Overview

overview

10

Static

static

3

DOC-T53429...BL.exe

windows7-x64

10

DOC-T53429...BL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    20/11/2023, 08:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    DOC-T534299200-MTLBS63494-SBLVT8376- MAERSKLINE VOYAGE-BL-20231117.pdf/DOC-T534299200-MTLBS63494-SBL.exe

  • Size

    1.1MB

  • MD5

    5374e59df4173dae04ac7d32c2d86f73

  • SHA1

    6f155523a15cf75da3da4f68497c2bfc193aa697

  • SHA256

    15eb2661ad7f1b8fe7ab9b64b4b1daf4abd3e322a980ed02f474253ea506f243

  • SHA512

    a65615104a467a1b6bc64b3a574acdcad30a1de35aec14701807d6e50892b2603612159841fc1df1c49ba6e1b2e63e936e1dcb36ce73472923d07153a39e10f8

  • SSDEEP

    24576:FHlEonyixAaqs6k2fHta5FPr+mpmNEkLgQVCe1BWC0u:bEonZb6kcH83Pr+mEawgeCejWC0u

Score
10/10
nanocorekeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

slucasanderson.ddns.net:54357

Mutex

51f1b65d-a9f7-49be-866e-8f5e473b37dc

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    slucasanderson.ddns.net

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2023-04-07T16:12:16.438532636Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    54357

  • default_group

    slucasanderson

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    51f1b65d-a9f7-49be-866e-8f5e473b37dc

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    slucasanderson.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DOC-T534299200-MTLBS63494-SBLVT8376- MAERSKLINE VOYAGE-BL-20231117.pdf\DOC-T534299200-MTLBS63494-SBL.exe
    "C:\Users\Admin\AppData\Local\Temp\DOC-T534299200-MTLBS63494-SBLVT8376- MAERSKLINE VOYAGE-BL-20231117.pdf\DOC-T534299200-MTLBS63494-SBL.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DOC-T534299200-MTLBS63494-SBLVT8376- MAERSKLINE VOYAGE-BL-20231117.pdf\DOC-T534299200-MTLBS63494-SBL.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NNQXxJO.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2780
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NNQXxJO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9425.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2632
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "TCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2816
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "TCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA14F.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2900

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp9425.tmp
          Filesize

          1KB

          MD5

          e769ad8a4a6ee578ccdd088eee9b4307

          SHA1

          c4cef7731663ba2139742882743d169da8e8e957

          SHA256

          d7362db07b561a1ccb9f63cc32074a22a39e56343b92169710846f414c814dd7

          SHA512

          6fc5fe45c40eabf7ede2314a05e38b02605affd359d7ece7348d83b68224f086efd681c92105edbad7740bf80dd4390d63bfdb1aeaf35453a67036d40775a185

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp9FE7.tmp
          Filesize

          1KB

          MD5

          8cad1b41587ced0f1e74396794f31d58

          SHA1

          11054bf74fcf5e8e412768035e4dae43aa7b710f

          SHA256

          3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

          SHA512

          99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpA14F.tmp
          Filesize

          1KB

          MD5

          9ef09eeae52de0c7c7f111b945ba440c

          SHA1

          e5243c92416fd37f7b50c5ea741a97cd2ad9e85e

          SHA256

          8099de047cf1922f883b400d6a032d93e6f88ede5e4f7c12d81cbe66ed5627dc

          SHA512

          89f421d149cab49aa828f2bef79769152001dc8ca3fc65d79a824a9d9d1cfe1a38c3f9ee2f228b079f44cae6ff421a7672e059df13f855061e970b664513d6a2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PN72V42D49GIPHC63Y3N.temp
          Filesize

          7KB

          MD5

          160ec9fcb1bba24ad365754979eee750

          SHA1

          18b8d939291773b11a9e3fbd2b42e9ef6b35f417

          SHA256

          a9b1627864cb6cce0bf70fb8fc81a4c1d35133f2eb2e05ce8ed2a6497aa38181

          SHA512

          b304130a123f1a4885641e8bd83a8f5f0a1f09f5935d3a6aec56f220135e622311278f593fa64e831dd3a10b8360b5e832fd154ce6d783481fc2418242883974

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          160ec9fcb1bba24ad365754979eee750

          SHA1

          18b8d939291773b11a9e3fbd2b42e9ef6b35f417

          SHA256

          a9b1627864cb6cce0bf70fb8fc81a4c1d35133f2eb2e05ce8ed2a6497aa38181

          SHA512

          b304130a123f1a4885641e8bd83a8f5f0a1f09f5935d3a6aec56f220135e622311278f593fa64e831dd3a10b8360b5e832fd154ce6d783481fc2418242883974

          Download Submit

        • memory/1244-31-0x0000000074050000-0x000000007473E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1244-0-0x0000000000190000-0x00000000002AE000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1244-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1244-3-0x0000000000380000-0x0000000000396000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1244-4-0x00000000003A0000-0x00000000003AA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1244-5-0x0000000005570000-0x0000000005618000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1244-1-0x0000000074050000-0x000000007473E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2516-57-0x0000000000790000-0x00000000007AA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2516-61-0x0000000000880000-0x000000000088C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2516-26-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2516-28-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2516-30-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2516-22-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2516-71-0x0000000000600000-0x0000000000640000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2516-70-0x0000000000600000-0x0000000000640000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2516-69-0x0000000074050000-0x000000007473E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2516-67-0x0000000002240000-0x0000000002254000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2516-66-0x0000000002200000-0x000000000222E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2516-37-0x0000000074050000-0x000000007473E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2516-65-0x00000000021B0000-0x00000000021BE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2516-64-0x00000000009E0000-0x00000000009F4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2516-20-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2516-19-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2516-47-0x00000000003F0000-0x00000000003FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2516-48-0x00000000004F0000-0x00000000004FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2516-49-0x0000000000580000-0x000000000059E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2516-50-0x00000000005A0000-0x00000000005AA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2516-51-0x0000000000600000-0x0000000000640000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2516-63-0x00000000009D0000-0x00000000009E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2516-62-0x00000000009C0000-0x00000000009D4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2516-56-0x0000000000780000-0x0000000000792000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2516-18-0x0000000000400000-0x000000000043A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2516-58-0x0000000000800000-0x000000000080E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2516-59-0x0000000000860000-0x0000000000872000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2516-60-0x0000000000870000-0x000000000087E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2516-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2620-52-0x000000006EFF0000-0x000000006F59B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2620-38-0x0000000000350000-0x0000000000390000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2620-33-0x000000006EFF0000-0x000000006F59B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2780-54-0x000000006EFF0000-0x000000006F59B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2780-39-0x0000000002530000-0x0000000002570000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2780-36-0x0000000002530000-0x0000000002570000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2780-35-0x000000006EFF0000-0x000000006F59B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2780-34-0x0000000002530000-0x0000000002570000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2780-32-0x000000006EFF0000-0x000000006F59B000-memory.dmp

          Filesize

          5.7MB

          Download