Overview

overview

10

Static

static

1

YWjESQ2siMOeTGY.exe

windows7-x64

3

YWjESQ2siMOeTGY.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YWjESQ2siMOeTGY.exe

  • Size

    1.2MB

  • MD5

    2c9847c76f51b2c6a2fe2abe4a9c91f3

  • SHA1

    e3d0facab5b7671ccdac2476a699ab2f817b4479

  • SHA256

    a8953f2dca5171e14663eefb973c1793decce1dcd6c7baa63081a3d681dbc1c1

  • SHA512

    a85c40c7033a7262cf063f38e845d223701b86d155ed29d12e353487384660dbe06d379de6741e778a939ef47ad8370b809f060108b42967394f8aaa7cd45b73

  • SSDEEP

    24576:9A5IeDQd/XJwtr4Xqfbd3TFZNoDoAyfiF1geG68Nq9H9Z2839Y2YXC8bx7wwI3n2:25/QR5wtr4XEbvA+iF1geG68Nq9Hr286

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

win2020.zapto.org:10123

Mutex

34fa688f-c4d0-419c-ba07-1926952dc2c2

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    win2020.zapto.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-01-06T07:29:23.375362136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    10123

  • default_group

    built

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    34fa688f-c4d0-419c-ba07-1926952dc2c2

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    win2020.zapto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
    "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KAmVjfLsWgBU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KAmVjfLsWgBU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp598A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4532
    • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
      "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
      2⤵
        PID:3304
      • C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe
        "C:\Users\Admin\AppData\Local\Temp\YWjESQ2siMOeTGY.exe"
        2⤵
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2668

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      f29c9be6890cd557d9e6c3069dced61e

      SHA1

      6feb05a2b12933e4fc4ed190fb23639a660ef076

      SHA256

      626565a4fb7da9c8d08b6af82d0e9a46d6920327bc33bb811c2efd4ed92e42b7

      SHA512

      49cdb768b122ecaae3424e86bf3a9fdecad691f481afcfdd97293da3d5bef76bb9f05e5e23199167ef6b1f98c7013e6a17260117be5b9145a8a489dadb3cf374

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cnezok3.v1l.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp598A.tmp
      Filesize

      1KB

      MD5

      359235e9ea8bc99ebaa388069098e2f4

      SHA1

      647b688059cd5e147867fe61842dff38c0529301

      SHA256

      eadd617563cbb2d23ddabe81c145ab5cea31fc19bfc2f8a7521fdf93d8e2306c

      SHA512

      641ff880009c6e331b779a0afc56128d39ea9d985279d6a43e5ac97381b41edbbfcafe4b7baac2dc73e8c56a42f63f70bea9f902bd79f30fa57e54d2e959cb4b

      Download Submit
    • memory/1264-175-0x0000000006270000-0x000000000628E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1264-203-0x0000000006920000-0x000000000693A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1264-178-0x0000000070E40000-0x0000000070E8C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1264-144-0x0000000004CC0000-0x0000000004CF6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1264-145-0x00000000053D0000-0x00000000059F8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1264-200-0x0000000004D90000-0x0000000004DA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1264-148-0x0000000005350000-0x00000000053B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1264-201-0x000000007F5B0000-0x000000007F5C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1264-189-0x0000000006830000-0x000000000684E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1264-207-0x00000000078C0000-0x00000000078DA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1264-204-0x00000000075F0000-0x00000000075FA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1264-166-0x0000000004D90000-0x0000000004DA0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1628-136-0x0000000005270000-0x000000000527A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1628-135-0x00000000052E0000-0x0000000005372000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1628-133-0x0000000000790000-0x00000000008CE000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1628-134-0x0000000005890000-0x0000000005E34000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1628-137-0x0000000005490000-0x00000000054A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1628-138-0x0000000005490000-0x00000000054A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1628-139-0x0000000006F70000-0x000000000700C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/1896-179-0x0000000070E40000-0x0000000070E8C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1896-205-0x00000000074C0000-0x0000000007556000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1896-147-0x0000000004F80000-0x0000000004FA2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1896-199-0x0000000004A10000-0x0000000004A20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1896-202-0x0000000007880000-0x0000000007EFA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1896-171-0x0000000004A10000-0x0000000004A20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1896-172-0x0000000004A10000-0x0000000004A20000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1896-177-0x0000000006EE0000-0x0000000006F12000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1896-206-0x0000000007470000-0x000000000747E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1896-149-0x00000000057E0000-0x0000000005846000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1896-208-0x0000000007560000-0x0000000007568000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2668-150-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/2668-176-0x0000000005AD0000-0x0000000005AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2668-214-0x0000000005AD0000-0x0000000005AE0000-memory.dmp
      Filesize

      64KB

      Download