Analysis

  • max time kernel
    127s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05/05/2023, 19:06

General

  • Target

    b3ac1d448ec0c1a677e30b26a02cf525.exe

  • Size

    992KB

  • MD5

    b3ac1d448ec0c1a677e30b26a02cf525

  • SHA1

    7ac37e6d210fd713a350fbc5920d523404397b86

  • SHA256

    b56fcfe2487e1acd67163ca50b4d05d793557d927971675a09f1a5bcfa8464cb

  • SHA512

    6169b2b7520af1898d074b4ecee84c19b070f9e1b05349605e4442d42c183c43b97abb10198893eff6b30dfabe87920ab676c70a300c9682e27ea8dd3e638846

  • SSDEEP

    12288:DtE1YG6m3qToJq0Kw2Yh3ZCZV4upfn98ZQ/O1NL4I3VTK0bOT0NRHl:DtE1xOk4vw2m5o/98S/OfDFOp

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

1116.hopto.org:1116

185.140.53.9:1116

Mutex

909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    185.140.53.9

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-02-16T08:43:19.524585136Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1116

  • default_group

    1116

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    1116.hopto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3ac1d448ec0c1a677e30b26a02cf525.exe
    "C:\Users\Admin\AppData\Local\Temp\b3ac1d448ec0c1a677e30b26a02cf525.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qPUTVS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7E9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "DSL Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDD26.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:868
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "DSL Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDEAD.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD7E9.tmp

    Filesize

    1KB

    MD5

    64878bdfe21ac908ac5396d408027686

    SHA1

    fd02cfb3f027087d56e50542fc20b2731f52fe02

    SHA256

    6a71dc6b9f69a565f7e4e760391067b9160a2e265f7ae0957de5e818e7d251f8

    SHA512

    d7b87b3aaf48cee15e9e896c9b62f9ea5d9a34bee436cdb75f2e68e3195c09bc9d2aa45518d667d90aae8a83fbd8bf52e425083b1893a18097fd915f9629e9b6

  • C:\Users\Admin\AppData\Local\Temp\tmpDD26.tmp

    Filesize

    1KB

    MD5

    8cad1b41587ced0f1e74396794f31d58

    SHA1

    11054bf74fcf5e8e412768035e4dae43aa7b710f

    SHA256

    3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

    SHA512

    99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

  • C:\Users\Admin\AppData\Local\Temp\tmpDEAD.tmp

    Filesize

    1KB

    MD5

    cc41562853d473a6d8785f7887ed523f

    SHA1

    5be25b133c7a5cbc1b240822e87f3cbe94aaa312

    SHA256

    a259d5fb27ddfee2968c9b1c1346121934b35bda37f9f446e9470a72cb95c2b7

    SHA512

    678c59e91d604607c7a3576dcab70eac4fb6af40d9f9db799a7a9fee67a1dd306a1a8b3bc4885e46fa6ab75970bb37fd62e6dcc66c61c09413d59991f90f12fd

  • memory/460-66-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/460-72-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/460-86-0x0000000004C40000-0x0000000004C80000-memory.dmp

    Filesize

    256KB

  • memory/460-85-0x0000000004C40000-0x0000000004C80000-memory.dmp

    Filesize

    256KB

  • memory/460-63-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/460-64-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/460-65-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/460-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/460-68-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/460-84-0x0000000004C40000-0x0000000004C80000-memory.dmp

    Filesize

    256KB

  • memory/460-70-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/460-83-0x0000000000580000-0x000000000058A000-memory.dmp

    Filesize

    40KB

  • memory/460-74-0x0000000004C40000-0x0000000004C80000-memory.dmp

    Filesize

    256KB

  • memory/460-82-0x0000000000590000-0x00000000005AE000-memory.dmp

    Filesize

    120KB

  • memory/460-81-0x0000000000570000-0x000000000057A000-memory.dmp

    Filesize

    40KB

  • memory/1088-55-0x0000000000550000-0x0000000000590000-memory.dmp

    Filesize

    256KB

  • memory/1088-56-0x0000000000520000-0x0000000000534000-memory.dmp

    Filesize

    80KB

  • memory/1088-58-0x0000000005300000-0x000000000538E000-memory.dmp

    Filesize

    568KB

  • memory/1088-54-0x00000000010E0000-0x00000000011DE000-memory.dmp

    Filesize

    1016KB

  • memory/1088-57-0x0000000000550000-0x0000000000590000-memory.dmp

    Filesize

    256KB

  • memory/1088-59-0x0000000001090000-0x00000000010CC000-memory.dmp

    Filesize

    240KB