Analysis

  • max time kernel
    135s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2022, 11:29

General

  • Target

    0efa68399642ad4d08bec00830a7262877925c79429eaf03545c8deedd185dc7.exe

  • Size

    914KB

  • MD5

    d712200bcf78ff5e33266826b4de4854

  • SHA1

    e91b83ec20598e314a5482648fc973735596b674

  • SHA256

    0efa68399642ad4d08bec00830a7262877925c79429eaf03545c8deedd185dc7

  • SHA512

    7dbb5833e131675af30f65ea9ff38b34138958940c0c04e844a00b843c7ee4caaf3b182318803af80a867d2f2af85ba2e821afde065eb9c0fcaf68ca65aa635b

  • SSDEEP

    24576:WISfTWxk9D2Q+3h0l0G0psK+Z83wHxaaGWn:WISfTjDFOG8J+ZmwIaGWn

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

lyfoon.ddns.net:4555

Mutex

e202a9ec-81d2-4e38-88e4-e95b37170f2c

Attributes
  • activate_away_mode

    false

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2014-10-08T04:53:28.813769236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    4555

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e202a9ec-81d2-4e38-88e4-e95b37170f2c

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    lyfoon.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.1.1

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies Internet Explorer settings (1 TTP, 36 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SetWindowsHookEx (11 IoCs)
  • Suspicious use of WriteProcessMemory (55 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0efa68399642ad4d08bec00830a7262877925c79429eaf03545c8deedd185dc7.exe
    "C:\Users\Admin\AppData\Local\Temp\0efa68399642ad4d08bec00830a7262877925c79429eaf03545c8deedd185dc7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeUYqq.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeUYqq.exe" "KMMEcn"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\System32\svchost.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /delete /tn WindowsUpdatekmmecn0x8429524
          4⤵
            PID:468
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn WindowsUpdatekmmecn0x8429525 /tr "C:\ProgramData\kmmecn\Project1.exe" /RL HIGHEST
            4⤵
            • Creates scheduled task(s)
            PID:1832
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\SysWOW64\svchost.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1128
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:932
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275457 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1968
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275460 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:832
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\SysWOW64\svchost.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1944
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
              5⤵
                PID:876
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:1032
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {EB39C172-E253-4FB5-B9B3-ACF85BA2608C} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
        1⤵
          PID:1956

Downloads

  • C:\Users\Admin\AppData\Local\Temp\KMMEcn

    Filesize

    12KB

    MD5

    3b492abfde9e70a07ad496a8b6f7860f

    SHA1

    63a3665bfb8d0c1bf02e9d375d26170e7addcdfd

    SHA256

    af836725d618a02ec466ecdf4a327f267afef75c83c98a7c152656be238bd680

    SHA512

    c9a411e2d48a6b6ee7b9118a208541d826a785a40c0ded8c9d51e7414808170cbfdcd2dfe52ee791378fc6d0e2fd13af0f90107b823a4eb572525b516d90c9cf

  • C:\Users\Admin\AppData\Local\Temp\LbwoAH.exe

    Filesize

    102KB

    MD5

    69cc50e5fbed40bad9df38f921ac9a26

    SHA1

    5a82638902f3d48935aba96a1cc3de82f6f99853

    SHA256

    e75ce2acbc8f0e61cf40ecf0918de2d81df22c3b30c8e3eead4cfb0227578515

    SHA512

    0ca63d82766659feeeee7a17fc1479f760e84636e4f76c91c2f5505eb18b596a4f2094c8f2c023d726eec54cf5b8e4f5f610a4a95ea1d90e33ec4f0cb5d85f1f

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KMMEcn

    Filesize

    12KB

    MD5

    3b492abfde9e70a07ad496a8b6f7860f

    SHA1

    63a3665bfb8d0c1bf02e9d375d26170e7addcdfd

    SHA256

    af836725d618a02ec466ecdf4a327f267afef75c83c98a7c152656be238bd680

    SHA512

    c9a411e2d48a6b6ee7b9118a208541d826a785a40c0ded8c9d51e7414808170cbfdcd2dfe52ee791378fc6d0e2fd13af0f90107b823a4eb572525b516d90c9cf

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LbwoAH.exe

    Filesize

    102KB

    MD5

    69cc50e5fbed40bad9df38f921ac9a26

    SHA1

    5a82638902f3d48935aba96a1cc3de82f6f99853

    SHA256

    e75ce2acbc8f0e61cf40ecf0918de2d81df22c3b30c8e3eead4cfb0227578515

    SHA512

    0ca63d82766659feeeee7a17fc1479f760e84636e4f76c91c2f5505eb18b596a4f2094c8f2c023d726eec54cf5b8e4f5f610a4a95ea1d90e33ec4f0cb5d85f1f

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeUYqq.exe

    Filesize

    510KB

    MD5

    01d151ccd2a75bd713b8ce81d6509eb8

    SHA1

    c751680d504bece45dc84e363e9e976fe77a8eac

    SHA256

    a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

    SHA512

    8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WeUYqq.exe

    Filesize

    510KB

    MD5

    01d151ccd2a75bd713b8ce81d6509eb8

    SHA1

    c751680d504bece45dc84e363e9e976fe77a8eac

    SHA256

    a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

    SHA512

    8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xteJOK.txt

    Filesize

    1.4MB

    MD5

    061e443f2ff63ebf54601d4bf39aac35

    SHA1

    082fb11cc04a818d9e279cfd62cccc7ca5083b28

    SHA256

    616b53c6351c2349c2859e8e7c5a17a7ca28f79c5c741ec5ce14cf7ec4180907

    SHA512

    7b48ddeef7cdeacc4c6fa723680fc1a165688e201e1e071e98384b8d2486ec0e44577a5589b30f850d4c1efa5a602be5f5a1024107e6b57138b5b9e9cb6fd227

  • C:\Users\Admin\AppData\Local\Temp\WeUYqq.exe

    Filesize

    510KB

    MD5

    01d151ccd2a75bd713b8ce81d6509eb8

    SHA1

    c751680d504bece45dc84e363e9e976fe77a8eac

    SHA256

    a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

    SHA512

    8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

  • C:\Users\Admin\AppData\Local\Temp\xteJOK.txt

    Filesize

    1.4MB

    MD5

    061e443f2ff63ebf54601d4bf39aac35

    SHA1

    082fb11cc04a818d9e279cfd62cccc7ca5083b28

    SHA256

    616b53c6351c2349c2859e8e7c5a17a7ca28f79c5c741ec5ce14cf7ec4180907

    SHA512

    7b48ddeef7cdeacc4c6fa723680fc1a165688e201e1e071e98384b8d2486ec0e44577a5589b30f850d4c1efa5a602be5f5a1024107e6b57138b5b9e9cb6fd227

  • C:\Users\Admin\AppData\Roaming\2637.jpg

    Filesize

    98KB

    MD5

    d2058152d3afc6aad186d244f673b297

    SHA1

    4daeafc036e8cf09cd64aa271ba9ccb2364643e0

    SHA256

    c8b572fb80f522d0f4a57d0ac8f62595db551d3532ffb480aede271c126a34e3

    SHA512

    91cbb80737ecb4c00774fd6de25ca05349b8a36a63228df733cd9210c21a25a7291c9e97eb395f22eb99b4a6890e214287f89e8c689161f4bc49e9c1d9a2cc30

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4T503HNC.txt

    Filesize

    608B

    MD5

    015f6ecad1c87d3994321492ccc84354

    SHA1

    057547d38bd34a556548fdb183c4bf4eb6b54a74

    SHA256

    cbc7cd6f6aed2c9aa1bdc8fc127897715d1864c51c78cd4b61ca20827bcd838c

    SHA512

    1e96666c5b1b32910785a0112d00163339f2dc43d373daf8da9911269c2666d49d6b8f7101b5baff089df39984648e29ed1fc13075f9a69813dbb8e652a5718c

  • \Users\Admin\AppData\Local\Temp\RarSFX0\WeUYqq.exe

    Filesize

    510KB

    MD5

    01d151ccd2a75bd713b8ce81d6509eb8

    SHA1

    c751680d504bece45dc84e363e9e976fe77a8eac

    SHA256

    a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

    SHA512

    8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

  • memory/1128-89-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1128-92-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1128-97-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1128-95-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1128-90-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1128-87-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1128-86-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1536-54-0x0000000076871000-0x0000000076873000-memory.dmp

    Filesize

    8KB

  • memory/2028-64-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2028-66-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2028-69-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2028-79-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2028-75-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB

  • memory/2028-63-0x0000000000400000-0x00000000004A0000-memory.dmp

    Filesize

    640KB