Analysis

  • max time kernel
    174s
  • max time network
    193s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-10-2022 01:48

General

  • Target

    7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe

  • Size

    470KB

  • MD5

    15a861b54403084db2cfabc2f7e0dd40

  • SHA1

    6498b6fc584cc8af7265874b8bd9af77218760fb

  • SHA256

    7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02

  • SHA512

    6532568dd8fb03ac5573ece2019cac67eafbb4f51b50a56cd87976a92a06f3350c31043c7e08ab5049487e37bd7ee45a84e158867ddd0f271b73ba662010e80c

  • SSDEEP

    6144:+8SRDa8qLzrqUeQfHR2sle1tgk25MBqpp6joQ68SRDa8qLzrqUeQfHR2sle1tgkm:EPKrnsrkOBqdPKrnsrkOBqp

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

C2

new555.ddns.net:9033

Mutex

8c75819e-ba86-4f76-b760-0b353e60a683

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    new555.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2015-05-09T09:12:09.414523536Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    9033

  • default_group

    FIREMANSS

  • enable_debug_mode

    true

  • gc_threshold

    1.0448576e+08

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0448576e+08

  • mutex

    8c75819e-ba86-4f76-b760-0b353e60a683

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    new555.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.2

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Sets file to hidden (1 TTPs, 1 IoCs)

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application (2 TTPs, 47 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe (1 TTPs, 10 IoCs)
  • Suspicious behavior: EnumeratesProcesses (48 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Views/modifies file attributes (1 TTPs, 1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe
    "C:\Users\Admin\AppData\Local\Temp\7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\SysWOW64\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h C:\Users\Admin\AppData\Local\Temp\7f78edb4342a13fb5534588c49b0ab64e67026b627accedadee2a92473437a02.exe
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1092
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:820
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:2016
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:3500
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:3532
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:3220
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:2688
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:1856
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:4468
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:3044
    • C:\Windows\SysWOW64\ping.exe
      C:\Windows\System32\ping.exe google.com
      2⤵
      • Runs ping.exe
      PID:924
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:3436
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:4044
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:3120
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:1044
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:4852
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:972
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:2712
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:2268
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:1324
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:4628
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:1060
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:344
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:3888
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:3528
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:2936
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:2384
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:880
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:1980
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:4944
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:2212
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:3764
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:1584
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "chrome . exe" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\sub folder\google chrome.exe
      2⤵
      • Adds Run key to start application
      PID:2540

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • T1158 Hidden Files and Directories (2)
  • T1060 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1158 Hidden Files and Directories (2)
  • T1112 Modify Registry (1)

Discovery

  • T1012 Query Registry (1)
  • T1082 System Information Discovery (3)
  • T1018 Remote System Discovery (1)

Downloads
