Analysis
-
max time kernel
171s -
max time network
193s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
12/10/2023, 16:14
General
-
Target
F09865480 (1).exe
-
Size
615KB
-
MD5
581d9f88bf2bf367e29bab4544111547
-
SHA1
ccc7a7989411b2cbda4f16c5a145ecfc7b1079c4
-
SHA256
02eb438f2b627fcb3a502afd3a4b0f1b0d6f2376ee8279580789b57429f7b1f6
-
SHA512
5b17b52dfd929dbf72bfc5e5b10e89fb3c1245965c3f25c52b9125ba02a86dbc7ed221972ea9a4de67de089fad0ae5514d7b0cc55dbd712efdac0f3e7e0676b9
-
SSDEEP
12288:VYLW0hOVA9kF5dS4jDiyWiS0FLC+xrb1k65yNZ09:VYphOVdF5IAFS5+ZbkZ09
Malware Config
Extracted
nanocore
1.2.2.0
79.110.62.170:4445
cb222388-60cd-45a6-86e9-345ab11492c9
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2023-06-30T07:50:17.873975236Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4445
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
cb222388-60cd-45a6-86e9-345ab11492c9
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
79.110.62.170
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\F09865480 (1).exe"C:\Users\Admin\AppData\Local\Temp\F09865480 (1).exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cdzezwtdgl.exe"C:\Users\Admin\AppData\Local\Temp\cdzezwtdgl.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cdzezwtdgl.exe"C:\Users\Admin\AppData\Local\Temp\cdzezwtdgl.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
201KB
MD5593b9c50b4128b7d0c3b138d6ed111a9
SHA188749db00be1837adb36d7e68880855df5faca8b
SHA2560f1add8ff7645b4ada844e54262d048195edfdc0461a005ecf77067bec056ea5
SHA5124822c9c87f7f5bc323c5b5e0ba60cc9744700517af0eac5f99b2fea05a9961696986a14852ed8c9b80104eb7c8543e8eabf1647baff92e417bbb2e771263487a
-
Filesize
201KB
MD5593b9c50b4128b7d0c3b138d6ed111a9
SHA188749db00be1837adb36d7e68880855df5faca8b
SHA2560f1add8ff7645b4ada844e54262d048195edfdc0461a005ecf77067bec056ea5
SHA5124822c9c87f7f5bc323c5b5e0ba60cc9744700517af0eac5f99b2fea05a9961696986a14852ed8c9b80104eb7c8543e8eabf1647baff92e417bbb2e771263487a
-
Filesize
201KB
MD5593b9c50b4128b7d0c3b138d6ed111a9
SHA188749db00be1837adb36d7e68880855df5faca8b
SHA2560f1add8ff7645b4ada844e54262d048195edfdc0461a005ecf77067bec056ea5
SHA5124822c9c87f7f5bc323c5b5e0ba60cc9744700517af0eac5f99b2fea05a9961696986a14852ed8c9b80104eb7c8543e8eabf1647baff92e417bbb2e771263487a
-
Filesize
201KB
MD5593b9c50b4128b7d0c3b138d6ed111a9
SHA188749db00be1837adb36d7e68880855df5faca8b
SHA2560f1add8ff7645b4ada844e54262d048195edfdc0461a005ecf77067bec056ea5
SHA5124822c9c87f7f5bc323c5b5e0ba60cc9744700517af0eac5f99b2fea05a9961696986a14852ed8c9b80104eb7c8543e8eabf1647baff92e417bbb2e771263487a
-
Filesize
300KB
MD5c8c1338c7a3d7793a542710fd98ed80d
SHA1fc038363f93cc8ce61b3fbcdfc1413fb83d8c957
SHA2568ca97a4dd338a888fb982d12b1ac4f106bd742611b45e8338a67eb3e0bd117eb
SHA512f2ed2e9a7efa7f11304aa9e5405bc305fdce6e17d9294d9b980c0eba150399700de6a9fb47fc51baeb0ef8925daabc1fdc98921b82eaccbe9b54c7d2faf24cdd
-
Filesize
201KB
MD5593b9c50b4128b7d0c3b138d6ed111a9
SHA188749db00be1837adb36d7e68880855df5faca8b
SHA2560f1add8ff7645b4ada844e54262d048195edfdc0461a005ecf77067bec056ea5
SHA5124822c9c87f7f5bc323c5b5e0ba60cc9744700517af0eac5f99b2fea05a9961696986a14852ed8c9b80104eb7c8543e8eabf1647baff92e417bbb2e771263487a
-
Filesize
201KB
MD5593b9c50b4128b7d0c3b138d6ed111a9
SHA188749db00be1837adb36d7e68880855df5faca8b
SHA2560f1add8ff7645b4ada844e54262d048195edfdc0461a005ecf77067bec056ea5
SHA5124822c9c87f7f5bc323c5b5e0ba60cc9744700517af0eac5f99b2fea05a9961696986a14852ed8c9b80104eb7c8543e8eabf1647baff92e417bbb2e771263487a
-
Filesize
5.7MB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
8KB