Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/05/2023, 12:41

General

  • Target

    sample.exe

  • Size

    2.1MB

  • MD5

    ae177e42c4c6e273cb4219fff5e94981

  • SHA1

    9b4c628e9aa7a81ada28dd4ba2490cef3a5ccede

  • SHA256

    562fc3234e53c14974bd59e5008f264438e67849ddaf11f06c4687fdd2da5311

  • SHA512

    b34261b51110f1b055fe6cd283d51620fc1c0d0cd25c87587cc434ea04074aa0ed1ad43f270383453b76b69db3cbf5708a21cf10948f874123d5fef09348ceba

  • SSDEEP

    24576:LE1qXbolTK38T67YCE3DY1oNowiK33tQPtY6Zqx8dYkRQ53Ula4mJ8ZQI+QSD11a:LEMoVl3zWwx0qxnkRGcQI+1ZvWH

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

syoll.duckdns.org:1604

Mutex

91a498dd-ff55-4709-b992-a5ee7715c9a2

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    syoll.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-03-14T21:41:26.733185836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1604

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    91a498dd-ff55-4709-b992-a5ee7715c9a2

  • mutex_timeout

    4985

  • prevent_system_sleep

    false

  • primary_connection_host

    syoll.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sample.exe
    "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
      C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
      2⤵
      • UAC bypass
      • Disables RegEdit via registry modification
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2020
      • C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
        "C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1976
      • C:\Users\Admin\AppData\Local\Temp\core.exe
        "C:\Users\Admin\AppData\Local\Temp\core.exe" -woohoo 1976 C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe

    Filesize

    414KB

    MD5

    86ad55d4fc8cbbb78d3f71b9784fffc2

    SHA1

    3f30d552413241e42626aa9372a2bfd9a016e375

    SHA256

    87ea5a682d91c46a58146860d95bb4d704d684324530244c574be21b3981fd7a

    SHA512

    fe4a1599a9b0b9d78a9fadfbce50ab5f8dbc6b5b6199e02bde119af859b63580e6b7f7a7df72692c7d5acee8a2646b9cc57dd64b6be19736e0dbb60433fe3af2

  • C:\Users\Admin\AppData\Local\Temp\core.exe

    Filesize

    414KB

    MD5

    86ad55d4fc8cbbb78d3f71b9784fffc2

    SHA1

    3f30d552413241e42626aa9372a2bfd9a016e375

    SHA256

    87ea5a682d91c46a58146860d95bb4d704d684324530244c574be21b3981fd7a

    SHA512

    fe4a1599a9b0b9d78a9fadfbce50ab5f8dbc6b5b6199e02bde119af859b63580e6b7f7a7df72692c7d5acee8a2646b9cc57dd64b6be19736e0dbb60433fe3af2

  • \Users\Admin\AppData\Local\Temp\XVlBzgbaiC.exe

    Filesize

    414KB

    MD5

    86ad55d4fc8cbbb78d3f71b9784fffc2

    SHA1

    3f30d552413241e42626aa9372a2bfd9a016e375

    SHA256

    87ea5a682d91c46a58146860d95bb4d704d684324530244c574be21b3981fd7a

    SHA512

    fe4a1599a9b0b9d78a9fadfbce50ab5f8dbc6b5b6199e02bde119af859b63580e6b7f7a7df72692c7d5acee8a2646b9cc57dd64b6be19736e0dbb60433fe3af2

  • \Users\Admin\AppData\Local\Temp\core.exe

    Filesize

    414KB

    MD5

    86ad55d4fc8cbbb78d3f71b9784fffc2

    SHA1

    3f30d552413241e42626aa9372a2bfd9a016e375

    SHA256

    87ea5a682d91c46a58146860d95bb4d704d684324530244c574be21b3981fd7a

    SHA512

    fe4a1599a9b0b9d78a9fadfbce50ab5f8dbc6b5b6199e02bde119af859b63580e6b7f7a7df72692c7d5acee8a2646b9cc57dd64b6be19736e0dbb60433fe3af2

  • memory/1052-92-0x0000000000730000-0x0000000000770000-memory.dmp

    Filesize

    256KB

  • memory/1052-93-0x0000000000730000-0x0000000000770000-memory.dmp

    Filesize

    256KB

  • memory/1052-95-0x0000000000730000-0x0000000000770000-memory.dmp

    Filesize

    256KB

  • memory/1976-72-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1976-78-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1976-79-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1976-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1976-70-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1976-68-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1976-67-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1976-88-0x00000000009C0000-0x0000000000A00000-memory.dmp

    Filesize

    256KB

  • memory/1976-66-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1976-94-0x00000000009C0000-0x0000000000A00000-memory.dmp

    Filesize

    256KB

  • memory/2020-64-0x0000000000AF0000-0x0000000000B30000-memory.dmp

    Filesize

    256KB

  • memory/2020-63-0x0000000000AF0000-0x0000000000B30000-memory.dmp

    Filesize

    256KB