Overview

overview

10

Static

static

1

7ba9294f10...32.exe

windows7-x64

10

7ba9294f10...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2023 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe

  • Size

    762KB

  • MD5

    129940eb6b4747b1569e7da5f37157db

  • SHA1

    833dbea5d5f6f2b6bf1f24d9ca2c6d807804b6d9

  • SHA256

    7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32

  • SHA512

    3272119368abc30454d2ff1f4430aa30b2f0e71999f4c32dceae7b28d925210f3d79d1f50ae797270f2641c5d5f8344cb6728fdbbfb4654cf829778e68086d68

  • SSDEEP

    12288:z1VLXCxGmsXPqiPnXkATcCPqcPRh17SMJU9fkPCldfKVWjzDYRw6gXZjZ81GidIL:RVLXkGXPqiPnXkAICx5hxSM68ydSqHp7

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

iyhto.ddns.net:3531

Mutex

42c7bb0d-2a49-4c9a-b8e7-5ee248f484c7

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    iyhto.ddns.net

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-08-18T04:21:38.557873036Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3531

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    42c7bb0d-2a49-4c9a-b8e7-5ee248f484c7

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    iyhto.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe
    "C:\Users\Admin\AppData\Local\Temp\7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QDciObviIKfRDf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QDciObviIKfRDf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3558.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4540
    • C:\Users\Admin\AppData\Local\Temp\7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe
      "C:\Users\Admin\AppData\Local\Temp\7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe"
      2⤵
        PID:4432
      • C:\Users\Admin\AppData\Local\Temp\7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe
        "C:\Users\Admin\AppData\Local\Temp\7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe"
        2⤵
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7ba9294f10f99747124f01c3564c8a127057507932edda9806476f186e534c32.exe.log
      Filesize

      1KB

      MD5

      36049bae97bba745c793444373453cb0

      SHA1

      eb6e9a822944e8e207abba1a5e53f0183a1684f1

      SHA256

      839fa1f9725719938ffa24533587b168bae2768f23ac09dccb3ad4ab8ae6abcd

      SHA512

      a6584b7b435afeffb6becfbed82517087030eb23534fa50deecd02330bf36d633ba22e979e36b9c27e35885f9cc1cc9481dadc53cc265be61391e11a7c2c7cdb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pp3xlpb0.k2f.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp3558.tmp
      Filesize

      1KB

      MD5

      1603c9a89a8f1880e7f3bf9e0024af42

      SHA1

      0093d631f0c8c8f954610edcc7c480c026b4af91

      SHA256

      b937baa0491dac9ff6696698054ba831285ec26d4d13337557381c9c1e6a0249

      SHA512

      89947ca4e2e63177676c021f6e3e7f5f51c9d53e4aebd77fa80e76a7b70288c927ffb211893ca7611f81551933c8b0ca846ea02e6b2b6ca2d192d83bb0727456

      Download Submit
    • memory/1708-162-0x00000000056E0000-0x0000000005746000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1708-184-0x00000000061C0000-0x00000000061DE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1708-192-0x0000000007250000-0x0000000007258000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1708-190-0x0000000007160000-0x000000000716E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/1708-189-0x00000000071B0000-0x0000000007246000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1708-145-0x0000000002330000-0x0000000002366000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1708-165-0x0000000004900000-0x0000000004910000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1708-147-0x0000000004F40000-0x0000000005568000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1708-188-0x0000000006FA0000-0x0000000006FAA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1708-187-0x000000007EF40000-0x000000007EF50000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1708-186-0x0000000006F30000-0x0000000006F4A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1708-151-0x0000000004CE0000-0x0000000004D02000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1708-161-0x0000000005670000-0x00000000056D6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1708-185-0x0000000007570000-0x0000000007BEA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1708-174-0x0000000070FE0000-0x000000007102C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1708-191-0x0000000007270000-0x000000000728A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1708-173-0x00000000061E0000-0x0000000006212000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1708-166-0x0000000004900000-0x0000000004910000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1708-169-0x0000000005C20000-0x0000000005C3E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1708-171-0x0000000004900000-0x0000000004910000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-136-0x0000000007340000-0x00000000073D2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2128-137-0x0000000007250000-0x0000000007260000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-133-0x0000000000220000-0x00000000002E4000-memory.dmp
      Filesize

      784KB

      Download
    • memory/2128-134-0x0000000007250000-0x0000000007260000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-135-0x0000000007810000-0x0000000007DB4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2128-140-0x000000000C510000-0x000000000C5AC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2128-139-0x0000000007250000-0x0000000007260000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2128-138-0x0000000007250000-0x0000000007260000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4560-196-0x00000000055F0000-0x0000000005600000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4560-148-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/4560-164-0x00000000055F0000-0x0000000005600000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4560-163-0x0000000005270000-0x000000000527A000-memory.dmp
      Filesize

      40KB

      Download