Overview

overview

10

Static

static

5

Scan Copy$$.scr

windows7-x64

10

Scan Copy$$.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-07-2022 05:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Scan Copy$$.scr

  • Size

    1.1MB

  • MD5

    7abe31b58ea898b5f25c33d9572d70ca

  • SHA1

    a6be14ddb35a3d13d826bcc5833836b5ef4c8e4a

  • SHA256

    01dbae054610259b1b33585a88a042e8762ec1c5a239c9fd0f821dc240235c16

  • SHA512

    bf56d9321467b93011258753e3fd976755e2f4a1e81a95a4b1fcdf3eff45a7e1a70d58049d6a9da2d00dc6a9c7536eaebe4a680f72f8a351b3456f246cf99110

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr
    "C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\Scan Copy$$.scr" "C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe"
      2⤵
        PID:604
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
          PID:2896
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
          2⤵
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2300

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\pcaui\bdeunlock.exe
        Filesize

        1.1MB

        MD5

        7abe31b58ea898b5f25c33d9572d70ca

        SHA1

        a6be14ddb35a3d13d826bcc5833836b5ef4c8e4a

        SHA256

        01dbae054610259b1b33585a88a042e8762ec1c5a239c9fd0f821dc240235c16

        SHA512

        bf56d9321467b93011258753e3fd976755e2f4a1e81a95a4b1fcdf3eff45a7e1a70d58049d6a9da2d00dc6a9c7536eaebe4a680f72f8a351b3456f246cf99110

        Download Submit
      • memory/604-130-0x0000000000000000-mapping.dmp
        Download
      • memory/1868-132-0x0000000003B20000-0x0000000003B23000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2300-133-0x0000000000000000-mapping.dmp
        Download
      • memory/2300-134-0x0000000073620000-0x0000000073BD1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2300-135-0x0000000073620000-0x0000000073BD1000-memory.dmp
        Filesize

        5.7MB

        Download