Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:40
General
-
Target
Purchase Order061720PDF.exe
-
Size
1.3MB
-
MD5
087c73bf612b9d9694409a763b3c270a
-
SHA1
d033c49a30a38a59764d2a1a2eab537574b53e98
-
SHA256
17fa709f1a866d573f997f8f1288d537de382cccc5a4f9c1811db9da34c016b2
-
SHA512
0f767f635e0edf66333835ced8e0f377aa9158137ff891af3d7ebaa3e18193c61bd88f22896dc7269aa03d97eb1852c9dbb882fe03d637a7b8e2107150db11c3
Malware Config
Extracted
nanocore
1.2.2.0
forwork61420.ddns.net:3118
forwork61420.duckdns.org:3118
713ef177-b6be-471f-adec-854b1cda1062
-
activate_away_mode
true
-
backup_connection_host
forwork61420.duckdns.org
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-28T15:15:12.586904536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
true
-
connect_delay
4000
-
connection_port
3118
-
default_group
TT
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
713ef177-b6be-471f-adec-854b1cda1062
-
mutex_timeout
5000
-
prevent_system_sleep
true
-
primary_connection_host
forwork61420.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order061720PDF.exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order061720PDF.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/992-55-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/992-57-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/992-62-0x000000000041E792-mapping.dmp
-
memory/992-63-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/992-64-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/992-68-0x0000000074330000-0x00000000748DB000-memory.dmpFilesize
5.7MB
-
memory/992-69-0x0000000002096000-0x00000000020A7000-memory.dmpFilesize
68KB
-
memory/1452-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmpFilesize
8KB
-
memory/1452-66-0x00000000001D0000-0x0000000000236000-memory.dmpFilesize
408KB
-
memory/1452-67-0x0000000000340000-0x00000000003A6000-memory.dmpFilesize
408KB