820869d6bf485c32fd94fde70838b453.exe

General
Target

820869d6bf485c32fd94fde70838b453.exe

Filesize

613KB

Completed

27-07-2021 16:25

Score
10 /10
MD5

820869d6bf485c32fd94fde70838b453

SHA1

c387acae1c90dbfe7f5008516adcb510d2504ef0

SHA256

0971ed841b73f240346a0aac75acc3dd3ef1345420fba81b00b79366a2c8d6ce

Malware Config

Extracted

Family nanocore
Version 1.2.2.0
C2

asweee.jumpingcrab.com:8234

tryweaswweee.ydns.eu:8234

Attributes
activate_away_mode
true
backup_connection_host
tryweaswweee.ydns.eu
backup_dns_server
tryweaswweee.ydns.eu
buffer_size
65535
build_time
2021-05-02T14:48:34.703881636Z
bypass_user_account_control
false
bypass_user_account_control_data
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
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8234
default_group
AUGUST
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0bb207a5-6f92-4ff1-abb5-35e0dc25fe5d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
asweee.jumpingcrab.com
primary_dns_server
asweee.jumpingcrab.com
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000
Signatures 8


Discovery
Persistence
  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a wide range of capabilities.

  • Checks whether UAC is enabled
    820869d6bf485c32fd94fde70838b453.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 820869d6bf485c32fd94fde70838b453.exe
  • Suspicious use of SetThreadContext
    820869d6bf485c32fd94fde70838b453.exe

    Reported IOCs

    description | pid | process | target process
    PID 1924 set thread context of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware to establish persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    1116 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    820869d6bf485c32fd94fde70838b453.exe, 820869d6bf485c32fd94fde70838b453.exe

    Reported IOCs

    pid | process
    1924 | 820869d6bf485c32fd94fde70838b453.exe
    1924 | 820869d6bf485c32fd94fde70838b453.exe
    780 | 820869d6bf485c32fd94fde70838b453.exe
    780 | 820869d6bf485c32fd94fde70838b453.exe
  • Suspicious behavior: GetForegroundWindowSpam
    820869d6bf485c32fd94fde70838b453.exe

    Reported IOCs

    pid | process
    780 | 820869d6bf485c32fd94fde70838b453.exe
  • Suspicious use of AdjustPrivilegeToken
    820869d6bf485c32fd94fde70838b453.exe, 820869d6bf485c32fd94fde70838b453.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1924 | 820869d6bf485c32fd94fde70838b453.exe
    Token: SeDebugPrivilege | 780 | 820869d6bf485c32fd94fde70838b453.exe
  • Suspicious use of WriteProcessMemory
    820869d6bf485c32fd94fde70838b453.exe, 820869d6bf485c32fd94fde70838b453.exe

    Reported IOCs

    description | pid | process | target process
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 1924 wrote to memory of 780 | 1924 | 820869d6bf485c32fd94fde70838b453.exe | 820869d6bf485c32fd94fde70838b453.exe
    PID 780 wrote to memory of 1116 | 780 | 820869d6bf485c32fd94fde70838b453.exe | schtasks.exe
    PID 780 wrote to memory of 1116 | 780 | 820869d6bf485c32fd94fde70838b453.exe | schtasks.exe
    PID 780 wrote to memory of 1116 | 780 | 820869d6bf485c32fd94fde70838b453.exe | schtasks.exe
    PID 780 wrote to memory of 1116 | 780 | 820869d6bf485c32fd94fde70838b453.exe | schtasks.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\820869d6bf485c32fd94fde70838b453.exe
    "C:\Users\Admin\AppData\Local\Temp\820869d6bf485c32fd94fde70838b453.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\820869d6bf485c32fd94fde70838b453.exe
      C:\Users\Admin\AppData\Local\Temp\820869d6bf485c32fd94fde70838b453.exe
      Checks whether UAC is enabled
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBF88.tmp"
        Creates scheduled task(s)
        PID:1116
Network
                      Downloads
                      • C:\Users\Admin\AppData\Local\Temp\tmpBF88.tmp

                        MD5

                        dc55b77f3b362375f7ad3378b763ab1a

                        SHA1

                        f6ea0790af5c6ba497238c2208383682e97f0315

                        SHA256

                        075e11b7883d64b8a871dbed5c72524a111419f1cfe30f2f4b37c7aa390b5c47

                        SHA512

                        f4b3acaf2f1014411b85e181cad9d4ef553a00afe7a94e0b7e3d23ae9a9daf8c70e9310839ce66869762a87b0dc0f0324b4683646247dad33666c93a9f5ae0be

                      • memory/780-72-0x000000000041E792-mapping.dmp

                      • memory/780-79-0x0000000000480000-0x0000000000499000-memory.dmp

                      • memory/780-78-0x00000000003D0000-0x00000000003D5000-memory.dmp

                      • memory/780-75-0x0000000001380000-0x0000000001381000-memory.dmp

                      • memory/780-73-0x0000000000400000-0x0000000000438000-memory.dmp

                      • memory/780-71-0x0000000000400000-0x0000000000438000-memory.dmp

                      • memory/780-80-0x00000000003E0000-0x00000000003E3000-memory.dmp

                      • memory/1116-76-0x0000000000000000-mapping.dmp

                      • memory/1924-70-0x0000000005CE0000-0x0000000005D5C000-memory.dmp

                      • memory/1924-65-0x0000000000D80000-0x0000000000DEB000-memory.dmp

                      • memory/1924-64-0x0000000004CA6000-0x0000000004CB7000-memory.dmp

                      • memory/1924-63-0x0000000004CA1000-0x0000000004CA2000-memory.dmp

                      • memory/1924-62-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                      • memory/1924-60-0x00000000013C0000-0x00000000013C1000-memory.dmp