Overview

overview

10

Static

static

173c0f1229...cf.exe

windows7-x64

10

173c0f1229...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2022, 00:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    173c0f122944b95a048f528c1fb2c96e86c5e44bd7f3413099fe8f139d42aecf.exe

  • Size

    657KB

  • MD5

    a858512eec8ab0a31e7ce36d59d7531d

  • SHA1

    2b71be5583c95ed3d689b301a655d9c1f4d2a87b

  • SHA256

    173c0f122944b95a048f528c1fb2c96e86c5e44bd7f3413099fe8f139d42aecf

  • SHA512

    c156958c3b0204ed186f734f668ee4f28f23b6dacfa09092f2cd10cfe8ded04179300b0b1dede3f68f3c2b7e95866abcaf7f938be1ed9f22aa28cd8dd4e3196f

  • SSDEEP

    12288:pAVfb2seNOvvBBcXoFYrMc9nb5B0yIbKlJfKYO7:pAICBxc9ndB0dKJfU

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

epicryan449.duckdns.org:9033

Mutex

b1f0650b-c862-4cf6-a847-7eebce7241a0

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2014-11-06T01:35:23.092012636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    9033

  • default_group

    TMC H1Z1

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    b1f0650b-c862-4cf6-a847-7eebce7241a0

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    epicryan449.duckdns.org

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.1.1

  • wan_timeout

    8000

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\173c0f122944b95a048f528c1fb2c96e86c5e44bd7f3413099fe8f139d42aecf.exe
    "C:\Users\Admin\AppData\Local\Temp\173c0f122944b95a048f528c1fb2c96e86c5e44bd7f3413099fe8f139d42aecf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\mata.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\wscript.exe
        wscript.exe "C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\mata2.bat"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\mata2.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe" /f
            5⤵
            • Modifies WinLogon for persistence
            PID:3652
    • C:\Users\Admin\AppData\Local\Temp\svhost.exe
      C:\Users\Admin\AppData\Local\Temp\svhost.exe
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:3552
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhost.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 60
        3⤵
        • Delays execution with timeout.exe
        PID:2164
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /nh /fi "imagename eq svhost .exe"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
      • C:\Windows\SysWOW64\find.exe
        find /i "svhost .exe"
        3⤵
          PID:752
        • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe
          "C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3992
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            C:\Users\Admin\AppData\Local\Temp\svhost.exe
            4⤵
            • Executes dropped EXE
            PID:1480
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 60
          3⤵
          • Delays execution with timeout.exe
          PID:1956
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /nh /fi "imagename eq svhost .exe"
          3⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
        • C:\Windows\SysWOW64\find.exe
          find /i "svhost .exe"
          3⤵
            PID:4108
          • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe
            "C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1740
            • C:\Users\Admin\AppData\Local\Temp\svhost.exe
              C:\Users\Admin\AppData\Local\Temp\svhost.exe
              4⤵
                PID:3220
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 60
              3⤵
              • Delays execution with timeout.exe
              PID:1908
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\melt.bat
            2⤵
              PID:2208

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\svhostssearch.exe.log
                  Filesize

                  408B

                  MD5

                  42157868488d3ef98c00e3fa12f064be

                  SHA1

                  aad391be9ac3f6ce1ced49583690486a5f4186fb

                  SHA256

                  b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c

                  SHA512

                  8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhost.exe
                  Filesize

                  52KB

                  MD5

                  a64daca3cfbcd039df3ec29d3eddd001

                  SHA1

                  eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

                  SHA256

                  403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

                  SHA512

                  b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhost.exe
                  Filesize

                  52KB

                  MD5

                  a64daca3cfbcd039df3ec29d3eddd001

                  SHA1

                  eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

                  SHA256

                  403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

                  SHA512

                  b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhost.exe
                  Filesize

                  52KB

                  MD5

                  a64daca3cfbcd039df3ec29d3eddd001

                  SHA1

                  eee8b2573f71e8d5c3ee7e53af3e6772e090d0f3

                  SHA256

                  403752009f29381d5e4036b8be94589c89188f9ce8ef5f86959eaaada019ed36

                  SHA512

                  b6fe2d0ae3fcd4442579ecf10d498d61e0f042813c8fc4be8019da77d849cfcf0b168507139a1b5697227c272de9091788f8e03cf1ce13d5b5077568cfa6a479

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\invs.vbs
                  Filesize

                  78B

                  MD5

                  c578d9653b22800c3eb6b6a51219bbb8

                  SHA1

                  a97aa251901bbe179a48dbc7a0c1872e163b1f2d

                  SHA256

                  20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

                  SHA512

                  3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\mata.bat
                  Filesize

                  82B

                  MD5

                  2c7d21e7ac49249e23d1a91a83c1a117

                  SHA1

                  ca11bfaf886edd2c77eb4c440ef0a54d984ca07c

                  SHA256

                  52d6a82bc1f08c80619e5ac68c8517466886e4045d228f1a2762db49976cd11f

                  SHA512

                  d57ecffeb49fd17663c0c3168ca55187cda28e51cd1296bd26c40c5b01e9e172ee9b6c13332f69f435b320300af496f207c54243eb531f0191f09205bcb84764

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\mata2.bat
                  Filesize

                  294B

                  MD5

                  ba3d759c93b10c70c9ea03f2d30f2611

                  SHA1

                  56cebe93e9b86170278949de110cbb2859546a11

                  SHA256

                  b4bdb5460bbc0099583aba3b380478774e8e5eb2974127e68218464ba1734cd7

                  SHA512

                  289e931fac98010e88cd85592c68ea0241b5daedc9096d660169016ee8165173cf18f92e0b4a4c591cb64c761420cb3002cb0532ba5e5a7e6822f3ba522206c4

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\melt.bat
                  Filesize

                  120B

                  MD5

                  f87fe72b74786539d6a70c63f85bf973

                  SHA1

                  b150a8c33a65290fa0a5252409736898219d1171

                  SHA256

                  c9070426f2e2cb970017ff252a7a3041cf2e157f1023e216ab617ad833f0471a

                  SHA512

                  cfec863872b8c7e824a3ed5565b6522d310c63f7623f64a4ade389e5c21f9b237005bee8bef449e3871812b938253100e5f735749f10e461b4c92674b3e20749

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhost.bat
                  Filesize

                  223B

                  MD5

                  be7ec99689ca0530f7875ddce6455ab0

                  SHA1

                  02c6ce3ed72083ec72de5f1db73605a50879581b

                  SHA256

                  71bd9af72ece6513e9869eb1376d9d3ccfd69f808ac50cb8f2a87bd41835a62d

                  SHA512

                  b8576fc4f0a6e70076e0c01269b9bf250f9de57f8a29c3cdad34a57982e2a5c2621928b8046f2a68acdd36d7d849ba1e067892cc7a473b07a0c4b9b35965624a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhost.bat
                  Filesize

                  223B

                  MD5

                  be7ec99689ca0530f7875ddce6455ab0

                  SHA1

                  02c6ce3ed72083ec72de5f1db73605a50879581b

                  SHA256

                  71bd9af72ece6513e9869eb1376d9d3ccfd69f808ac50cb8f2a87bd41835a62d

                  SHA512

                  b8576fc4f0a6e70076e0c01269b9bf250f9de57f8a29c3cdad34a57982e2a5c2621928b8046f2a68acdd36d7d849ba1e067892cc7a473b07a0c4b9b35965624a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhost.bat
                  Filesize

                  223B

                  MD5

                  be7ec99689ca0530f7875ddce6455ab0

                  SHA1

                  02c6ce3ed72083ec72de5f1db73605a50879581b

                  SHA256

                  71bd9af72ece6513e9869eb1376d9d3ccfd69f808ac50cb8f2a87bd41835a62d

                  SHA512

                  b8576fc4f0a6e70076e0c01269b9bf250f9de57f8a29c3cdad34a57982e2a5c2621928b8046f2a68acdd36d7d849ba1e067892cc7a473b07a0c4b9b35965624a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe
                  Filesize

                  657KB

                  MD5

                  a858512eec8ab0a31e7ce36d59d7531d

                  SHA1

                  2b71be5583c95ed3d689b301a655d9c1f4d2a87b

                  SHA256

                  173c0f122944b95a048f528c1fb2c96e86c5e44bd7f3413099fe8f139d42aecf

                  SHA512

                  c156958c3b0204ed186f734f668ee4f28f23b6dacfa09092f2cd10cfe8ded04179300b0b1dede3f68f3c2b7e95866abcaf7f938be1ed9f22aa28cd8dd4e3196f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe
                  Filesize

                  657KB

                  MD5

                  a858512eec8ab0a31e7ce36d59d7531d

                  SHA1

                  2b71be5583c95ed3d689b301a655d9c1f4d2a87b

                  SHA256

                  173c0f122944b95a048f528c1fb2c96e86c5e44bd7f3413099fe8f139d42aecf

                  SHA512

                  c156958c3b0204ed186f734f668ee4f28f23b6dacfa09092f2cd10cfe8ded04179300b0b1dede3f68f3c2b7e95866abcaf7f938be1ed9f22aa28cd8dd4e3196f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\svhostsmicrosoft\svhostssearch.exe
                  Filesize

                  657KB

                  MD5

                  a858512eec8ab0a31e7ce36d59d7531d

                  SHA1

                  2b71be5583c95ed3d689b301a655d9c1f4d2a87b

                  SHA256

                  173c0f122944b95a048f528c1fb2c96e86c5e44bd7f3413099fe8f139d42aecf

                  SHA512

                  c156958c3b0204ed186f734f668ee4f28f23b6dacfa09092f2cd10cfe8ded04179300b0b1dede3f68f3c2b7e95866abcaf7f938be1ed9f22aa28cd8dd4e3196f

                  Download Submit

                • memory/1480-166-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1480-162-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1740-173-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/1740-174-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3552-141-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3552-152-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3552-135-0x0000000000400000-0x000000000043A000-memory.dmp

                  Filesize

                  232KB

                  Download

                • memory/3736-132-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3736-148-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3992-163-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3992-158-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download

                • memory/3992-157-0x00000000753C0000-0x0000000075971000-memory.dmp

                  Filesize

                  5.7MB

                  Download