Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    89s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11/06/2023, 10:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1006KB

  • MD5

    f2b39cd2a53dc9ee05fb9ae60f2f39d4

  • SHA1

    47aa15669e2b4bf1b494d10d5b0d80b5303c5fd3

  • SHA256

    1238f48f4e4b01c29ce390b9156ab6e9c4d3a57a7142510a4750539e92bc7886

  • SHA512

    c6d35da2307d83a248b1303f33912e498d4173e223bd4f5d232348d30a375f249d64e74fd945eb712e11f7102e2183184ffc9fcf201d68b353c9f68cbaa35d92

  • SSDEEP

    12288:krRqO6vKuaqrG6O8tjCowhf+Nn95kCMarnDpkDO/VYdU2nVESkTLwrJ:rdraqrG6qVitTDGDvOBSdN

Score
10/10
nanocorekeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

muna001.duckdns.org:3637

melionx.duckdns.org:3637
Mutex

589f5987-ea24-4bf9-bdfc-6819b0945699

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    melionx.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-11-25T16:37:57.631844936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3637

  • default_group

    13FEB

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    589f5987-ea24-4bf9-bdfc-6819b0945699

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    muna001.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LHADBnfp.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1904
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LHADBnfp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC72.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpEC72.tmp
    Filesize

    1KB

    MD5

    9a6645afc6dc8669857b562494568cc8

    SHA1

    b8cbfb3243402a6bab8812d6185c7039c792d9b2

    SHA256

    e32e93470062d303938699b26fbc6d2da8a3e4a31c6436a4c81ea48a66fa06c3

    SHA512

    d65f09b84d83e2437e2ccd2696936c55effe8458e0b345b82be2980353588674361e34b7b76f2fcfd18c86a052f51201d155dce2f61cd8c7392925053fcc359f

    Download Submit

  • memory/604-81-0x00000000003E0000-0x00000000003EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/604-91-0x0000000000B60000-0x0000000000B6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/604-101-0x0000000000A60000-0x0000000000AA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/604-99-0x0000000004450000-0x0000000004464000-memory.dmp

    Filesize

    80KB

    Download

  • memory/604-98-0x0000000004420000-0x000000000444E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/604-97-0x0000000002120000-0x000000000212E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/604-96-0x0000000002110000-0x0000000002124000-memory.dmp

    Filesize

    80KB

    Download

  • memory/604-95-0x00000000020C0000-0x00000000020D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/604-69-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/604-70-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/604-71-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/604-72-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/604-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/604-74-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/604-94-0x00000000020B0000-0x00000000020BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/604-77-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/604-93-0x0000000002060000-0x000000000206C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/604-92-0x0000000002010000-0x0000000002022000-memory.dmp

    Filesize

    72KB

    Download

  • memory/604-82-0x00000000003F0000-0x00000000003FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/604-83-0x00000000009C0000-0x00000000009DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/604-84-0x0000000000A30000-0x0000000000A3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/604-79-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/604-87-0x0000000000A60000-0x0000000000AA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/604-89-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/604-90-0x0000000000B40000-0x0000000000B5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1160-54-0x0000000000140000-0x0000000000242000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1160-56-0x0000000000370000-0x0000000000384000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1160-68-0x0000000004FD0000-0x000000000500E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1160-65-0x0000000004720000-0x0000000004726000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1160-55-0x00000000004C0000-0x0000000000500000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1160-59-0x0000000005570000-0x00000000055F2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1160-58-0x0000000000490000-0x000000000049C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1160-57-0x00000000004C0000-0x0000000000500000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1904-86-0x0000000002050000-0x0000000002090000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1904-76-0x0000000002050000-0x0000000002090000-memory.dmp

    Filesize

    256KB

    Download