Analysis

  • max time kernel
    132s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:25

General

  • Target

    12c08fb8068c6d4c0d31153ea39ff7afa4e1a5785ab427e5b24a9f8ae19438e3.exe

  • Size

    203KB

  • MD5

    67fac5f141a21e0f67be9e468301905c

  • SHA1

    75931783aac47d185a14b66cb3c2758f7d15c655

  • SHA256

    12c08fb8068c6d4c0d31153ea39ff7afa4e1a5785ab427e5b24a9f8ae19438e3

  • SHA512

    d55d9b43f2a5188beed0088b3d960387fbfd80303e74583a9118bf69ad21a1e04cc7536d8c18142373bb9e5fe6f17b6cd9083b6b9f9b59ef8836e5e94b7669d3

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12c08fb8068c6d4c0d31153ea39ff7afa4e1a5785ab427e5b24a9f8ae19438e3.exe
    "C:\Users\Admin\AppData\Local\Temp\12c08fb8068c6d4c0d31153ea39ff7afa4e1a5785ab427e5b24a9f8ae19438e3.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp386F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1648
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "WPA Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp49AF.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1052

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp386F.tmp

    Filesize

    1KB

    MD5

    e6b718a86322232f1da01d9b215f6993

    SHA1

    a318430619c9a8622fbe2d60e930a6ae21875273

    SHA256

    ec120957257cbac3ecf9de81b0449ca1c79827f1153bbe0133862000e4fc9fb1

    SHA512

    47087886ec280a4f133bf50fdc5a7b9969e3c170edb2d8a8e8f60cd5f0160f2214fc943556857d70bab6423a784b134835a446b0130fba73d70af6088ad61be0

  • C:\Users\Admin\AppData\Local\Temp\tmp49AF.tmp

    Filesize

    1KB

    MD5

    4365cd1ae65923a319ef2683a45891fe

    SHA1

    85dde233112660e31c53884aedfbad52e4547e09

    SHA256

    84b6ce4ba26fa6fb57fa70b9ad191f7c42c71e259897955b5d514385bcd91b58

    SHA512

    d1bd24f504c5c2ecaa3ae98268ccc2e400ea3e16980c6caf394eadf7738225e4d5578fbe62bbe2de3fe0cb56a0d76bb3fc84cef3b9cd2f3d8be6d0becefdc035

  • memory/364-54-0x00000000752A1000-0x00000000752A3000-memory.dmp

    Filesize

    8KB

  • memory/364-55-0x00000000744E0000-0x0000000074A8B000-memory.dmp

    Filesize

    5.7MB

  • memory/1052-58-0x0000000000000000-mapping.dmp

  • memory/1648-56-0x0000000000000000-mapping.dmp