Analysis

  • max time kernel
    192s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/11/2022, 23:49

General

  • Target

    d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe

  • Size

    1.3MB

  • MD5

    756db4e0cf3709be976c2a5a60f46c94

  • SHA1

    1f6f46832eae245197f430a8fad2050da2f289f6

  • SHA256

    d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b

  • SHA512

    b80d636c74ffa84e6478a457b091d7f3da1d216593a19e357ce4be3c31c6d4ac1d8c59b0f3fa1548e585e8a5245225177ed83a657eaf3df2eefb72f20336df02

  • SSDEEP

    24576:z2O/Gl3V7aIeMVCDRnrsf7g6zwzMgh/20xt:rMVA25kIx6t

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

apananco.no-ip.biz:1177

5.254.112.21:1177

Mutex

0e1fb9df-1b4f-4517-a8e6-9035c916355d

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    5.254.112.21

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2015-01-24T14:36:48.256723236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    1177

  • default_group

    LightCore

  • enable_debug_mode

    true

  • gc_threshold

    10485760 (10 MiB)

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760 (10 MiB)

  • mutex

    0e1fb9df-1b4f-4517-a8e6-9035c916355d

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    apananco.no-ip.biz

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" label is the sandbox's generic description of this signature, not a finding about this sample: the report records no file-encryption activity and classifies the sample as the NanoCore RAT.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe
    "C:\Users\Admin\AppData\Local\Temp\d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Users\Admin\w4kgoi6994\iyrf.exe
      "C:\Users\Admin\w4kgoi6994\iyrf.exe" xqilbqxcfsa
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1172
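The extracted config and the process tree above are enough to hunt with: two C2 hosts on port 1177, a mutex GUID, the dropped-file hashes, and a dropped EXE under the user profile spawning the .NET utility RegSvcs.exe while the SetThreadContext/WriteProcessMemory signatures fire. The following is an added example, not part of the sandbox report or of any NanoCore tooling, that turns those values into matching rules and runs them over log records constructed inline for the example. The key=value log format, the rule names and the host name WS01 are assumptions; the indicator values are copied from the report.

```python
import hashlib
import re

# Indicators copied from the report above (extracted config and dropped files).
C2_HOSTS = {"apananco.no-ip.biz", "5.254.112.21"}
C2_PORT = 1177
MUTEX = "0e1fb9df-1b4f-4517-a8e6-9035c916355d"
DROPPED_SHA256 = {
    "fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b": "iyrf.exe",
    "64fb9b94c9cc1224f232371fd790ac6ff92cc216e8828d5701acf37415c03222": "psjr.FCK",
    "01e4a41502a51e5afaa3ca4d262359c73bc04a23a15479fe60b727e105da7cf2": "rzzadrap.OWJ",
    "e56b1f8e00007744395262afb4289d054b3a39b1f313e1a9461032492d44f16e": "xqilbqxcfsa",
}

# Behavioural rule from the process tree: a parent under C:\Users\ starting
# RegSvcs.exe. This is a heuristic (legitimate installers can do it too), so
# it is a lead to confirm, not a hash-grade indicator.
RE_REGSVCS = re.compile(r"\\regsvcs\.exe$", re.IGNORECASE)
RE_USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def parse_kv(line):
    """Parse one 'key=value key=value' record (assumed log format)."""
    rec = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def classify(line):
    """Return the names of every rule that fires on one log record."""
    rec = parse_kv(line)
    hits = []
    kind = rec.get("type")
    if kind == "dns":
        query = rec.get("query", "").lower().rstrip(".")
        if query in C2_HOSTS or rec.get("answer") in C2_HOSTS:
            hits.append("nanocore_c2_dns")
    elif kind == "conn":
        if rec.get("dst") in C2_HOSTS:
            hits.append("nanocore_c2_host")
            if rec.get("dport") == str(C2_PORT):
                hits.append("nanocore_c2_port")
    elif kind == "proc":
        if RE_REGSVCS.search(rec.get("image", "")) and RE_USER_PROFILE.match(rec.get("parent", "")):
            hits.append("regsvcs_spawned_from_user_profile")
    elif kind == "file":
        name = DROPPED_SHA256.get(rec.get("sha256", "").lower())
        if name:
            hits.append("dropped_file_hash:" + name)
    elif kind == "mutex":
        if rec.get("name", "").endswith(MUTEX):
            hits.append("nanocore_mutex")
    return hits


def scan(lines):
    """Run every rule over every record; return (rule, record) pairs."""
    return [(rule, line) for line in lines for rule in classify(line)]


def dropped_file_name(data):
    """Name the report's dropped file that a byte blob hashes to, or None."""
    return DROPPED_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed records for this example; not from the sandbox run.
SAMPLE_LOGS = [
    "type=dns host=WS01 query=apananco.no-ip.biz answer=5.254.112.21",
    "type=dns host=WS01 query=www.example.com answer=93.184.216.34",
    "type=conn host=WS01 dst=5.254.112.21 dport=1177 proto=tcp",
    "type=conn host=WS01 dst=5.254.112.21 dport=443 proto=tcp",
    "type=proc host=WS01 parent=C:\\Users\\Admin\\w4kgoi6994\\iyrf.exe "
    "image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
    "type=proc host=WS01 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe",
    "type=file host=WS01 path=C:\\Users\\Admin\\w4kgoi6994\\iyrf.exe "
    "sha256=fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b",
    "type=mutex host=WS01 name=Global\\0e1fb9df-1b4f-4517-a8e6-9035c916355d",
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_LOGS):
        print(f"{rule:40s} {line}")
```

The connection rule deliberately keys on the host first and only adds the port as a second hit: port 1177 alone is a weak indicator, while the no-ip.biz dynamic DNS name and the hard-coded backup IP come straight from the config and are worth alerting on even when the port changes.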

          Downloads

          • C:\Users\Admin\W4KGOI~1\psjr.FCK

            Filesize

            475KB

            MD5

            d0dd7979a608f9f3fe5f659cf5d8d91f

            SHA1

            d024262f5daddf1aec13b0fbb8443d3576fb3291

            SHA256

            64fb9b94c9cc1224f232371fd790ac6ff92cc216e8828d5701acf37415c03222

            SHA512

            0139ec01e90154ea0adef87381677cbe77aeca7d0d5f481862cbfaeface5628a98dd9a497a80038f0056a365857b9a9a781ee4e94e8ca96b0c08ff88dfd8c460

          • C:\Users\Admin\W4KGOI~1\rzzadrap.OWJ

            Filesize

            87B

            MD5

            032a73d538cf904ceb16feb2f316d122

            SHA1

            94c953f3a69836e95172f851ffde4afd788bf31a

            SHA256

            01e4a41502a51e5afaa3ca4d262359c73bc04a23a15479fe60b727e105da7cf2

            SHA512

            9923e2a5a399cd6ad7f969c1515b34ebc9c92203affdcdeff19565abd1b7887ffaf316b6b8097d721239435328f2675f0af02b1ccb61b038b3be65f00aa71d8d

          • C:\Users\Admin\w4kgoi6994\iyrf.exe

            Filesize

            732KB

            MD5

            71d8f6d5dc35517275bc38ebcc815f9f

            SHA1

            cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

            SHA256

            fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

            SHA512

            4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

          • C:\Users\Admin\w4kgoi6994\xqilbqxcfsa

            Filesize

            674.6MB

            MD5

            fc69e314bb5ad845ae2b81d726bd2e19

            SHA1

            fec0b584913e276a692de2599737e2cf0ac506b2

            SHA256

            e56b1f8e00007744395262afb4289d054b3a39b1f313e1a9461032492d44f16e

            SHA512

            d316d7e5f091f4d00b91181c78b3e11e7732ec3442df460749aace73be82eb6d1a2be9207af9668a44f0b7865231e5c1edae827f1ef3f3a2d6d661dabde83b01

          • \Users\Admin\w4kgoi6994\iyrf.exe

            Filesize

            732KB

            MD5

            71d8f6d5dc35517275bc38ebcc815f9f

            SHA1

            cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

            SHA256

            fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

            SHA512

            4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

          • memory/1172-65-0x0000000000090000-0x000000000010C000-memory.dmp

            Filesize

            496KB

          • memory/1172-70-0x0000000000090000-0x000000000010C000-memory.dmp

            Filesize

            496KB

          • memory/1172-67-0x0000000000090000-0x000000000010C000-memory.dmp

            Filesize

            496KB

          • memory/1172-72-0x0000000000090000-0x000000000010C000-memory.dmp

            Filesize

            496KB

          • memory/1976-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

            Filesize

            8KB