General

  • Target: APR 21SOA.xlsx
  • Size: 2.4MB
  • Sample: 210408-78ya6jh8l6
  • MD5: 19182b5b4bdb03edc3b6b512eaaedc1c
  • SHA1: 5e5cfc315989c0b4e2fa94aa5b7ea40673bb2fa0
  • SHA256: dd812fc747a7e389fd641eff10517478feef81056c21582061db8c3e2e7173f1
  • SHA512: 1c12a34bd6145f77e57283aec72278771c7d02bfbd038f396ac2696ec0694b1301d25551f458395005f4dd013a5af2c4da33d8276bfca5d2de625229d2fe2ea2

Malware Config

Extracted

  • Family: nanocore
  • Version: 1.2.2.0
  • C2: 79.134.225.30:1144
  • C2: nassiru1155.ddns.net:1144
  • Mutex: f57d5a77-8670-45ef-b736-5f3a07b68725

Attributes

  • activate_away_mode: true
  • backup_connection_host: nassiru1155.ddns.net
  • backup_dns_server: 8.8.4.4
  • buffer_size: 65535
  • build_time: 2021-01-18T01:25:35.616724836Z
  • bypass_user_account_control: true
  • bypass_user_account_control_data: (empty)
  • clear_access_control: true
  • clear_zone_identifier: false
  • connect_delay: 4000
  • connection_port: 1144
  • default_group: Addora
  • enable_debug_mode: true
  • gc_threshold: 1.048576e+07
  • keep_alive_timeout: 30000
  • keyboard_logging: false
  • lan_timeout: 2500
  • max_packet_size: 1.048576e+07
  • mutex: f57d5a77-8670-45ef-b736-5f3a07b68725
  • mutex_timeout: 5000
  • prevent_system_sleep: false
  • primary_connection_host: 79.134.225.30
  • primary_dns_server: 8.8.8.8
  • request_elevation: true
  • restart_delay: 5000
  • run_delay: 0
  • run_on_startup: false
  • set_critical_process: true
  • timeout_interval: 5000
  • use_custom_dns_server: false
  • version: 1.2.2.0
  • wan_timeout: 8000

Targets

    • Target: APR 21SOA.xlsx
    • Size: 2.4MB
    • MD5: 19182b5b4bdb03edc3b6b512eaaedc1c
    • SHA1: 5e5cfc315989c0b4e2fa94aa5b7ea40673bb2fa0
    • SHA256: dd812fc747a7e389fd641eff10517478feef81056c21582061db8c3e2e7173f1
    • SHA512: 1c12a34bd6145f77e57283aec72278771c7d02bfbd038f396ac2696ec0694b1301d25551f458395005f4dd013a5af2c4da33d8276bfca5d2de625229d2fe2ea2

    Signatures

    • NanoCore: NanoCore is a remote access tool (RAT) with a variety of capabilities.
    • Blocklisted process makes network request
    • Executes dropped EXE
    • Loads dropped DLL
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                              Count  ID
  Execution             Scripting                              1      T1064
  Execution             Scheduled Task                         1      T1053
  Execution             Exploitation for Client Execution      1      T1203
  Persistence           Registry Run Keys / Startup Folder     1      T1060
  Persistence           Scheduled Task                         1      T1053
  Privilege Escalation  Scheduled Task                         1      T1053
  Defense Evasion       Scripting                              1      T1064
  Defense Evasion       Modify Registry                        2      T1112
  Discovery             System Information Discovery           3      T1082
  Discovery             Query Registry                         2      T1012
