Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2022, 23:37

General

  • Target

    a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe

  • Size

    270KB

  • MD5

    2cb181105e8d2aff82b0e4ffa1b9c0a3

  • SHA1

    e80ed3c708459baeeb65ba143e4a87b83869df55

  • SHA256

    a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256

  • SHA512

    a7973fd5c8403dfd4e3504e5ebf908aab1ba87dcb31c1e13de2c8fe8bed26c4989dbcad6105dce9c7215f1cc3d9309f934f7cfca8f2a05a0b85e91bea4d252b3

  • SSDEEP

    3072:UBixpea+2WPGOqsm7GMwU51cuFzLe02owBqRK6gb8ekFCgGbCuCE0TYB9JPpJJUw:gib+Hmp1QhBqRKH4GOExB9tJUZs+PVPe

Malware Config

Extracted

Family

nanocore

Attributes
  • activate_away_mode

    false

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    0

  • build_time

    0001-01-01T00:00:00Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    0

  • connection_port

    0

  • default_group

  • enable_debug_mode

    false

  • gc_threshold

    0

  • keep_alive_timeout

    0

  • keyboard_logging

    false

  • lan_timeout

    0

  • max_packet_size

    0

  • mutex

  • mutex_timeout

    0

  • prevent_system_sleep

    false

  • primary_connection_host

  • primary_dns_server

  • request_elevation

    false

  • restart_delay

    0

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    0

  • use_custom_dns_server

    false

  • version

  • wan_timeout

    0

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe
    "C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe
      "C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      PID:2040

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe

          Filesize

          117KB

          MD5

          27ddcce8f1fce61204719d271f240aae

          SHA1

          7684d14fe04f0865fa1bdcb539f1223b1a17a194

          SHA256

          7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879

          SHA512

          37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b

        • C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe

          Filesize

          117KB

          MD5

          27ddcce8f1fce61204719d271f240aae

          SHA1

          7684d14fe04f0865fa1bdcb539f1223b1a17a194

          SHA256

          7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879

          SHA512

          37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b

        • \Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe

          Filesize

          117KB

          MD5

          27ddcce8f1fce61204719d271f240aae

          SHA1

          7684d14fe04f0865fa1bdcb539f1223b1a17a194

          SHA256

          7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879

          SHA512

          37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b

        • \Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe

          Filesize

          117KB

          MD5

          27ddcce8f1fce61204719d271f240aae

          SHA1

          7684d14fe04f0865fa1bdcb539f1223b1a17a194

          SHA256

          7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879

          SHA512

          37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b

        • memory/1632-54-0x0000000000BD0000-0x0000000000BFC000-memory.dmp

          Filesize

          176KB

        • memory/1632-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

          Filesize

          8KB

        • memory/1632-56-0x0000000000300000-0x0000000000312000-memory.dmp

          Filesize

          72KB

        • memory/2040-63-0x000000006F9A0000-0x000000006FF4B000-memory.dmp

          Filesize

          5.7MB

        • memory/2040-64-0x000000006F9A0000-0x000000006FF4B000-memory.dmp

          Filesize

          5.7MB