Overview

overview

10

Static

static

47534a4dd4...55.exe

windows7-x64

10

47534a4dd4...55.exe

windows10-2004-x64

Analysis

  • max time kernel
    83s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 14:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47534a4dd4deb5efd05fa32f8cc49b911832a735f0c1500e5d8de2700690f355.exe

  • Size

    544KB

  • MD5

    05fd0b57f4e2433c6ec515b40a0a9ebe

  • SHA1

    f18e540f9b20349bd431d78533e5ac8a40ae3ea2

  • SHA256

    47534a4dd4deb5efd05fa32f8cc49b911832a735f0c1500e5d8de2700690f355

  • SHA512

    4bc0a0c9fa06dda684621e670cb5f18c055187d3b535fec7955bb571ab7db151c0c60557814a96871eae42b687f3875efd926666edb7876a292bb7096f5687e5

  • SSDEEP

    3072:hqIQi2PAheBsUKTpoUHf0MeaiuVXk6QP9GzeQlufXATUDXxK6JK8v/AkwbiCD/Y9:voAh3TplHfMaBi9GzhurxLNm9K

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47534a4dd4deb5efd05fa32f8cc49b911832a735f0c1500e5d8de2700690f355.exe
    "C:\Users\Admin\AppData\Local\Temp\47534a4dd4deb5efd05fa32f8cc49b911832a735f0c1500e5d8de2700690f355.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Windows\SysWOW64\REG.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "run" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\msconfg\cmd.exe"
      2⤵
      • Adds Run key to start application
      PID:1732
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\\cvtres.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=cvtres.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1504

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9PI4CI6A.txt
    Filesize

    608B

    MD5

    31961d2397ec9103e8aa002041416d63

    SHA1

    df8a0777e496acb4d7748222290693472ad1b170

    SHA256

    e419932fd243139f4c0c5e3f28c871842d029f0784b730e775c8d8c98616dd8a

    SHA512

    9c414275db14f67ad2aa5389733be0df1d812fa1e049aacee6c448fdf7fb415ce11d1214dc44863a6028abdca2ace1e4ce2f32b81701f054abd6b5f77e1f6255

    Download Submit

  • memory/936-61-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/936-57-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/936-58-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/936-60-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/936-63-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/936-64-0x000000000041C01E-mapping.dmp

    Download

  • memory/936-67-0x0000000000402000-0x000000000041C200-memory.dmp

    Filesize

    104KB

    Download

  • memory/936-66-0x0000000000402000-0x000000000041C200-memory.dmp

    Filesize

    104KB

    Download

  • memory/1488-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1488-68-0x0000000073E20000-0x00000000743CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1488-55-0x0000000073E20000-0x00000000743CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1732-56-0x0000000000000000-mapping.dmp

    Download