Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2022 04:46

General

  • Target

    bc5216eb11fdf50e8e56159be45e89bca7396c057c9d9bfbfc54a52837fb99b0.exe

  • Size

    1.1MB

  • MD5

    0ea6ca9f4b58c8dda83575997e9a1b9c

  • SHA1

    7a151a23d6e48adbfc9fecd396ea1130c208f0cd

  • SHA256

    bc5216eb11fdf50e8e56159be45e89bca7396c057c9d9bfbfc54a52837fb99b0

  • SHA512

    ad48f1ee46011f922031defab05ef17dc6993f29fe8a81defbbfcb0b34307037e1702ece38ac77d14377c6af5ecd4e1b386b4008c1d46ccb55cb406beb6da415

Malware Config

Signatures

  • NanoCore

    NanoCore is a commodity .NET remote access trojan (RAT) built around a plugin architecture; common plugins provide keylogging, credential theft, screen capture and a remote shell. In this run the sample (PID 1656) spawns the signed .NET framework binary RegAsm.exe with no arguments and then uses SetThreadContext, WriteProcessMemory and MapViewOfSection, a sequence consistent with hollowing the child process to run the payload under a legitimate image name; the Run key entry provides persistence across reboots.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (44 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc5216eb11fdf50e8e56159be45e89bca7396c057c9d9bfbfc54a52837fb99b0.exe
    "C:\Users\Admin\AppData\Local\Temp\bc5216eb11fdf50e8e56159be45e89bca7396c057c9d9bfbfc54a52837fb99b0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1652
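The process tree above is the observable form of the hollowing-plus-persistence pattern: the sample spawns a signed .NET host with a bare command line, writes into it, and registers itself under a Run key. The following is an added example (not part of the sandbox report or of NanoCore) that replays that behaviour over a constructed event list and flags it; the event dicts, their field names and the Run key value name are an assumed schema for illustration, not a real sandbox or Sysmon format, and the list of commonly abused .NET host binaries is likewise an assumption.

```python
"""Added example, not part of the sandbox report: detect a parent that spawns
a child and then uses WriteProcessMemory + SetThreadContext against it, plus
Run-key persistence, over constructed events modelled on the process tree."""
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\bc5216eb11fdf50e8e56159be45e89bca7396c057c9d9bfbfc54a52837fb99b0.exe")
REGASM = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

# Constructed events: PIDs and image paths come from the report, the event
# schema, ordering and the Run key value name are assumptions for this example.
EVENTS = [
    {"type": "process_create", "pid": 1656, "ppid": None, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_set", "pid": 1656,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "constructed_value_name"},
    {"type": "process_create", "pid": 1652, "ppid": 1656, "image": REGASM,
     "cmdline": f'"{REGASM}"'},  # bare path: RegAsm.exe launched with no arguments
    {"type": "api_call", "pid": 1656, "api": "WriteProcessMemory", "target_pid": 1652},
    {"type": "api_call", "pid": 1656, "api": "SetThreadContext", "target_pid": 1652},
]

# Signed .NET framework binaries frequently used as injection hosts (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Both calls against a process the actor itself created is the hollowing sequence.
HOLLOW_APIS = {"WriteProcessMemory", "SetThreadContext"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _has_arguments(cmdline, image):
    """True unless the command line is nothing but the (possibly quoted) image path."""
    return cmdline.strip().strip('"').lower() != image.lower()


def find_hollowing(events):
    """One hit per (parent, child) pair where the parent spawned the child and
    then used every API in HOLLOW_APIS against it."""
    created = {e["pid"]: e for e in events if e["type"] == "process_create"}
    apis = defaultdict(set)  # (actor pid, target pid) -> APIs seen on that edge
    for e in events:
        if e["type"] == "api_call" and e["api"] in HOLLOW_APIS:
            apis[(e["pid"], e["target_pid"])].add(e["api"])
    hits = []
    for (actor, target), used in apis.items():
        child = created.get(target)
        # Writes into a process the actor did not spawn are a different pattern.
        if child is None or child["ppid"] != actor or not HOLLOW_APIS <= used:
            continue
        hits.append({
            "parent": actor,
            "child": target,
            "image": child["image"],
            "signed_dotnet_host": _basename(child["image"]) in DOTNET_HOSTS,
            "no_arguments": not _has_arguments(child["cmdline"], child["image"]),
        })
    return hits


def find_run_key_persistence(events):
    r"""Registry writes under ...\CurrentVersion\Run (or RunOnce) by any process."""
    return [e for e in events
            if e["type"] == "registry_set" and "\\currentversion\\run" in e["key"].lower()]


if __name__ == "__main__":
    for h in find_hollowing(EVENTS):
        print(f"hollowing: {h['parent']} -> {h['child']} ({h['image']}), "
              f"signed .NET host={h['signed_dotnet_host']}, no args={h['no_arguments']}")
    for r in find_run_key_persistence(EVENTS):
        print(f"persistence: pid {r['pid']} wrote {r['key']}\\{r['value_name']}")
```

The check deliberately requires the parent to be the one that created the target: a process writing into a child it just spawned with an empty command line is far more specific than either API call on its own, which legitimate debuggers and installers also make.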

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1652-55-0x000000000041E792-mapping.dmp
  • memory/1652-58-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize 5.7MB)
  • memory/1652-60-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize 5.7MB)
  • memory/1656-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp (Filesize 8KB)
  • memory/1656-57-0x0000000000120000-0x0000000000123000-memory.dmp (Filesize 12KB)
  • memory/1656-59-0x0000000000120000-0x0000000000123000-memory.dmp (Filesize 12KB)
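The dump names above encode the PID, a sequence number and the dumped address range, so the printed sizes can be recomputed from the names themselves. The following is an added example (not part of the sandbox report) that parses those names, derives each region's size, checks it against the reported figure and collapses repeated dumps of the same region; the name grammar (pid-seq-start[-end]-kind.dmp) is inferred from the six entries listed here and is an assumption beyond them.

```python
"""Added example, not part of the sandbox report: parse memory-dump file
names, derive region sizes from the address ranges and verify them against
the sizes the report prints."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")

# (file name, size as printed in the report); the mapping dump has no size listed.
DUMPS = [
    ("memory/1652-55-0x000000000041E792-mapping.dmp", None),
    ("memory/1652-58-0x00000000741B0000-0x000000007475B000-memory.dmp", "5.7MB"),
    ("memory/1652-60-0x00000000741B0000-0x000000007475B000-memory.dmp", "5.7MB"),
    ("memory/1656-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp", "8KB"),
    ("memory/1656-57-0x0000000000120000-0x0000000000123000-memory.dmp", "12KB"),
    ("memory/1656-59-0x0000000000120000-0x0000000000123000-memory.dmp", "12KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, seq, kind, start, end and size (end - start).
    Mapping dumps carry a single address, so end and size are None."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "size": end - start if end is not None else None}


def human_size(n):
    """Format like the report: whole KB below 1 MiB, one decimal MB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1024:
        return f"{n / 1024:g}KB"
    return f"{n}B"


def check_reported_sizes(dumps):
    """Return (name, computed, reported) for every range dump whose size
    computed from the address range disagrees with the printed size."""
    bad = []
    for name, reported in dumps:
        d = parse_dump_name(name)
        if d["size"] is None:
            continue
        computed = human_size(d["size"])
        if computed != reported:
            bad.append((name, computed, reported))
    return bad


def regions_by_pid(dumps):
    """Distinct (start, end) ranges per PID; the same region dumped twice
    (seq 57/59 and 58/60 above) collapses to one entry."""
    regions = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["end"] is not None:
            regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in regions.items()}


if __name__ == "__main__":
    for name, reported in DUMPS:
        d = parse_dump_name(name)
        size = human_size(d["size"]) if d["size"] is not None else "n/a"
        rng = f"0x{d['start']:08X}" + (f"-0x{d['end']:08X}" if d["end"] else "")
        print(f"pid {d['pid']:>5} seq {d['seq']:>3} {d['kind']:<7} {rng} {size}")
    print("size mismatches:", check_reported_sizes(DUMPS))
    for pid, ranges in regions_by_pid(DUMPS).items():
        print(pid, [f"0x{s:X}-0x{e:X}" for s, e in ranges])
```

Run against the six entries above the size check reports no mismatches (0x7475B000 - 0x741B0000 = 0x5AB000 bytes, which rounds to 5.7MB), and the per-PID view shows that RegAsm.exe (1652) has a single 5.7MB region dumped twice while 1656 has two small regions.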