Analysis

  • max time kernel
    59s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-02-2023 21:11

General

  • Target

    bbe4ba566d229a405da3af72193d297f.exe

  • Size

    1.3MB

  • MD5

    bbe4ba566d229a405da3af72193d297f

  • SHA1

    ffb73821d698bc2e32f1a32c7adf95e66520c7a8

  • SHA256

    aeb8e080b996a75f85bb82e2e7a42d0302735713f34fb95fff1bfb97a030e107

  • SHA512

    a3ba9225b2719f482f807fe91217cdccbb9c415d54a8cd4531960bf20456868ba7fb1be2e473c26f306c33b74615a6f5192f0c852dca25c66e6d63a4cbb25529

  • SSDEEP

    24576:8ixNAopnJcU4TgHosbIY95AcS1h9VOzYJ0Natxb:8iFpnx4TUosbIYEcSGQ06

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rcontrol4sec.ddnsgeek.com:5080

127.0.0.1:5080

Mutex

19b525d2-02f6-47c5-b606-1d038212d191

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-11-12T11:11:53.819338936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    5080

  • default_group

    Set

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    19b525d2-02f6-47c5-b606-1d038212d191

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    rcontrol4sec.ddnsgeek.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • Detect PureCrypter injector 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbe4ba566d229a405da3af72193d297f.exe
    "C:\Users\Admin\AppData\Local\Temp\bbe4ba566d229a405da3af72193d297f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1500
    • C:\Users\Admin\AppData\Local\Temp\bbe4ba566d229a405da3af72193d297f.exe
      C:\Users\Admin\AppData\Local\Temp\bbe4ba566d229a405da3af72193d297f.exe
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:904

Network

  • flag-us
    DNS
    rcontrol4sec.ddnsgeek.com
    bbe4ba566d229a405da3af72193d297f.exe
    Remote address:
    8.8.8.8:53
    Request
    rcontrol4sec.ddnsgeek.com
    IN A
    Response
    rcontrol4sec.ddnsgeek.com
    IN A
    185.81.157.236
  • 185.81.157.236:5080
    rcontrol4sec.ddnsgeek.com
    bbe4ba566d229a405da3af72193d297f.exe
    11.5kB
    381.6kB
    212
    363
  • 8.8.8.8:53
    rcontrol4sec.ddnsgeek.com
    dns
    bbe4ba566d229a405da3af72193d297f.exe
    71 B
    87 B
    1
    1

    DNS Request

    rcontrol4sec.ddnsgeek.com

    DNS Response

    185.81.157.236

MITRE ATT&CK Enterprise v6

Downloads

  • memory/904-76-0x0000000000650000-0x000000000065A000-memory.dmp

    Filesize

    40KB

  • memory/904-89-0x0000000004BB0000-0x0000000004BBE000-memory.dmp

    Filesize

    56KB

  • memory/904-72-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/904-90-0x0000000004CD0000-0x0000000004CFE000-memory.dmp

    Filesize

    184KB

  • memory/904-74-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/904-88-0x0000000004B90000-0x0000000004BA4000-memory.dmp

    Filesize

    80KB

  • memory/904-87-0x0000000004B80000-0x0000000004B90000-memory.dmp

    Filesize

    64KB

  • memory/904-86-0x0000000004B70000-0x0000000004B7C000-memory.dmp

    Filesize

    48KB

  • memory/904-63-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/904-64-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/904-66-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/904-67-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/904-69-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/904-91-0x0000000004D00000-0x0000000004D14000-memory.dmp

    Filesize

    80KB

  • memory/904-85-0x0000000004840000-0x0000000004854000-memory.dmp

    Filesize

    80KB

  • memory/904-84-0x0000000004830000-0x000000000483C000-memory.dmp

    Filesize

    48KB

  • memory/904-77-0x0000000000660000-0x000000000067E000-memory.dmp

    Filesize

    120KB

  • memory/904-78-0x0000000000680000-0x000000000068A000-memory.dmp

    Filesize

    40KB

  • memory/904-79-0x0000000000B00000-0x0000000000B12000-memory.dmp

    Filesize

    72KB

  • memory/904-80-0x0000000000B50000-0x0000000000B6A000-memory.dmp

    Filesize

    104KB

  • memory/904-81-0x0000000000B80000-0x0000000000B8E000-memory.dmp

    Filesize

    56KB

  • memory/904-82-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

    Filesize

    72KB

  • memory/904-83-0x0000000004820000-0x000000000482E000-memory.dmp

    Filesize

    56KB

  • memory/1500-61-0x0000000070010000-0x00000000705BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1500-60-0x0000000070010000-0x00000000705BB000-memory.dmp

    Filesize

    5.7MB

  • memory/1500-59-0x0000000070010000-0x00000000705BB000-memory.dmp

    Filesize

    5.7MB

  • memory/2032-55-0x0000000004D30000-0x0000000004FB2000-memory.dmp

    Filesize

    2.5MB

  • memory/2032-62-0x00000000045E0000-0x0000000004646000-memory.dmp

    Filesize

    408KB

  • memory/2032-54-0x0000000000CF0000-0x0000000000E40000-memory.dmp

    Filesize

    1.3MB

  • memory/2032-56-0x00000000767B1000-0x00000000767B3000-memory.dmp

    Filesize

    8KB
