Overview

overview

10

Static

static

10

26321ed18a...d7.exe

windows7-x64

10

26321ed18a...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/06/2024, 01:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe

  • Size

    296KB

  • MD5

    ec03c8da575fa5ee4745506b340968e6

  • SHA1

    357374aa9b28d6571ebcf3b535b3cd8fe85eebba

  • SHA256

    26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7

  • SHA512

    2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a

  • SSDEEP

    6144:ou+rdxKERB7nPpuU8Dh1tUS/fqLaiU6xVB3Y8TTp6VmSyp7jk:gdxK8B7nAU87tabNNTd6VnypU

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

munan.duckdns.org:3637

munabc.duckdns.org:3637
Mutex

4d5a1bc9-ba60-4ed4-85d1-96a1836c92b0

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    munabc.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-09-24T00:04:44.813706136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3637

  • default_group

    MUNA

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4d5a1bc9-ba60-4ed4-85d1-96a1836c92b0

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    munan.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Detects executables packed with SmartAssembly 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe
    "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"
      2⤵
        PID:4876
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1776
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"
        2⤵
          PID:4904
      • C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
        C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4480
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          2⤵
            PID:4248
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"
            2⤵
              PID:1548
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4128
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
                3⤵
                • Scheduled Task/Job: Scheduled Task
                PID:4944
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"
              2⤵
                PID:4448
            • C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
              C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
              1⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:3180
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                2⤵
                  PID:2016
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"
                  2⤵
                    PID:2588
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3184
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
                      3⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:4108
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"
                    2⤵
                      PID:5072
                  • C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
                    C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:4484
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      2⤵
                        PID:4388
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"
                        2⤵
                          PID:4460
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
                          2⤵
                            PID:3940
                            • C:\Windows\SysWOW64\schtasks.exe
                              schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f
                              3⤵
                              • Scheduled Task/Job: Scheduled Task
                              PID:4504
                          • C:\Windows\SysWOW64\cmd.exe
                            "cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"
                            2⤵
                              PID:4572

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DDfiles.exe.log
                            Filesize

                            520B

                            MD5

                            03febbff58da1d3318c31657d89c8542

                            SHA1

                            c9e017bd9d0a4fe533795b227c855935d86c2092

                            SHA256

                            5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

                            SHA512

                            3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                            Filesize

                            1KB

                            MD5

                            84e77a587d94307c0ac1357eb4d3d46f

                            SHA1

                            83cc900f9401f43d181207d64c5adba7a85edc1e

                            SHA256

                            e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

                            SHA512

                            aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
                            Filesize

                            296KB

                            MD5

                            ec03c8da575fa5ee4745506b340968e6

                            SHA1

                            357374aa9b28d6571ebcf3b535b3cd8fe85eebba

                            SHA256

                            26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7

                            SHA512

                            2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a

                            Download Submit

                          • memory/1312-20-0x00000000065B0000-0x00000000065BC000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1312-23-0x0000000006600000-0x0000000006612000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/1312-6-0x0000000074C00000-0x00000000753B0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/1312-38-0x0000000074C00000-0x00000000753B0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/1312-8-0x0000000004E80000-0x0000000004F12000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/1312-9-0x0000000004F20000-0x0000000004FBC000-memory.dmp

                            Filesize

                            624KB

                            Download

                          • memory/1312-12-0x0000000004E40000-0x0000000004E4A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/1312-14-0x00000000051C0000-0x00000000051CA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/1312-16-0x0000000005370000-0x000000000538E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/1312-15-0x00000000051D0000-0x00000000051DC000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1312-17-0x0000000005E20000-0x0000000005E2A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/1312-31-0x0000000006890000-0x00000000068F6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/1312-21-0x00000000065C0000-0x00000000065DA000-memory.dmp

                            Filesize

                            104KB

                            Download

                          • memory/1312-4-0x0000000000400000-0x000000000043A000-memory.dmp

                            Filesize

                            232KB

                            Download

                          • memory/1312-26-0x0000000006630000-0x0000000006644000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/1312-25-0x0000000006620000-0x000000000662E000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/1312-24-0x0000000006610000-0x000000000661C000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1312-22-0x00000000065F0000-0x00000000065FE000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/1312-30-0x00000000066B0000-0x00000000066C4000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/1312-29-0x0000000006680000-0x00000000066AE000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/1312-28-0x0000000006670000-0x000000000667E000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/1312-27-0x0000000006640000-0x0000000006654000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/2576-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2576-3-0x0000000074C00000-0x00000000753B0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/2576-7-0x0000000074C00000-0x00000000753B0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/2576-2-0x0000000005480000-0x0000000005A24000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/2576-1-0x0000000000580000-0x00000000005D0000-memory.dmp

                            Filesize

                            320KB

                            Download