Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/11/2023, 16:51

General

  • Target

    87e9f553b96d552b75210d1a5278039153eedc43e2a10b1166f106e9eba60572exe.exe

  • Size

    608KB

  • MD5

    1e864ccd8567053c95a02ca465fa9084

  • SHA1

    46aa417097ba4262d0502e64d241ffab2406c0c1

  • SHA256

    87e9f553b96d552b75210d1a5278039153eedc43e2a10b1166f106e9eba60572

  • SHA512

    d3295b1b37f8f45b8324961ed065ee2a8c70745016a7b9dcb2d56f114d18f798823ed7b167138ad81d338d455d8de76112a372c34db4dd5792d7deb4ed354503

  • SSDEEP

    12288:pTCQmbCpzkh2Ob06/YNYSiF3F6QGP/juNXfl7p64zpDeh8JqM:ZoUO062YSw4upf/1pIkqM

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rn72836.sytes.net:6696

127.0.0.1:6696

Mutex

3f30b298-001f-4f08-b22c-606b0d3632bd

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-09-08T19:00:17.997607436Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6696

  • default_group

    rn728

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    3f30b298-001f-4f08-b22c-606b0d3632bd

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    rn72836.sytes.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Program Files directory (2 IoCs)
  • Creates scheduled task(s) (1 TTPs, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\87e9f553b96d552b75210d1a5278039153eedc43e2a10b1166f106e9eba60572exe.exe
    "C:\Users\Admin\AppData\Local\Temp\87e9f553b96d552b75210d1a5278039153eedc43e2a10b1166f106e9eba60572exe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Users\Admin\AppData\Local\Temp\87e9f553b96d552b75210d1a5278039153eedc43e2a10b1166f106e9eba60572exe.exe
      "C:\Users\Admin\AppData\Local\Temp\87e9f553b96d552b75210d1a5278039153eedc43e2a10b1166f106e9eba60572exe.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD8BC.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3556
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD979.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3396

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\87e9f553b96d552b75210d1a5278039153eedc43e2a10b1166f106e9eba60572exe.exe.log

          Filesize

          1KB

          MD5

          8ec831f3e3a3f77e4a7b9cd32b48384c

          SHA1

          d83f09fd87c5bd86e045873c231c14836e76a05c

          SHA256

          7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

          SHA512

          26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

        • C:\Users\Admin\AppData\Local\Temp\tmpD8BC.tmp

          Filesize

          1KB

          MD5

          47158b877b6bff2f98a58ab041bec04f

          SHA1

          bfb2da813de1b3f20fa71c2b33ab673fa787c6e0

          SHA256

          4d6d78cb97d61e2a0ac5c407d6b0e42be7d8c2580c41eee67fa0c7de211e7a17

          SHA512

          66a65e28637cac72d75a384cc5f770d762980af6deb5cb7b00d8f6a1b63f7860dbfe0b3f2b62f1abfc0c4909f6aa1ba779b0e7586622dcbc1dba08bd2f68c611

        • C:\Users\Admin\AppData\Local\Temp\tmpD979.tmp

          Filesize

          1KB

          MD5

          b3b017f9df206021717a11f11d895402

          SHA1

          e4ea12823af6550ee634536eec1eb14490580a3b

          SHA256

          654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

          SHA512

          95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

        • memory/2688-6-0x00000000064C0000-0x00000000064DA000-memory.dmp

          Filesize

          104KB

        • memory/2688-4-0x0000000004D40000-0x0000000004D50000-memory.dmp

          Filesize

          64KB

        • memory/2688-5-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

          Filesize

          40KB

        • memory/2688-3-0x0000000004AF0000-0x0000000004B82000-memory.dmp

          Filesize

          584KB

        • memory/2688-7-0x0000000004DE0000-0x0000000004DE8000-memory.dmp

          Filesize

          32KB

        • memory/2688-8-0x0000000004570000-0x000000000457A000-memory.dmp

          Filesize

          40KB

        • memory/2688-9-0x00000000060B0000-0x0000000006122000-memory.dmp

          Filesize

          456KB

        • memory/2688-10-0x0000000009A70000-0x0000000009B0C000-memory.dmp

          Filesize

          624KB

        • memory/2688-1-0x0000000074660000-0x0000000074E10000-memory.dmp

          Filesize

          7.7MB

        • memory/2688-2-0x00000000051A0000-0x0000000005744000-memory.dmp

          Filesize

          5.6MB

        • memory/2688-15-0x0000000074660000-0x0000000074E10000-memory.dmp

          Filesize

          7.7MB

        • memory/2688-0-0x0000000000090000-0x000000000012E000-memory.dmp

          Filesize

          632KB

        • memory/4752-24-0x0000000005370000-0x000000000537A000-memory.dmp

          Filesize

          40KB

        • memory/4752-34-0x00000000069B0000-0x00000000069BC000-memory.dmp

          Filesize

          48KB

        • memory/4752-16-0x0000000005120000-0x0000000005130000-memory.dmp

          Filesize

          64KB

        • memory/4752-11-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/4752-25-0x0000000005F70000-0x0000000005F8E000-memory.dmp

          Filesize

          120KB

        • memory/4752-26-0x00000000060A0000-0x00000000060AA000-memory.dmp

          Filesize

          40KB

        • memory/4752-29-0x0000000006940000-0x0000000006952000-memory.dmp

          Filesize

          72KB

        • memory/4752-30-0x0000000006950000-0x000000000696A000-memory.dmp

          Filesize

          104KB

        • memory/4752-31-0x0000000006980000-0x000000000698E000-memory.dmp

          Filesize

          56KB

        • memory/4752-32-0x0000000006990000-0x00000000069A2000-memory.dmp

          Filesize

          72KB

        • memory/4752-33-0x00000000069A0000-0x00000000069AE000-memory.dmp

          Filesize

          56KB

        • memory/4752-14-0x0000000074660000-0x0000000074E10000-memory.dmp

          Filesize

          7.7MB

        • memory/4752-35-0x00000000069C0000-0x00000000069D4000-memory.dmp

          Filesize

          80KB

        • memory/4752-36-0x00000000069D0000-0x00000000069E0000-memory.dmp

          Filesize

          64KB

        • memory/4752-37-0x00000000069F0000-0x0000000006A04000-memory.dmp

          Filesize

          80KB

        • memory/4752-38-0x0000000006A10000-0x0000000006A1E000-memory.dmp

          Filesize

          56KB

        • memory/4752-39-0x0000000006A20000-0x0000000006A4E000-memory.dmp

          Filesize

          184KB

        • memory/4752-40-0x0000000006A50000-0x0000000006A64000-memory.dmp

          Filesize

          80KB

        • memory/4752-41-0x0000000006C40000-0x0000000006CA6000-memory.dmp

          Filesize

          408KB

        • memory/4752-48-0x0000000074660000-0x0000000074E10000-memory.dmp

          Filesize

          7.7MB

        • memory/4752-49-0x0000000005120000-0x0000000005130000-memory.dmp

          Filesize

          64KB