Overview

overview

10

Static

static

55d261de4e...1d.exe

windows7_x64

10

55d261de4e...1d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14-05-2022 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55d261de4ebfec14610e3019bdb47e1d.exe

  • Size

    663KB

  • MD5

    55d261de4ebfec14610e3019bdb47e1d

  • SHA1

    a89750499dca367037b9388a820e8fb56cd2f3bb

  • SHA256

    28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd

  • SHA512

    1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.208:50720

suchwoni13.ddns.net:50720
Mutex

b96b95d9-5642-498b-b1fc-e921a47a2e5a

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    suchwoni13.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-06-29T08:36:20.191838936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    50720

  • default_group

    PUNK44

  • enable_debug_mode

    true

  • gc_threshold

    1.0485779e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485779e+07

  • mutex

    b96b95d9-5642-498b-b1fc-e921a47a2e5a

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    194.5.98.208

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5009

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5008

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • suricata: ET MALWARE Possible NanoCore C2 60B

    suricata: ET MALWARE Possible NanoCore C2 60B

    suricata
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
    "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
      "{path}"
      2⤵
        PID:948
      • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
        "{path}"
        2⤵
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
          "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:964
          • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
            "{path}"
            4⤵
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1840

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\DSL Service\dslsv.exe
      Filesize

      663KB

      MD5

      55d261de4ebfec14610e3019bdb47e1d

      SHA1

      a89750499dca367037b9388a820e8fb56cd2f3bb

      SHA256

      28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd

      SHA512

      1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\5A8ED3AC-CAE1-4E8B-9FD6-2D374700ADEF\catalog.dat
      Filesize

      128B

      MD5

      0a9c5eae8756d6fc90f59d8d71a79e1e

      SHA1

      0f7d6aaed17cd18dc614535ed26335c147e29ed7

      SHA256

      b1921ea14c66927397baf3fa456c22b93c30c3de23546087c0b18551ce5001c5

      SHA512

      78c2f399ac49c78d89915dff99ac955b5e0ab07baad61b07b0ce073c88c1d3a9f1d302c2413691b349dd34441b0ff909c08a4f71e2f1b73f46c1ff308bc7cf9a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\5A8ED3AC-CAE1-4E8B-9FD6-2D374700ADEF\run.dat
      Filesize

      8B

      MD5

      302686253d04257379c27a562bec8887

      SHA1

      2c6f8d3b2fcb096495afff51091d413c7a5791bd

      SHA256

      98bb7c0f657c23e5ae0ed82e863f65d31c94823c33835b395ea67e373d0e5d57

      SHA512

      4025ef8dfbfe7761663ae5d4c0e2f27179b265a9ee943518f63c445a907c3030324c4889550d3e1c1eaadef5f20e7f48d32c7c13f5defa515088cb5d6550a078

      Download Submit
    • C:\Users\Admin\AppData\Roaming\5A8ED3AC-CAE1-4E8B-9FD6-2D374700ADEF\storage.dat
      Filesize

      268KB

      MD5

      1e639455652305f70a15588dcee082c7

      SHA1

      7e147851acfe18053f60702108b956fdf977e766

      SHA256

      31090e4756888688e0a0c50579e7f71b2880cb0ebe947d23c93a2225903da738

      SHA512

      255d4eb3149250ebb6d7adfdb9eff9ad6700869c308c1cd37613b3218952a5ae644b08a387ce2f23442e003599c9b178e4474d3ceb59e9ea72c53af6b5eeb4be

      Download Submit
    • memory/964-76-0x0000000000000000-mapping.dmp
      Download
    • memory/1092-62-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1092-75-0x0000000000650000-0x000000000065A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1092-59-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1092-63-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1092-65-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1092-66-0x000000000041E792-mapping.dmp
      Download
    • memory/1092-70-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1092-68-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1092-72-0x00000000005C0000-0x00000000005CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1092-73-0x00000000005D0000-0x00000000005DC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1092-74-0x0000000000630000-0x000000000064E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1092-60-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1604-54-0x00000000011B0000-0x000000000125C000-memory.dmp
      Filesize

      688KB

      Download
    • memory/1604-58-0x00000000009C0000-0x00000000009FA000-memory.dmp
      Filesize

      232KB

      Download
    • memory/1604-57-0x0000000005750000-0x00000000057DE000-memory.dmp
      Filesize

      568KB

      Download
    • memory/1604-56-0x0000000000480000-0x000000000048A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1604-55-0x0000000076241000-0x0000000076243000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1840-85-0x000000000041E792-mapping.dmp
      Download
    • memory/1840-95-0x00000000009A0000-0x00000000009AC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1840-96-0x0000000000A80000-0x0000000000A9A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1840-97-0x0000000000A30000-0x0000000000A44000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1840-98-0x0000000000BC0000-0x0000000000BCE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1840-99-0x0000000000DB0000-0x0000000000DDE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1840-100-0x0000000000D60000-0x0000000000D74000-memory.dmp
      Filesize

      80KB

      Download