Analysis
-
max time kernel
118s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
19-10-2021 18:47
General
-
Target
Invoice and waybill.exe
-
Size
522KB
-
MD5
9cae0efc5e46764e812450c11f385dfd
-
SHA1
a3d56b062283d8acc79cc7310b4dcfca60a7b66f
-
SHA256
e9431fe2082e51e40fe79444314c55e511a90ef1d8abdf9304e653cf24d22d78
-
SHA512
eb4152cf8e038ec0b21dd4e200a78f6697eeadabef7c6b3449375c922b70fb470d80735d4507e16ada92947dfb5c4bedd140b388402f28371f3742c1dd7b039e
Malware Config
Extracted
nanocore
1.2.2.0
kamuchehddhgfgf.ddns.net:1187
37.0.10.22:1187
9ff0e8a4-a323-4111-bc49-0daecb63120d
-
activate_away_mode
true
-
backup_connection_host
37.0.10.22
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-07-17T00:05:39.048278936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1187
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
9ff0e8a4-a323-4111-bc49-0daecb63120d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
kamuchehddhgfgf.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"C:\Users\Admin\AppData\Local\Temp\Invoice and waybill.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Invoice and waybill.exe.logMD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
-
memory/1736-118-0x000000000041E792-mapping.dmp
-
memory/1736-117-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1736-120-0x0000000002E80000-0x0000000002E81000-memory.dmpFilesize
4KB
-
memory/2324-115-0x00000000009F0000-0x0000000000A9E000-memory.dmpFilesize
696KB
-
memory/2324-116-0x00000000009F0000-0x0000000000A9E000-memory.dmpFilesize
696KB