Overview

overview

10

Static

static

55d261de4e...1d.exe

windows7_x64

10

55d261de4e...1d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-05-2022 14:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55d261de4ebfec14610e3019bdb47e1d.exe

  • Size

    663KB

  • MD5

    55d261de4ebfec14610e3019bdb47e1d

  • SHA1

    a89750499dca367037b9388a820e8fb56cd2f3bb

  • SHA256

    28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd

  • SHA512

    1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.208:50720

suchwoni13.ddns.net:50720
Mutex

b96b95d9-5642-498b-b1fc-e921a47a2e5a

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    suchwoni13.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-06-29T08:36:20.191838936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    50720

  • default_group

    PUNK44

  • enable_debug_mode

    true

  • gc_threshold

    1.0485779e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485779e+07

  • mutex

    b96b95d9-5642-498b-b1fc-e921a47a2e5a

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    194.5.98.208

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5009

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5008

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • suricata: ET MALWARE Possible NanoCore C2 60B

    suricata: ET MALWARE Possible NanoCore C2 60B

    suricata
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
    "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
      "{path}"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
        "C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
          "{path}"
          4⤵
            PID:4120
          • C:\Users\Admin\AppData\Local\Temp\55d261de4ebfec14610e3019bdb47e1d.exe
            "{path}"
            4⤵
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:4412

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\TCP Service\tcpsvc.exe
      Filesize

      663KB

      MD5

      55d261de4ebfec14610e3019bdb47e1d

      SHA1

      a89750499dca367037b9388a820e8fb56cd2f3bb

      SHA256

      28a8b5760f88ff56fccac79f506aa87de847161f5b3af7158792d098a60785dd

      SHA512

      1866b89a217f81de6b106a6094e526a872380ba35f45d83d74ca890dd97da331e127f5007b7e194e06b85b74866948f950fbff17773442e664fb0a364d2b339e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\55d261de4ebfec14610e3019bdb47e1d.exe.log
      Filesize

      1KB

      MD5

      84e77a587d94307c0ac1357eb4d3d46f

      SHA1

      83cc900f9401f43d181207d64c5adba7a85edc1e

      SHA256

      e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

      SHA512

      aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

      Download Submit
    • C:\Users\Admin\AppData\Roaming\2C37A701-1043-4F89-B4D1-D05ED25C6971\catalog.dat
      Filesize

      128B

      MD5

      0a9c5eae8756d6fc90f59d8d71a79e1e

      SHA1

      0f7d6aaed17cd18dc614535ed26335c147e29ed7

      SHA256

      b1921ea14c66927397baf3fa456c22b93c30c3de23546087c0b18551ce5001c5

      SHA512

      78c2f399ac49c78d89915dff99ac955b5e0ab07baad61b07b0ce073c88c1d3a9f1d302c2413691b349dd34441b0ff909c08a4f71e2f1b73f46c1ff308bc7cf9a

      Download Submit
    • C:\Users\Admin\AppData\Roaming\2C37A701-1043-4F89-B4D1-D05ED25C6971\run.dat
      Filesize

      8B

      MD5

      507b3af3fb96d7ec50d2cb98f1aecd5e

      SHA1

      4fb5b8cdeb5a7c09f7114e3831f577f30320b338

      SHA256

      4ffdea2b09a2e305d7c08e0f6294e13f95776f3d3b522a41d3573f4767eeff44

      SHA512

      50e54e3b38f8ee3bc91f2a53f822e167efad655ee765543883ab6dd69087113fef4f231c658047639ae19fabdffe2198318ab367a75cec288cdcc02ab90d51f7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\2C37A701-1043-4F89-B4D1-D05ED25C6971\storage.dat
      Filesize

      268KB

      MD5

      1e639455652305f70a15588dcee082c7

      SHA1

      7e147851acfe18053f60702108b956fdf977e766

      SHA256

      31090e4756888688e0a0c50579e7f71b2880cb0ebe947d23c93a2225903da738

      SHA512

      255d4eb3149250ebb6d7adfdb9eff9ad6700869c308c1cd37613b3218952a5ae644b08a387ce2f23442e003599c9b178e4474d3ceb59e9ea72c53af6b5eeb4be

      Download Submit
    • memory/2592-135-0x0000000000000000-mapping.dmp
      Download
    • memory/2592-136-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/3372-132-0x0000000004B90000-0x0000000004C22000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3372-130-0x00000000000F0000-0x000000000019C000-memory.dmp
      Filesize

      688KB

      Download
    • memory/3372-131-0x0000000005140000-0x00000000056E4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3372-134-0x0000000004B20000-0x0000000004B2A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3372-133-0x0000000004C30000-0x0000000004CCC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3676-137-0x0000000000000000-mapping.dmp
      Download
    • memory/4120-139-0x0000000000000000-mapping.dmp
      Download
    • memory/4412-140-0x0000000000000000-mapping.dmp
      Download
    • memory/4412-146-0x0000000006780000-0x00000000067E6000-memory.dmp
      Filesize

      408KB

      Download