Analysis

  • max time kernel
    117s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/11/2022, 23:39

General

  • Target

    742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d.exe

  • Size

    1.1MB

  • MD5

    75342cdd702056910a3fce3b434cf1b1

  • SHA1

    02728d0ad5e5c1f34ee3bd77bb7af144f83438f9

  • SHA256

    742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d

  • SHA512

    dd6dc0a07f0ffbbf0793c3e97d86de80720e6dca0216441b3ab46014975e186b975887a8cde3530b7a43fcbc078788ebe8df5fd065c0ac5779b98febaf7409ec

  • SSDEEP

    24576:Ktb20pkaCqT5TBWgNQ7aulZsRTXRDL6nY935ZSS6A:3Vg5tQ7aulZsRTXRD/55

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

moftsvs.ig42.org:9045

212.7.192.242:9045

Mutex

c7bf44a3-7212-4d60-9ee3-f0991c8392f8

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    212.7.192.242

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2015-03-06T14:55:41.478810836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    9045

  • default_group

    Default Team

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    c7bf44a3-7212-4d60-9ee3-f0991c8392f8

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    moftsvs.ig42.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings (1 TTP, 34 IoCs)
  • Suspicious use of FindShellTrayWindow (7 IoCs)
  • Suspicious use of SendNotifyMessage (6 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (17 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d.exe
    "C:\Users\Admin\AppData\Local\Temp\742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d.exe
      "C:\Users\Admin\AppData\Local\Temp\742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\lf2" "C:\Users\Admin\AppData\Local\Temp\742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d.exe" "742ce52cd8a692158fc20d0df48b688449c432f31a0d1854eda3f83d1324f76d.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\SysWOW64\WerFault.exe
        "C:\Windows\SysWOW64\WerFault.exe"
        3⤵
          PID:960
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WerFault.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:624
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:624 CREDAT:275457 /prefetch:2
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1192

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ger

    Filesize

    202KB

    MD5

    62cddffde88715a338548dbfa47b555c

    SHA1

    17d9eed664beee32f9fa62d61daaaac931885e51

    SHA256

    06538639dc35c0781397871581f21949a11afd5080d0f6a69b5c09c8d278cb8a

    SHA512

    0fe70f5fae9ca1fee043b00bd0119dc1c5a7055881c1ed91a725a8cf7476c365e0b0d621ce35b5e6ff9e07687e5fa8901c47c4496297723288b10b39bbaa5442

  • C:\Users\Admin\AppData\Local\Temp\lf2

    Filesize

    5KB

    MD5

    4ff1ccdb9061a9ee17931de9cc506a0f

    SHA1

    18246065474565a991de8b76043dca47c6afb51a

    SHA256

    b513a4cace0f3b588f32baba51b487d774de220503746f56ae9a655737a6d532

    SHA512

    6de408adf1dd625fe2917771aac3fbe5c88b1342382ee608684940e928392752ee4d7917667d25542ce982f2f86c6e06f14c6accdccba14921978ab399750886

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VKRSBZW2.txt

    Filesize

    603B

    MD5

    2651c96a3257575cb931b8e4fb14ffc7

    SHA1

    6c87e74d8d25ed07049f1accb0ac16ba1f80e5ab

    SHA256

    5a90db3e066ee772457401b1fbbb37fe48f98518eb3d2343546cb4d7bf5fa118

    SHA512

    c7c40294d88d174114653524945e59adf16a65d9ba5ed742eede51e0ebd040136ca20682eab7f8164467dc05f25ffe324dbf8420f1622dee7097acf526442657

  • memory/960-60-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/960-59-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/960-62-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/960-63-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/960-65-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1652-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

    Filesize

    8KB