nanocore | 39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

Analysis

max time kernel
150s
max time network
175s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
Size

1.9MB
MD5

b2edfeaa3ac26d6025aac0b92788ed11
SHA1

4d6a5d91254ef3de3da4db6a399beb1fc2ede177
SHA256

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af
SHA512

3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234
SSDEEP

12288:X0LQ8daG/UYCCsUF4oYckcQRQo1wwVigOK8USPmnZ385EuL/C6shsyE6kGMgPYzz:XIKuL/CYzOmcJs28PpnuIIdw

Score

10^/10

nanocore netwire botnet evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

netwire

alex419.duckdns.org:60622

178.239.21.185:60622

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
GRACE101
install_path
%AppData%\Install\file.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
NwgwuGDR
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Abobex
use_mutex
true

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Host.exe	netwire
\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\file.exe	netwire
\Users\Admin\AppData\Roaming\Install\file.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\file.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 4 IoCs

Processes:

Host.exefileremitz.exefile.exefileremitz.exe

pid process

1328 Host.exe
1248 fileremitz.exe
1932 file.exe
1640 fileremitz.exe

pid	process
1328	Host.exe
1248	fileremitz.exe
1932	file.exe
1640	fileremitz.exe

Loads dropped DLL 6 IoCs

Processes:

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exeHost.exe

pid	process
1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
1328	Host.exe
1328	Host.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exeWScript.exefileremitz.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abobex = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\file.exe"	file.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\fileremitz = "C:\\Users\\Admin\\subfolder\\fileremitz.vbs -VC"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	fileremitz.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	file.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

fileremitz.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fileremitz.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

fileremitz.exe

description pid process target process

PID 1248 set thread context of 1640 1248 fileremitz.exe fileremitz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fileremitz.exe

description	pid	process	target process
PID 1248 set thread context of 1640	1248	fileremitz.exe	fileremitz.exe

Drops file in Program Files directory 2 IoCs

Processes:

fileremitz.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	fileremitz.exe
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	fileremitz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fileremitz.exe

pid process

1640 fileremitz.exe
1640 fileremitz.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fileremitz.exe

pid process

1640 fileremitz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fileremitz.exe

description pid process

Token: SeDebugPrivilege 1640 fileremitz.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exefileremitz.exe

pid process

1752 39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
1248 fileremitz.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

fileremitz.exe

pid process

1640 fileremitz.exe

pid	process
1640	fileremitz.exe
1640	fileremitz.exe

pid	process
1640	fileremitz.exe

description	pid	process
Token: SeDebugPrivilege	1640	fileremitz.exe

pid	process
1640	fileremitz.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exeHost.exefileremitz.exe

description	pid	process	target process
PID 1752 wrote to memory of 1328	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	Host.exe
PID 1752 wrote to memory of 1328	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	Host.exe
PID 1752 wrote to memory of 1328	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	Host.exe
PID 1752 wrote to memory of 1328	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	Host.exe
PID 1752 wrote to memory of 1404	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	WScript.exe
PID 1752 wrote to memory of 1404	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	WScript.exe
PID 1752 wrote to memory of 1404	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	WScript.exe
PID 1752 wrote to memory of 1404	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	WScript.exe
PID 1752 wrote to memory of 1248	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	fileremitz.exe
PID 1752 wrote to memory of 1248	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	fileremitz.exe
PID 1752 wrote to memory of 1248	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	fileremitz.exe
PID 1752 wrote to memory of 1248	1752	39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe	fileremitz.exe
PID 1328 wrote to memory of 1932	1328	Host.exe	file.exe
PID 1328 wrote to memory of 1932	1328	Host.exe	file.exe
PID 1328 wrote to memory of 1932	1328	Host.exe	file.exe
PID 1328 wrote to memory of 1932	1328	Host.exe	file.exe
PID 1248 wrote to memory of 1640	1248	fileremitz.exe	fileremitz.exe
PID 1248 wrote to memory of 1640	1248	fileremitz.exe	fileremitz.exe
PID 1248 wrote to memory of 1640	1248	fileremitz.exe	fileremitz.exe
PID 1248 wrote to memory of 1640	1248	fileremitz.exe	fileremitz.exe

C:\Users\Admin\AppData\Local\Temp\39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe
"C:\Users\Admin\AppData\Local\Temp\39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Roaming\Install\file.exe
"C:\Users\Admin\AppData\Roaming\Install\file.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\subfolder\fileremitz.vbs"
2⤵
- Adds Run key to start application
PID:1404

C:\Users\Admin\subfolder\fileremitz.exe
"C:\Users\Admin\subfolder\fileremitz.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\subfolder\fileremitz.exe
C:\Users\Admin\subfolder\fileremitz.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\AppData\Roaming\Install\file.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
C:\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
C:\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
C:\Users\Admin\subfolder\fileremitz.vbs
Filesize
1024B

MD5
84ac02433ae365d34512ee0013da1f93

SHA1
5bbe796a76a1063e8b857457ebfda5ea41222c29

SHA256
a8c6a45b6dc4a8cdd5ae5ed775335c1c7a50cf2fe2f312c1f2d19e9d5c5107c7

SHA512
028c15b847bd30239fb84714c165c430b51a94107ec73951eeac53df8bfef8590f51d62093ecafac47047dd078a18eb98a95ee8ea205a5d9e8625fde26c70ccd

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\AppData\Roaming\Install\file.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\AppData\Roaming\Install\file.exe
Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
\Users\Admin\subfolder\fileremitz.exe
Filesize
1.9MB

MD5
b2edfeaa3ac26d6025aac0b92788ed11

SHA1
4d6a5d91254ef3de3da4db6a399beb1fc2ede177

SHA256
39f4239391959ef5526d88982850bfd96cff70800fdab102aa1472c0b279f0af

SHA512
3528aebd1354a02fdd915be0e4d4b5c146114bc90763744ff8bf090ead15d5bb0a5c7bd94ff4c18b5acb669ee7ffbef3888e596c0e677ab8baf549af0c718234

Download Submit
memory/1248-86-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/1248-67-0x0000000000000000-mapping.dmp

Download
memory/1248-87-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1328-60-0x0000000000000000-mapping.dmp

Download
memory/1404-64-0x0000000000000000-mapping.dmp

Download
memory/1640-90-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1640-91-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/1640-95-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-94-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1640-84-0x00000000004BC3AC-mapping.dmp

Download
memory/1640-93-0x0000000074240000-0x00000000747EB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-92-0x0000000008C60000-0x00000000093FC000-memory.dmp

Filesize
7.6MB

Download
memory/1640-89-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1752-72-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1752-68-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1752-63-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1752-56-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download
memory/1752-57-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1752-62-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/1932-78-0x0000000000000000-mapping.dmp

Download