Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 11:54
General
-
Target
invoice copy.pdf.exe
-
Size
935KB
-
MD5
8b2f9a3638a60c5cc706ad212528784d
-
SHA1
5289963f790c86ec11f85948197fa132d70d6f38
-
SHA256
4de6466841226eea95bef6fe6868d1c3d5808d8fafa3449e333f0b6d03253c84
-
SHA512
e868d26932365d1c170148d1f02b298c1bd561cea91b965724441440f122861a76c5112855cf056ed0c4fc77da2e733f4793555453af1d3bb39146dc8cab4156
Score
10/10
Malware Config
Extracted
Family
nanocore
Version
1.2.2.0
C2
weddinglight.ddns.net:4040
Mutex
0786f2c0-e128-4479-a9aa-d40c52591ebf
Attributes
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-04-25T20:55:59.623925336Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4040
-
default_group
wedding
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
0786f2c0-e128-4479-a9aa-d40c52591ebf
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
weddinglight.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/560-54-0x0000000075271000-0x0000000075273000-memory.dmpFilesize
8KB
-
memory/560-56-0x0000000000400000-0x00000000004F0000-memory.dmpFilesize
960KB
-
memory/908-55-0x000000000047D4C0-mapping.dmp
-
memory/908-57-0x00000000006E0000-0x0000000000718000-memory.dmpFilesize
224KB
-
memory/908-58-0x00000000006E0000-0x0000000000718000-memory.dmpFilesize
224KB
-
memory/908-60-0x00000000743D0000-0x000000007497B000-memory.dmpFilesize
5.7MB