbd

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    cool.gotdns.ch

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-10-28T02:16:41.837658936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    7451

  • default_group

    KING

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    47128c17-dc06-470e-8718-2173a7e3bbbd

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    cool.gotdns.ch

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
    "C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gIZSEI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B8E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1940
    • C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe
      "C:\Users\Admin\AppData\Local\Temp\Order list 20.1.2021 07u9Uxttb5ltGU.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order list 20.1.2021 07u9Uxttb5ltGU.exe.log
    MD5

    90acfd72f14a512712b1a7380c0faf60

    SHA1

    40ba4accb8faa75887e84fb8e38d598dc8cf0f12

    SHA256

    20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

    SHA512

    29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp5B8E.tmp
    MD5

    20f828c84e110706bdf2a7f1f8810509

    SHA1

    06a1310c66b41889ac244fe43f44308b8aa40308

    SHA256

    82cf1a999251ad3d3c6c76885bd4c5063b2964e9c8d0b54de259cb8e6391b400

    SHA512

    7042b6d46dd957717e4ef92dd296f0d19bc260b021b88951ccb369481f1da5b91421276102a807aaf1fd3dd485932035571d79c97adc703808c54fe25315c65a

    Download Submit
  • memory/796-9-0x00000000073C0000-0x00000000073C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/796-6-0x0000000007870000-0x0000000007871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/796-7-0x0000000007410000-0x0000000007411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/796-8-0x0000000007670000-0x0000000007671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/796-5-0x00000000072D0000-0x00000000072D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/796-10-0x00000000075D0000-0x00000000075D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/796-11-0x0000000007570000-0x0000000007593000-memory.dmp
    Filesize

    140KB

    Download
  • memory/796-12-0x00000000080D0000-0x000000000813B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/796-3-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/796-2-0x00000000730E0000-0x00000000737CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1940-13-0x0000000000000000-mapping.dmp
    Download
  • memory/2224-25-0x00000000056B0000-0x00000000056B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2224-31-0x0000000006B00000-0x0000000006B06000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2224-18-0x00000000730E0000-0x00000000737CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2224-15-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2224-26-0x00000000056A0000-0x00000000056A5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2224-27-0x0000000005830000-0x0000000005849000-memory.dmp
    Filesize

    100KB

    Download
  • memory/2224-28-0x00000000059E0000-0x00000000059E3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2224-29-0x0000000006AB0000-0x0000000006ABD000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2224-30-0x0000000006AC0000-0x0000000006AD5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2224-16-0x000000000041E792-mapping.dmp
    Download
  • memory/2224-32-0x0000000006B10000-0x0000000006B1C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2224-33-0x0000000006B20000-0x0000000006B27000-memory.dmp
    Filesize

    28KB

    Download
  • memory/2224-34-0x0000000006B30000-0x0000000006B36000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2224-35-0x0000000006B40000-0x0000000006B4D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2224-36-0x0000000006B50000-0x0000000006B59000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2224-37-0x0000000006B60000-0x0000000006B6F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2224-38-0x0000000006B80000-0x0000000006B8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2224-39-0x0000000006B90000-0x0000000006BB9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/2224-40-0x0000000006BD0000-0x0000000006BDF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/2224-41-0x0000000006DA0000-0x0000000006DA1000-memory.dmp
    Filesize

    4KB

    Download