Overview

overview

10

Static

static

10

751f66bf22...82.exe

windows7_x64

751f66bf22...82.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    14-09-2021 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982.exe

  • Size

    1.9MB

  • MD5

    82cb908a68275e3bc35158b546323631

  • SHA1

    4ffe5f66cfc667df8a3acce200199b2a5419a281

  • SHA256

    751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982

  • SHA512

    ada9b9053e0cf8ea3d2f5a581366792c2c90a2009c53319f0bb435b915d586beab4d4ae46ed6b51284dc0973cf69418a1c2ab2c2b90cab86afc8e35989dc4729

Score
10/10
nanocorenjrathackedevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked

C2

gtawins.ddns.net:1177

Mutex

3ce17b94d100323a220dbf54788571e1

Attributes
  • reg_key

    3ce17b94d100323a220dbf54788571e1

  • splitter

    |'|'|

Extracted

Family

nanocore

Version

1.2.2.0

C2

gtawins.ddns.net:2001

Mutex

91e727ee-d078-4218-882c-3f74b732d29c

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    gtawins.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-03-24T23:10:56.497932536Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    2001

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    91e727ee-d078-4218-882c-3f74b732d29c

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    gtawins.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    5000

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Executes dropped EXE 5 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982.exe
    "C:\Users\Admin\AppData\Local\Temp\751f66bf226c6773d41ee1b16788dc509d64af36206785fd9edb39eaf6028982.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
        3⤵
          PID:2184
      • C:\Users\Admin\AppData\Roaming\Dllhost.exe
        "C:\Users\Admin\AppData\Roaming\Dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1116
      • C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe
        "C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe"
        2⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Users\Admin\AppData\Roaming\2CFUpdater.exe
          "C:\Users\Admin\AppData\Roaming\2CFUpdater.exe" "C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4136
          • C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe
            "C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4340
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:504
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      PID:772
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2288
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:868
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:4660
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:4152
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      PID:2068

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe
      MD5

      4d367a5e08908246d9e2d3aadf977f7b

      SHA1

      4f6a51a40e78d11ba3fbcb253b5193634f2cde99

      SHA256

      4d96d255b6332130d71cda946af18287e08eb2cf622360ca8526dac0c6df9220

      SHA512

      27cfb0486cf331ad975ffdb609779c0a43d881389fc6fa73c81750d3abdcff3429fdffe77c0badedf2841a7442e19236ae7d266940643eae3401f0d173838d7c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe
      MD5

      e14f2dc9f0a38b9c9d6bbb3cd8f3e1a7

      SHA1

      297c154be52302c19587a860ef24bef0e551d7d1

      SHA256

      baaf061c5385480df0f55779ac4967618bb9cd61289021ac648578083530e343

      SHA512

      81c40b776b0f0575107f8675d6ac78748aa69278d12b4482be425a24ae71a1d7782f2021345fda97e12ed92847ced2e10b713cc4a68b926cb14d60387e486725

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\2Cheat Loader.exe
      MD5

      e14f2dc9f0a38b9c9d6bbb3cd8f3e1a7

      SHA1

      297c154be52302c19587a860ef24bef0e551d7d1

      SHA256

      baaf061c5385480df0f55779ac4967618bb9cd61289021ac648578083530e343

      SHA512

      81c40b776b0f0575107f8675d6ac78748aa69278d12b4482be425a24ae71a1d7782f2021345fda97e12ed92847ced2e10b713cc4a68b926cb14d60387e486725

      Download Submit
    • C:\Users\Admin\AppData\Roaming\2CFUpdated.exe
      MD5

      4d367a5e08908246d9e2d3aadf977f7b

      SHA1

      4f6a51a40e78d11ba3fbcb253b5193634f2cde99

      SHA256

      4d96d255b6332130d71cda946af18287e08eb2cf622360ca8526dac0c6df9220

      SHA512

      27cfb0486cf331ad975ffdb609779c0a43d881389fc6fa73c81750d3abdcff3429fdffe77c0badedf2841a7442e19236ae7d266940643eae3401f0d173838d7c

      Download Submit
    • C:\Users\Admin\AppData\Roaming\2CFUpdater.exe
      MD5

      703c120638a2fc135eb709495725e165

      SHA1

      c260dc9d0b3bea6ddd4d471df3e1396fb2821078

      SHA256

      a71c9b3a633069ff7b73aac047afc971b549460e86bfb7df4631383885aac9bf

      SHA512

      4aacff11361cfa0b7320ee84652db9ae29a5f09e46f123e537e5c46551e04961ea81863225dd40866f260795c638b4f3147e52580889c37787f8c1ad1383128b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\2CFUpdater.exe
      MD5

      703c120638a2fc135eb709495725e165

      SHA1

      c260dc9d0b3bea6ddd4d471df3e1396fb2821078

      SHA256

      a71c9b3a633069ff7b73aac047afc971b549460e86bfb7df4631383885aac9bf

      SHA512

      4aacff11361cfa0b7320ee84652db9ae29a5f09e46f123e537e5c46551e04961ea81863225dd40866f260795c638b4f3147e52580889c37787f8c1ad1383128b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Dllhost.exe
      MD5

      04ad2a13ef7cdf6c28ba52c79b362b31

      SHA1

      a1beaed9995ea784756e89f31b457194d5e4e6d3

      SHA256

      aa54457bbebfdbd3b2164df231638643edbec7ef9e2f58faa279df05ebe3abe3

      SHA512

      6f0dd0e9918d58653512dfe1d896f91ea8909b2c50294cdacec391da365c1f24bcca57045c9920c1d17a53951b62b661012aa8f24a267d02ecb500b816af04bc

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Dllhost.exe
      MD5

      04ad2a13ef7cdf6c28ba52c79b362b31

      SHA1

      a1beaed9995ea784756e89f31b457194d5e4e6d3

      SHA256

      aa54457bbebfdbd3b2164df231638643edbec7ef9e2f58faa279df05ebe3abe3

      SHA512

      6f0dd0e9918d58653512dfe1d896f91ea8909b2c50294cdacec391da365c1f24bcca57045c9920c1d17a53951b62b661012aa8f24a267d02ecb500b816af04bc

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      MD5

      faba023813022c6a15b113ed6c6d1734

      SHA1

      df5683eb6557092451a6b65ed5fb0077d2d2d290

      SHA256

      b55ba6a4ed2cf82ac285c364723f099e5b1716144654b058f76bb646f4a69c08

      SHA512

      643e7276cf3fbc147a8a71641b39aec5bfe6d749cdf5560d2049f9fb735a252a93cb5f451c48ee63687588729c8c795e463eba32500d59a09f445e26f421f55e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      MD5

      faba023813022c6a15b113ed6c6d1734

      SHA1

      df5683eb6557092451a6b65ed5fb0077d2d2d290

      SHA256

      b55ba6a4ed2cf82ac285c364723f099e5b1716144654b058f76bb646f4a69c08

      SHA512

      643e7276cf3fbc147a8a71641b39aec5bfe6d749cdf5560d2049f9fb735a252a93cb5f451c48ee63687588729c8c795e463eba32500d59a09f445e26f421f55e

      Download Submit
    • memory/368-116-0x0000000000000000-mapping.dmp
      Download
    • memory/368-127-0x0000000003701000-0x0000000003702000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1116-119-0x0000000000000000-mapping.dmp
      Download
    • memory/1116-126-0x00000000017B0000-0x00000000017B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1320-130-0x00000000057A0000-0x00000000057A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1320-125-0x0000000000C60000-0x0000000000C61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1320-132-0x0000000005650000-0x0000000005651000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1320-133-0x0000000005840000-0x0000000005841000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1320-134-0x00000000057A0000-0x0000000005C9E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1320-122-0x0000000000000000-mapping.dmp
      Download
    • memory/1320-129-0x0000000005CA0000-0x0000000005CA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1320-131-0x00000000057A0000-0x0000000005C9E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1320-128-0x0000000005690000-0x0000000005691000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2184-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4136-140-0x00000000007C0000-0x00000000007C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4136-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4340-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4340-146-0x0000000000E90000-0x0000000000E91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4340-152-0x0000000005B20000-0x0000000005B21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4340-153-0x0000000005B23000-0x0000000005B25000-memory.dmp
      Filesize

      8KB

      Download