Analysis

  • max time kernel
    156s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/11/2022, 23:49

General

  • Target

    d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe

  • Size

    1.3MB

  • MD5

    756db4e0cf3709be976c2a5a60f46c94

  • SHA1

    1f6f46832eae245197f430a8fad2050da2f289f6

  • SHA256

    d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b

  • SHA512

    b80d636c74ffa84e6478a457b091d7f3da1d216593a19e357ce4be3c31c6d4ac1d8c59b0f3fa1548e585e8a5245225177ed83a657eaf3df2eefb72f20336df02

  • SSDEEP

    24576:z2O/Gl3V7aIeMVCDRnrsf7g6zwzMgh/20xt:rMVA25kIx6t

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

apananco.no-ip.biz:1177

5.254.112.21:1177

Mutex

0e1fb9df-1b4f-4517-a8e6-9035c916355d

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    5.254.112.21

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2015-01-24T14:36:48.256723236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    1177

  • default_group

    LightCore

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    0e1fb9df-1b4f-4517-a8e6-9035c916355d

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    apananco.no-ip.biz

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe
    "C:\Users\Admin\AppData\Local\Temp\d7cb77d326fe4234083d91674f2cfae0aacee10c93554d4ca2565ecbe4e39c4b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4216
    • C:\Users\Admin\w4kgoi6994\iyrf.exe
      "C:\Users\Admin\w4kgoi6994\iyrf.exe" xqilbqxcfsa
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2508

Network

        Downloads

        • C:\Users\Admin\W4KGOI~1\psjr.FCK

          Filesize

          475KB

          MD5

          d0dd7979a608f9f3fe5f659cf5d8d91f

          SHA1

          d024262f5daddf1aec13b0fbb8443d3576fb3291

          SHA256

          64fb9b94c9cc1224f232371fd790ac6ff92cc216e8828d5701acf37415c03222

          SHA512

          0139ec01e90154ea0adef87381677cbe77aeca7d0d5f481862cbfaeface5628a98dd9a497a80038f0056a365857b9a9a781ee4e94e8ca96b0c08ff88dfd8c460

        • C:\Users\Admin\W4KGOI~1\rzzadrap.OWJ

          Filesize

          87B

          MD5

          032a73d538cf904ceb16feb2f316d122

          SHA1

          94c953f3a69836e95172f851ffde4afd788bf31a

          SHA256

          01e4a41502a51e5afaa3ca4d262359c73bc04a23a15479fe60b727e105da7cf2

          SHA512

          9923e2a5a399cd6ad7f969c1515b34ebc9c92203affdcdeff19565abd1b7887ffaf316b6b8097d721239435328f2675f0af02b1ccb61b038b3be65f00aa71d8d

        • C:\Users\Admin\w4kgoi6994\iyrf.exe

          Filesize

          732KB

          MD5

          71d8f6d5dc35517275bc38ebcc815f9f

          SHA1

          cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

          SHA256

          fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

          SHA512

          4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

        • C:\Users\Admin\w4kgoi6994\xqilbqxcfsa

          Filesize

          674.6MB

          MD5

          fc69e314bb5ad845ae2b81d726bd2e19

          SHA1

          fec0b584913e276a692de2599737e2cf0ac506b2

          SHA256

          e56b1f8e00007744395262afb4289d054b3a39b1f313e1a9461032492d44f16e

          SHA512

          d316d7e5f091f4d00b91181c78b3e11e7732ec3442df460749aace73be82eb6d1a2be9207af9668a44f0b7865231e5c1edae827f1ef3f3a2d6d661dabde83b01

        • memory/2508-139-0x0000000001030000-0x00000000010AC000-memory.dmp

          Filesize

          496KB

        • memory/2508-140-0x0000000005A70000-0x0000000006014000-memory.dmp

          Filesize

          5.6MB

        • memory/2508-141-0x0000000005560000-0x00000000055F2000-memory.dmp

          Filesize

          584KB

        • memory/2508-142-0x00000000056A0000-0x000000000573C000-memory.dmp

          Filesize

          624KB

        • memory/2508-143-0x0000000005610000-0x000000000561A000-memory.dmp

          Filesize

          40KB