Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    06/01/2024, 10:50

General

  • Target

    605c35366b7c51d33746d7173b9a5169.exe

  • Size

    1.1MB

  • MD5

    605c35366b7c51d33746d7173b9a5169

  • SHA1

    f75fb8bb1b086ad55461ab18227d35811b4cc5d6

  • SHA256

    4a67899d740ecd593679a000e4fd663474307306640d8862a2d986ba4ce3b189

  • SHA512

    1459976dbc4fc81ace18c90e87cf39149971ed1e796c4e2997e1cb760d7dd299bad8bbef53c6ae7e6ee67e38dcb94c6768e1f7469b0890c28e48f4450c50f5f6

  • SSDEEP

    24576:IxVxBeKif9i/ylluneUyxcaMep/ahpka:I/xBfyPfuneP1Mepy

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

1116.hopto.org:1116

185.140.53.9:1116

Mutex

909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    185.140.53.9

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-02-16T08:43:19.524585136Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1116

  • default_group

    1116

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    909dcd33-e0d7-4bd0-87b2-b7fd2611b6b9

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    1116.hopto.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe
    "C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sjxNYmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:560
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2440
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6EEA.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:952

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp

          Filesize

          1KB

          MD5

          76008acf5c08aa64e40a96ba1cd5e783

          SHA1

          f506f4d5e4743b2c33f3a4d93260c93d7b838245

          SHA256

          8aab931900a539ffb3d82d6c0e3d9d165bd9fe55eac5bff2c13081c7e0528b16

          SHA512

          15615c34dd626a51dd8b4ee54e52a909c773f72341c8d8b4ad070ff8ef36a8e0e27a11747b5b1e3cb2a11d5952c5a54bf268028f718b2e81a97af422285c31cd

        • C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp

          Filesize

          1KB

          MD5

          8cad1b41587ced0f1e74396794f31d58

          SHA1

          11054bf74fcf5e8e412768035e4dae43aa7b710f

          SHA256

          3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

          SHA512

          99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

        • C:\Users\Admin\AppData\Local\Temp\tmp6EEA.tmp

          Filesize

          1KB

          MD5

          ecf141ec69adbb2a5c3dd5c85cd0ec39

          SHA1

          0ad224632fa58d103142c05c44a142f3d7208291

          SHA256

          64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316

          SHA512

          4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201

        • memory/440-23-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/440-27-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/440-44-0x0000000004C00000-0x0000000004C40000-memory.dmp

          Filesize

          256KB

        • memory/440-43-0x0000000004C00000-0x0000000004C40000-memory.dmp

          Filesize

          256KB

        • memory/440-42-0x0000000074310000-0x00000000749FE000-memory.dmp

          Filesize

          6.9MB

        • memory/440-41-0x0000000004C00000-0x0000000004C40000-memory.dmp

          Filesize

          256KB

        • memory/440-13-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/440-15-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/440-17-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/440-19-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/440-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/440-40-0x0000000000460000-0x000000000046A000-memory.dmp

          Filesize

          40KB

        • memory/440-25-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/440-39-0x0000000000440000-0x000000000045E000-memory.dmp

          Filesize

          120KB

        • memory/440-29-0x0000000074310000-0x00000000749FE000-memory.dmp

          Filesize

          6.9MB

        • memory/440-38-0x00000000003F0000-0x00000000003FA000-memory.dmp

          Filesize

          40KB

        • memory/440-30-0x0000000004C00000-0x0000000004C40000-memory.dmp

          Filesize

          256KB

        • memory/2780-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

          Filesize

          256KB

        • memory/2780-1-0x0000000074310000-0x00000000749FE000-memory.dmp

          Filesize

          6.9MB

        • memory/2780-28-0x0000000074310000-0x00000000749FE000-memory.dmp

          Filesize

          6.9MB

        • memory/2780-4-0x0000000074310000-0x00000000749FE000-memory.dmp

          Filesize

          6.9MB

        • memory/2780-0-0x0000000001360000-0x000000000147E000-memory.dmp

          Filesize

          1.1MB

        • memory/2780-3-0x0000000000580000-0x00000000005A2000-memory.dmp

          Filesize

          136KB

        • memory/2780-7-0x00000000011A0000-0x00000000011DA000-memory.dmp

          Filesize

          232KB

        • memory/2780-6-0x0000000004F20000-0x0000000004FA2000-memory.dmp

          Filesize

          520KB

        • memory/2780-5-0x0000000004D70000-0x0000000004DB0000-memory.dmp

          Filesize

          256KB