Analysis
- max time kernel: 151s
- max time network: 180s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 12/10/2023, 16:26
Static task: static1
Behavioral task: behavioral1
- Sample: F0096900000987789.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: F0096900000987789.exe
- Resource: win10v2004-20230915-en
General
- Target: F0096900000987789.exe
- Size: 416KB
- MD5: 264e01e9cae9c9e1967ea892288bc9ae
- SHA1: 6353515cd0642b46cb95bd028a3d44f273d5e5e9
- SHA256: 2bdbe25f715e65a6ae288750c0d3236b7edf55b4f43fce3a88b779f01b6101da
- SHA512: 79985475851347c86ae6e150a045e197f9aaa960a8910694098a550b17d684adafbfabf2f6a55470e31bce8a93707e86991b4ba17a618864b147e0d533243277
- SSDEEP: 6144:PYa6dVyAI4xoWOgNAIccFhsNCzYK9cnr43CGbhJb+sfQCbZzsPpP8gUnSiGQYsL:PYRrfofg2Uhsycn8YWyPpPbKGVsL
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 79.110.62.170:4445
- Mutex: cb222388-60cd-45a6-86e9-345ab11492c9

Attributes
- activate_away_mode: true
- backup_connection_host:
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2023-06-30T07:50:17.873975236Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 4445
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: cb222388-60cd-45a6-86e9-345ab11492c9
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 79.110.62.170
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2020  hevnhrxazn.exe
  1704  hevnhrxazn.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  2012  F0096900000987789.exe
  2020  hevnhrxazn.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                                                                                Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\tdmirbwgcluq = "C:\\Users\\Admin\\AppData\\Roaming\\chqmv\\fbksox.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hevnhrxazn.exe\" "  hevnhrxazn.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"                                                                                                     hevnhrxazn.exe
- Checks whether UAC is enabled (1 IoCs)
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  hevnhrxazn.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process         procid_target
  PID 2020 set thread context of 1704  2020  hevnhrxazn.exe  28
- Drops file in Program Files directory (2 IoCs)
  description                   ioc                                              Process
  File created                  C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe  hevnhrxazn.exe
  File opened for modification  C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe  hevnhrxazn.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1704  hevnhrxazn.exe
  1704  hevnhrxazn.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1704  hevnhrxazn.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  2020  hevnhrxazn.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1704  hevnhrxazn.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process                procid_target
  PID 2012 wrote to memory of 2020  2012  F0096900000987789.exe  27
  PID 2012 wrote to memory of 2020  2012  F0096900000987789.exe  27
  PID 2012 wrote to memory of 2020  2012  F0096900000987789.exe  27
  PID 2012 wrote to memory of 2020  2012  F0096900000987789.exe  27
  PID 2020 wrote to memory of 1704  2020  hevnhrxazn.exe         28
  PID 2020 wrote to memory of 1704  2020  hevnhrxazn.exe         28
  PID 2020 wrote to memory of 1704  2020  hevnhrxazn.exe         28
  PID 2020 wrote to memory of 1704  2020  hevnhrxazn.exe         28
  PID 2020 wrote to memory of 1704  2020  hevnhrxazn.exe         28
Processes
- C:\Users\Admin\AppData\Local\Temp\F0096900000987789.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\F0096900000987789.exe"
  PID: 2012
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\hevnhrxazn.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hevnhrxazn.exe"
    PID: 2020
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hevnhrxazn.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hevnhrxazn.exe"
      PID: 1704
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 201KB
  MD5: bc17e821b2bf7340c20dabf82a5edbee
  SHA1: 38089a83bc5dea7ad162b3c0b3e32eb2239e291d
  SHA256: 6eac0348b8012f2927c8afc32975096e941ff033f72b1369aeb6f85c507cd717
  SHA512: fd0f1868dc49d42a4408bd4a85404e0a17a271697937445c65d4c8e8cdab01bebdfd81d0f58814d24a1deff18f7b6ee17b9b4933611fb461ec61e694c6736ca8
- Filesize: 300KB
  MD5: 238a3b33f9625d9ab33fdfbfa1b52c9b
  SHA1: d5fa3eef63f6a133a1eb7ef37871ce363e0de63b
  SHA256: 48bfecaa62d330e814755c6bb4878c65107446156ecbe95309ef413c4aedaeab
  SHA512: 8caaa1a17cc989ce565ce410b99e634151e5b5df2fa214fee7caccc67af833ee3c916a14b97338034a0f4eef6e75dc25c6743c41c007d2c8b2a5919a418a8e58