Overview

overview

10

Static

static

DHL_docume...11.exe

windows7_x64

10

DHL_docume...11.exe

windows10_x64

10

Analysis

  • max time kernel
    80s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    14-10-2021 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL_document11022020680908911.exe

  • Size

    215KB

  • MD5

    f5740e959f892407f13054de42748917

  • SHA1

    ff4f01986dae809ebfbb807fbc88301dd5e7a23a

  • SHA256

    8bd97a0d17f61d747de38b520274c6afcb52cf89ce87a1818866428f1416ef1c

  • SHA512

    8172375d875d13c37f47bef437eb7bb46c92c57fabe01b67976d557bfcca42ff142b2194b3a675dd4bb6808b73a454984963784741fe3e3a0763e3d7d52d7b60

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

195.133.18.136:3106

youngsouth.duckdns.org:3106
Mutex

57234f5b-55f8-460c-8f66-69edf39e1138

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    youngsouth.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-07-23T14:15:23.128199136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    3106

  • default_group

    October

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    57234f5b-55f8-460c-8f66-69edf39e1138

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    195.133.18.136

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Possible NanoCore C2 60B

    suricata: ET MALWARE Possible NanoCore C2 60B

    suricata
  • Nirsoft 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2412
    • C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:708
      • C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\AdvancedRun.exe" /SpecialRun 4101d8 708
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1340
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2116
    • C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL_document11022020680908911.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3976
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2268
      2⤵
      • Drops file in Windows directory
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\11248560-28cf-409d-adda-874225e0ef61\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit

  • memory/708-122-0x0000000000000000-mapping.dmp

    Download

  • memory/1340-125-0x0000000000000000-mapping.dmp

    Download

  • memory/1568-216-0x000000007EC80000-0x000000007EC81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-161-0x0000000007F30000-0x0000000007F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-129-0x0000000002D20000-0x0000000002D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-130-0x0000000002D20000-0x0000000002D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-144-0x0000000007080000-0x0000000007081000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-180-0x0000000002D20000-0x0000000002D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-162-0x0000000008390000-0x0000000008391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-255-0x0000000004793000-0x0000000004794000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-127-0x0000000000000000-mapping.dmp

    Download

  • memory/1568-152-0x0000000004790000-0x0000000004791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-153-0x0000000004792000-0x0000000004793000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-133-0x0000000004720000-0x0000000004721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-134-0x0000000007130000-0x0000000007131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-148-0x00000000078F0000-0x00000000078F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-146-0x00000000077D0000-0x00000000077D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-155-0x0000000006E22000-0x0000000006E23000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-219-0x000000007ECB0000-0x000000007ECB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-136-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-150-0x0000000007D50000-0x0000000007D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-137-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-257-0x0000000006E23000-0x0000000006E24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-154-0x0000000006E20000-0x0000000006E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-166-0x0000000008460000-0x0000000008461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2116-128-0x0000000000000000-mapping.dmp

    Download

  • memory/2116-182-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-115-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-117-0x0000000005660000-0x0000000005661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-118-0x0000000002E50000-0x0000000002EE9000-memory.dmp

    Filesize

    612KB

    Download

  • memory/2412-120-0x00000000083A0000-0x00000000083A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-119-0x00000000088A0000-0x00000000088A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-121-0x0000000008440000-0x0000000008441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3976-165-0x00000000057A0000-0x00000000057AD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3976-176-0x00000000068A0000-0x00000000068AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3976-170-0x0000000006830000-0x000000000683C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3976-169-0x0000000006810000-0x0000000006816000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3976-171-0x0000000006840000-0x0000000006846000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3976-172-0x0000000006850000-0x0000000006857000-memory.dmp

    Filesize

    28KB

    Download

  • memory/3976-173-0x0000000006860000-0x000000000686D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3976-174-0x0000000006870000-0x0000000006879000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3976-175-0x0000000006880000-0x000000000688F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3976-168-0x00000000067F0000-0x0000000006805000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3976-177-0x00000000068B0000-0x00000000068D9000-memory.dmp

    Filesize

    164KB

    Download

  • memory/3976-178-0x00000000068F0000-0x00000000068FF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/3976-160-0x0000000005570000-0x0000000005573000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3976-159-0x0000000005340000-0x0000000005359000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3976-158-0x0000000005330000-0x0000000005335000-memory.dmp

    Filesize

    20KB

    Download

  • memory/3976-157-0x0000000005190000-0x0000000005191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3976-156-0x00000000052C0000-0x00000000057BE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3976-131-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/3976-132-0x000000000041E792-mapping.dmp

    Download