Overview

overview

10

Static

static

SecuriteIn...20.exe

windows7-x64

10

SecuriteIn...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2022 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.CrypterX-gen.26720.exe

  • Size

    564KB

  • MD5

    720d088da9cafaad486c347e0d09f696

  • SHA1

    9b751c34f71bb40b050dab0592ff45be56a602ad

  • SHA256

    a8eb775636faf8ab1f7083615f58d722b537467035be2f1e96360b3b700a1931

  • SHA512

    44addb293e0f363244c0b1830e7d0047703aaa2dcd66e1ed2b005c8c25d87e7eee90781bc3838df37a94d5214a02f98976b1965a5b3c0664d7747252f6c8fd30

  • SSDEEP

    12288:48l02b1zzUFFiRU9WnSmzxwTqZfs+0K+:TlfzzUFAKASmyTqY

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 6
        3⤵
        • Runs ping.exe
        PID:1816
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Bin" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Bin.exe"
        3⤵
        • Adds Run key to start application
        PID:1544
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.26720.exe" "C:\Users\Admin\AppData\Local\Bin.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Local\Bin.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 15
        3⤵
        • Runs ping.exe
        PID:808
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 15
        3⤵
        • Runs ping.exe
        PID:1764
      • C:\Users\Admin\AppData\Local\Bin.exe
        "C:\Users\Admin\AppData\Local\Bin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
            PID:856

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Bin.exe
      Filesize

      564KB

      MD5

      720d088da9cafaad486c347e0d09f696

      SHA1

      9b751c34f71bb40b050dab0592ff45be56a602ad

      SHA256

      a8eb775636faf8ab1f7083615f58d722b537467035be2f1e96360b3b700a1931

      SHA512

      44addb293e0f363244c0b1830e7d0047703aaa2dcd66e1ed2b005c8c25d87e7eee90781bc3838df37a94d5214a02f98976b1965a5b3c0664d7747252f6c8fd30

      Download Submit
    • C:\Users\Admin\AppData\Local\Bin.exe
      Filesize

      564KB

      MD5

      720d088da9cafaad486c347e0d09f696

      SHA1

      9b751c34f71bb40b050dab0592ff45be56a602ad

      SHA256

      a8eb775636faf8ab1f7083615f58d722b537467035be2f1e96360b3b700a1931

      SHA512

      44addb293e0f363244c0b1830e7d0047703aaa2dcd66e1ed2b005c8c25d87e7eee90781bc3838df37a94d5214a02f98976b1965a5b3c0664d7747252f6c8fd30

      Download Submit
    • \Users\Admin\AppData\Local\Bin.exe
      Filesize

      564KB

      MD5

      720d088da9cafaad486c347e0d09f696

      SHA1

      9b751c34f71bb40b050dab0592ff45be56a602ad

      SHA256

      a8eb775636faf8ab1f7083615f58d722b537467035be2f1e96360b3b700a1931

      SHA512

      44addb293e0f363244c0b1830e7d0047703aaa2dcd66e1ed2b005c8c25d87e7eee90781bc3838df37a94d5214a02f98976b1965a5b3c0664d7747252f6c8fd30

      Download Submit
    • memory/632-60-0x0000000000000000-mapping.dmp
      Download
    • memory/808-61-0x0000000000000000-mapping.dmp
      Download
    • memory/856-77-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/856-76-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/856-74-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/856-73-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1544-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1728-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1764-63-0x0000000000000000-mapping.dmp
      Download
    • memory/1816-59-0x0000000000000000-mapping.dmp
      Download
    • memory/2020-54-0x0000000000D00000-0x0000000000D92000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2020-57-0x00000000006B0000-0x00000000006C8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2020-56-0x0000000000BB0000-0x0000000000BE4000-memory.dmp
      Filesize

      208KB

      Download
    • memory/2020-55-0x0000000074D81000-0x0000000074D83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2044-65-0x0000000000000000-mapping.dmp
      Download
    • memory/2044-68-0x0000000000B60000-0x0000000000BF2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2044-70-0x0000000000B10000-0x0000000000B44000-memory.dmp
      Filesize

      208KB

      Download
    • memory/2044-71-0x0000000004DE0000-0x0000000004DFA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2044-72-0x0000000002250000-0x0000000002256000-memory.dmp
      Filesize

      24KB

      Download