Overview

overview

10

Static

static

FedEx's AW...43.exe

windows7_x64

10

FedEx's AW...43.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-02-2021 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FedEx's AWB#5305323204643.exe

  • Size

    20KB

  • MD5

    b3e24269e8f4d613dab013ba26e08f8a

  • SHA1

    81adf63b98379e81b82925ccc64c7a219b81a7fd

  • SHA256

    3dfc4c40e95c69c2f87baf8ce364a350823404e78bb4ed97807330f398753f76

  • SHA512

    477d9eefcd769cceb181df5d11038b8d9ca6b8a42d027b15cdb0c7eb0999e228041b0a86fa746ed26b1adf1e2bc73a83acff9751fba9816570945ca0d23176ea

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.157.160.233:2212

annapro.linkpc.net:2212
Mutex

5c958888-f81c-42a4-939d-31983a2cd9ba

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    annapro.linkpc.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-10-24T06:39:59.095270636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2212

  • default_group

    wuzzy122

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    5c958888-f81c-42a4-939d-31983a2cd9ba

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    185.157.160.233

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Nirsoft 7 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 9 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FedEx's AWB#5305323204643.exe
    "C:\Users\Admin\AppData\Local\Temp\FedEx's AWB#5305323204643.exe"
    1⤵
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\OGQgtbhjcqQVstkulzRPyghcHKV\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:776
    • C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe" /SpecialRun 4101d8 1312
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx's AWB#5305323204643.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:964
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1448
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    11903fea4d6138c1a12d3a160917f2d8

    SHA1

    95a0f2b71951d347847f4ea91edbc5cb15c1f2a1

    SHA256

    7a1ca816004c1875d487750942cb424a7d869ee3a992b0996741642348df47b8

    SHA512

    572904333ef54a085fd3913b6ad5563cb92be9c6a2d2654fd5f3800f0dc7f0805c9cb7bf57f636460e9389df8efdd07bd7e63b65a8470fb6ad98e82354404290

    Download Submit
  • \Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\480aa062-04a7-4e94-bd9b-8f7e1beb86d0\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • memory/328-84-0x00000000002C0000-0x00000000002C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/328-78-0x0000000001DE0000-0x0000000001DF1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/328-77-0x0000000000000000-mapping.dmp
    Download
  • memory/776-43-0x0000000005610000-0x0000000005611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-58-0x0000000006300000-0x0000000006301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-11-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-10-0x00000000021A0000-0x00000000021A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-9-0x0000000074840000-0x0000000074F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/776-7-0x0000000000000000-mapping.dmp
    Download
  • memory/776-8-0x00000000756C1000-0x00000000756C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/776-24-0x0000000004AA2000-0x0000000004AA3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-23-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-25-0x0000000002590000-0x0000000002591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-26-0x0000000002710000-0x0000000002711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-29-0x0000000005650000-0x0000000005651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-34-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-35-0x0000000006180000-0x0000000006181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-42-0x0000000006280000-0x0000000006281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-59-0x0000000006310000-0x0000000006311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-54-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/928-72-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/928-79-0x0000000000360000-0x0000000000365000-memory.dmp
    Filesize

    20KB

    Download
  • memory/928-83-0x0000000004D65000-0x0000000004D76000-memory.dmp
    Filesize

    68KB

    Download
  • memory/928-82-0x0000000004D60000-0x0000000004D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/928-81-0x00000000003D0000-0x00000000003D3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/928-80-0x0000000000370000-0x0000000000389000-memory.dmp
    Filesize

    100KB

    Download
  • memory/928-75-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/928-74-0x0000000074840000-0x0000000074F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/928-73-0x000000000041E792-mapping.dmp
    Download
  • memory/964-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1016-20-0x0000000000000000-mapping.dmp
    Download
  • memory/1312-14-0x0000000000000000-mapping.dmp
    Download
  • memory/1384-67-0x0000000004800000-0x0000000004801000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-68-0x0000000002300000-0x0000000002301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-71-0x0000000002772000-0x0000000002773000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-66-0x0000000000B50000-0x0000000000B51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-65-0x0000000074840000-0x0000000074F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1384-70-0x0000000002770000-0x0000000002771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-69-0x0000000005300000-0x0000000005301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1384-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1620-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1852-6-0x0000000000620000-0x00000000006C9000-memory.dmp
    Filesize

    676KB

    Download
  • memory/1852-5-0x0000000004230000-0x0000000004231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1852-2-0x0000000074840000-0x0000000074F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1852-3-0x0000000000920000-0x0000000000921000-memory.dmp
    Filesize

    4KB

    Download