Overview

overview

10

Static

static

858f1b8a67...1e.exe

windows7_x64

10

858f1b8a67...1e.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-05-2021 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    858f1b8a674c27585699974f7d6a471e.exe

  • Size

    1.3MB

  • MD5

    858f1b8a674c27585699974f7d6a471e

  • SHA1

    87e0520b23807e3f7e3e79e977e51d00f2e3a789

  • SHA256

    40b5ac8fcefc98a9feb178542659bc830beeae78e6bd813a3c1cb5d75d4b8801

  • SHA512

    aa3493c55478dce7f9f039d765e85ad491768d28d8d44433f880ba53b0970a1d85f72fb5c51e60a60e6bc45506965d60ca26c5627d0594a76ab50a31a8c12ae1

Score
10/10
nanocorekeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.208:5566

mustpay2211.ddns.net:5566
Mutex

6271a422-9054-4af4-800a-d95aff150568

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    mustpay2211.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-02-19T01:09:24.102448236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    5566

  • default_group

    PRINCE

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    6271a422-9054-4af4-800a-d95aff150568

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    194.5.98.208

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\858f1b8a674c27585699974f7d6a471e.exe
    "C:\Users\Admin\AppData\Local\Temp\858f1b8a674c27585699974f7d6a471e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RKmQwOp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9195.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:268
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9195.tmp
    MD5

    10f20eafed8044204b6616fa38531a37

    SHA1

    2255d82cabc3c821658b35353135c34d99e45eaf

    SHA256

    0ec3daccb900667f2e86f3bfe6cde3a8c97caaf7d19fafb25276451179e1e0ba

    SHA512

    3b7f041c558fffb02aa0fb9d9013204c665fde103ff2c6afde3d0e49157ed823caa39d21c1a7acc87b1c446fc33baf8574e9f1e9f6192e557d3dfc261dc346d9

    Download Submit
  • memory/268-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1096-59-0x0000000000F60000-0x0000000000F61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1096-61-0x00000000005E0000-0x00000000005E4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1096-62-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1096-63-0x0000000005230000-0x0000000005307000-memory.dmp
    Filesize

    860KB

    Download
  • memory/1096-64-0x00000000047E0000-0x0000000004870000-memory.dmp
    Filesize

    576KB

    Download
  • memory/1880-73-0x00000000003D0000-0x00000000003DD000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1880-77-0x00000000005E0000-0x00000000005E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1880-69-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/1880-71-0x00000000003C0000-0x00000000003C5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1880-72-0x0000000004840000-0x0000000004841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1880-67-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/1880-74-0x00000000003E0000-0x00000000003F5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1880-75-0x0000000000540000-0x0000000000546000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1880-76-0x0000000000550000-0x0000000000557000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1880-68-0x000000000041E792-mapping.dmp
    Download
  • memory/1880-78-0x00000000005F0000-0x00000000005FD000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1880-79-0x0000000000600000-0x0000000000609000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1880-80-0x0000000000620000-0x000000000062F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1880-81-0x0000000000670000-0x000000000067A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1880-82-0x0000000000690000-0x00000000006A9000-memory.dmp
    Filesize

    100KB

    Download
  • memory/1880-83-0x00000000008A0000-0x00000000008A3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1880-84-0x00000000008F0000-0x0000000000919000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1880-85-0x0000000000AC0000-0x0000000000ACF000-memory.dmp
    Filesize

    60KB

    Download
  • memory/1880-86-0x0000000004845000-0x0000000004856000-memory.dmp
    Filesize

    68KB

    Download