Overview

overview

10

Static

static

WT2lH6ZAAx8eKUZ.exe

windows10-2004_x64

10

Resubmissions

21-01-2022 05:27

220121-f5q46sdhc7 10

21-01-2022 03:41

220121-d8r5jadbhn 10

Analysis

  • max time kernel
    1794s
  • max time network
    1796s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    21-01-2022 05:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WT2lH6ZAAx8eKUZ.exe

  • Size

    1.1MB

  • MD5

    e53db947fce99439608c9a9553f69498

  • SHA1

    95375e0e9ccf538d02b37ece3f6f9abc069d28b2

  • SHA256

    17cb794e094d6cf35a700c399316360eb20eb235be61377ffd6dd0022ac3bb5f

  • SHA512

    2f49647eabd7b743c265ebcd3f5c1e4ac4d315594558b3ca4214db8f0aa22ac57062ac9930e01b2ce4836db54e65bcc77f0d6e9106f64b14239b600e84fc315a

Score
10/10
asyncratnanocorekeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

newcracker.duckdns.org:19864

mansengco778.ddns.net:19864
Mutex

78c2a1b8-c3ee-4490-87c7-ebf1799a33a0

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    mansengco778.ddns.net

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2021-07-31T15:07:21.224394636Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    19864

  • default_group

    END YEAR

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    78c2a1b8-c3ee-4490-87c7-ebf1799a33a0

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    newcracker.duckdns.org

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe
    "C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DitCsNFxpO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6228.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4000
    • C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe
      "{path}"
      2⤵
        PID:3556
      • C:\Users\Admin\AppData\Local\Temp\WT2lH6ZAAx8eKUZ.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2764
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vgssyl.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4008
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vgssyl.exe"'
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:544
            • C:\Users\Admin\AppData\Local\Temp\vgssyl.exe
              "C:\Users\Admin\AppData\Local\Temp\vgssyl.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2236
              • C:\Windows\SysWOW64\fondue.exe
                "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1520
                • C:\Windows\system32\FonDUE.EXE
                  "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
                  7⤵
                    PID:1136
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vlypak.scr"' & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3840
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vlypak.scr"'
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:560
              • C:\Users\Admin\AppData\Local\Temp\vlypak.scr
                "C:\Users\Admin\AppData\Local\Temp\vlypak.scr" /S
                5⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:3384
                • C:\Users\Admin\AppData\Local\Temp\71389037\uonsewk.pif
                  "C:\Users\Admin\AppData\Local\Temp\71389037\uonsewk.pif" svpqc.nrr
                  6⤵
                  • Executes dropped EXE
                  PID:1496
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
        1⤵
          PID:3980
        • C:\Windows\System32\WaaSMedicAgent.exe
          C:\Windows\System32\WaaSMedicAgent.exe faa615816241a1205b38889cb3ee1fa9 Pjx81x9EX0yx/8/CJ1J92A.0.1.0.0.0
          1⤵
          • Modifies data under HKEY_USERS
          PID:1576
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k wusvcs -p
          1⤵
            PID:2356
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k wusvcs -p
            1⤵
              PID:3732
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k wsappx -p
              1⤵
                PID:2328
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k wusvcs -p
                1⤵
                  PID:1036
                • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                  1⤵
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3744

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                Query Registry

                1
                T1012

                System Information Discovery

                2
                T1082

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WT2lH6ZAAx8eKUZ.exe.log
                  MD5

                  17573558c4e714f606f997e5157afaac

                  SHA1

                  13e16e9415ceef429aaf124139671ebeca09ed23

                  SHA256

                  c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

                  SHA512

                  f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                  MD5

                  5315900105942deb090a358a315b06fe

                  SHA1

                  22fe5d2e1617c31afbafb91c117508d41ef0ce44

                  SHA256

                  e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

                  SHA512

                  77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  MD5

                  e96883050c4ec06d58183718b5967286

                  SHA1

                  f5a60dde971a1886d7234ee7ca08c25a3b060e0e

                  SHA256

                  b902c7e3efe2aa8cb5eb09f3a6baa2c0b42806cc810eefe6c06554421f93432f

                  SHA512

                  39812a9a9b097d0f085c678d6f1481a95053da6bded5826f3eaa71a3274ff94da50a5d69fe19eb12a0c2da079a18175dbe6f6d1f2b151e5b661831b13505dd45

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\71389037\uonsewk.pif
                  MD5

                  f4ec7a7f74a8038814157a33ca2cf5c4

                  SHA1

                  46f2847056c85bda7bfac259ce80b43f6d20762e

                  SHA256

                  93dbd6e25b11e7512787153cb23e44ee9c463cc561ac04f4226631ab58bdf0a6

                  SHA512

                  67df6ccc37a467e44d8a945850dfc468ffc37c4bf660f1bc2c1e0fb923d6b6fa505349f4d1d55d7b4102449a8f073ec63493993220f57f07f0ad7ac1accd3b3d

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\71389037\uonsewk.pif
                  MD5

                  f4ec7a7f74a8038814157a33ca2cf5c4

                  SHA1

                  46f2847056c85bda7bfac259ce80b43f6d20762e

                  SHA256

                  93dbd6e25b11e7512787153cb23e44ee9c463cc561ac04f4226631ab58bdf0a6

                  SHA512

                  67df6ccc37a467e44d8a945850dfc468ffc37c4bf660f1bc2c1e0fb923d6b6fa505349f4d1d55d7b4102449a8f073ec63493993220f57f07f0ad7ac1accd3b3d

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\tmp6228.tmp
                  MD5

                  9c3e05c918e87520497934b9eab66cc2

                  SHA1

                  6c0d77d60c6f27a90415bdbc4a8a66c5da50bace

                  SHA256

                  085cb3e0de8a99f223979ec59cf7968e829d437c22948417f3dc291e025eaeeb

                  SHA512

                  986dc57017bb509cf7d9317a401a08b45dce874af2c48b4cc9b9d05d9514b245aa561bd394d8a60012871f4f62e8b5567db5eec05e96094d492eab50a3b43dec

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\vgssyl.exe
                  MD5

                  0023ecce99e706dfc8653684fde09de5

                  SHA1

                  73c62f0a520457a701079003b230affc8ce31e20

                  SHA256

                  33957cc4479b6e6465101ea76f536142b3dda64c5c3025c96c0e63ade66410da

                  SHA512

                  c7bb4f3fb8678c3c926bcd93dd9755ade2c89c9e4e3799c11a017235f1be1b72b1d634c6c60080829a2c8c774d47b74291ac17c8864a87288ee88aa726a90d91

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\vgssyl.exe
                  MD5

                  0023ecce99e706dfc8653684fde09de5

                  SHA1

                  73c62f0a520457a701079003b230affc8ce31e20

                  SHA256

                  33957cc4479b6e6465101ea76f536142b3dda64c5c3025c96c0e63ade66410da

                  SHA512

                  c7bb4f3fb8678c3c926bcd93dd9755ade2c89c9e4e3799c11a017235f1be1b72b1d634c6c60080829a2c8c774d47b74291ac17c8864a87288ee88aa726a90d91

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\vlypak.scr
                  MD5

                  87b3045af8d9eaccfc30d02c188c5aac

                  SHA1

                  1f598d0213e56c64ce06b5726d6238d8be625120

                  SHA256

                  053bb72cb0f173c2c3294af0f1dcf41073ddecbc19dcf3f4ce1f586c41ae970f

                  SHA512

                  f9e3c510746c06129d2ae5b9fee6e290553b27b8a8624bbfbf345cadf50d4c523e173ba3bd051301b0e29528f79b075d6966a9d2906d2e59485dabdd6fc558f1

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\vlypak.scr
                  MD5

                  87b3045af8d9eaccfc30d02c188c5aac

                  SHA1

                  1f598d0213e56c64ce06b5726d6238d8be625120

                  SHA256

                  053bb72cb0f173c2c3294af0f1dcf41073ddecbc19dcf3f4ce1f586c41ae970f

                  SHA512

                  f9e3c510746c06129d2ae5b9fee6e290553b27b8a8624bbfbf345cadf50d4c523e173ba3bd051301b0e29528f79b075d6966a9d2906d2e59485dabdd6fc558f1

                  Download Submit
                • memory/544-158-0x0000000008C20000-0x0000000008C42000-memory.dmp
                  Filesize

                  136KB

                  Download
                • memory/544-157-0x0000000008BD0000-0x0000000008BEA000-memory.dmp
                  Filesize

                  104KB

                  Download
                • memory/544-156-0x0000000008C50000-0x0000000008CE6000-memory.dmp
                  Filesize

                  600KB

                  Download
                • memory/544-155-0x0000000004F15000-0x0000000004F17000-memory.dmp
                  Filesize

                  8KB

                  Download
                • memory/544-148-0x0000000004DB0000-0x0000000004DE6000-memory.dmp
                  Filesize

                  216KB

                  Download
                • memory/544-149-0x0000000004F10000-0x0000000004F11000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/544-150-0x0000000004F12000-0x0000000004F13000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/544-151-0x0000000007950000-0x0000000007F78000-memory.dmp
                  Filesize

                  6.2MB

                  Download
                • memory/544-152-0x0000000007FB0000-0x0000000007FD2000-memory.dmp
                  Filesize

                  136KB

                  Download
                • memory/544-153-0x0000000008050000-0x00000000080B6000-memory.dmp
                  Filesize

                  408KB

                  Download
                • memory/544-154-0x00000000086F0000-0x000000000870E000-memory.dmp
                  Filesize

                  120KB

                  Download
                • memory/560-167-0x0000000004152000-0x0000000004153000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/560-166-0x0000000004150000-0x0000000004151000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2764-144-0x00000000070C0000-0x0000000007136000-memory.dmp
                  Filesize

                  472KB

                  Download
                • memory/2764-143-0x00000000059E0000-0x0000000005A46000-memory.dmp
                  Filesize

                  408KB

                  Download
                • memory/2764-145-0x0000000007060000-0x000000000707E000-memory.dmp
                  Filesize

                  120KB

                  Download
                • memory/2764-140-0x0000000005A50000-0x0000000005A51000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2764-138-0x0000000000400000-0x0000000000412000-memory.dmp
                  Filesize

                  72KB

                  Download
                • memory/3076-130-0x00000000002F0000-0x000000000040C000-memory.dmp
                  Filesize

                  1.1MB

                  Download
                • memory/3076-135-0x0000000004ED0000-0x0000000004F26000-memory.dmp
                  Filesize

                  344KB

                  Download
                • memory/3076-136-0x0000000004ED0000-0x0000000005474000-memory.dmp
                  Filesize

                  5.6MB

                  Download
                • memory/3076-134-0x0000000004E40000-0x0000000004E4A000-memory.dmp
                  Filesize

                  40KB

                  Download
                • memory/3076-133-0x0000000004F70000-0x0000000005002000-memory.dmp
                  Filesize

                  584KB

                  Download
                • memory/3076-132-0x0000000005480000-0x0000000005A24000-memory.dmp
                  Filesize

                  5.6MB

                  Download
                • memory/3076-131-0x0000000004D90000-0x0000000004E2C000-memory.dmp
                  Filesize

                  624KB

                  Download