Overview

overview

10

Static

static

0c43a91203...d5.exe

windows7-x64

10

0c43a91203...d5.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    152s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe

  • Size

    524KB

  • MD5

    b8b75b9d85c2525bf6a279ee38e1fbe3

  • SHA1

    8cd035cc00557063f695569f7156b67634c5f1ae

  • SHA256

    0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5

  • SHA512

    b2fffd8cfae10bfc15aab7c6792579294ffb6c3209b49f03d8b0e91bea24ffca1b87dc5a7bcf92ab73464d16a1ce8de3388ec935f7959cb1eada1f935df73a9c

  • SSDEEP

    12288:X4uMhMNY9dr8PxljcYeRGkv7TuaOEjIp:OhMNYfQPHOO

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ella666.duckdns.org:31833

second54321.ddns.net:31833
Mutex

15e30443-b8b9-4837-95fa-542ed5b1078a

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    second54321.ddns.net

  • backup_dns_server

    second54321.ddns.net

  • buffer_size

    65535

  • build_time

    2020-11-07T09:26:13.196540636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    31833

  • default_group

    31833

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    15e30443-b8b9-4837-95fa-542ed5b1078a

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    ella666.duckdns.org

  • primary_dns_server

    ella666.duckdns.org

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
    "C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcGIkkp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8CE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:764
    • C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe
      "C:\Users\Admin\AppData\Local\Temp\0c43a9120385afddeb7173a6c93572c50c49b1e0fb44b219e0ee492e70ed14d5.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA8CE.tmp
    Filesize

    1KB

    MD5

    439b960e0b71792d1aa82c9a11f85ac3

    SHA1

    6b71dba96809a7db88fa430e67e08989bfb78440

    SHA256

    338e2351f595461862aff9aeda94b32992ef6b16c4531ae3c89f427cb03f7c1e

    SHA512

    bf3a50b9c9124a08313bc9a79b289f73afa010f8e00a9966df2e9a91f5e2088db0ddbcba4042ae7ba922f69c0e7b8b5e5ba9a9e28b44bee4c67156b78ed30fad

    Download Submit
  • memory/580-69-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/580-61-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/580-75-0x0000000000450000-0x000000000045A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/580-74-0x0000000000460000-0x000000000047E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/580-64-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/580-60-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/580-73-0x0000000000440000-0x000000000044A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/580-63-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/580-71-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/580-66-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/580-67-0x000000000041E792-mapping.dmp
    Download
  • memory/764-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1628-54-0x0000000000B00000-0x0000000000B8A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/1628-55-0x00000000757B1000-0x00000000757B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1628-56-0x0000000000600000-0x000000000060A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1628-57-0x0000000004F70000-0x0000000004FD8000-memory.dmp
    Filesize

    416KB

    Download