Overview

overview

10

Static

static

8

Purchase O...21.xls

windows7_x64

10

Purchase O...21.xls

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Purchase OrderDated19032021.xls

  • Size

    81KB

  • Sample

    210322-r5jek2vn12

  • MD5

    1a49fe1a9c135ccd9c9f2d9cf395f378

  • SHA1

    24d6ab599cef554a8e8e6b2e3abffb7072e6e1db

  • SHA256

    e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b

  • SHA512

    9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3

Score
10/10
nanocorekeyloggermacromacro_on_actionspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.140.53.130:2364

mydnsnanocore123.ddns.net:2364

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    mydnsnanocore123.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-12-27T15:43:00.135192036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2364

  • default_group

    17-03-2021NANO

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    af625c00-d1f5-4435-80be-9f676efc59dc

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    185.140.53.130

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Targets

    • Target

      Purchase OrderDated19032021.xls

    • Size

      81KB

    • MD5

      1a49fe1a9c135ccd9c9f2d9cf395f378

    • SHA1

      24d6ab599cef554a8e8e6b2e3abffb7072e6e1db

    • SHA256

      e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b

    • SHA512

      9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3

    Score
    10/10
    nanocorekeyloggerspywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Tasks