Overview

overview

10

Static

static

3

Mille rais...cr.exe

windows7-x64

10

Mille rais...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2024, 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Mille raisons de venir.scr.exe

  • Size

    2.2MB

  • MD5

    ebb76f0ad42d838df23137b3321d79ff

  • SHA1

    946ea76180d53a3049ea7a3b07403ee628b9fac2

  • SHA256

    79f7fa86d8dba1349208fa8c36663deb9d6c91a2be54b43d2fc6b7cb78039023

  • SHA512

    6ae67476a9442ab9b81765e5fd2a43f68f90139568494eac590a95763ba4ed92281994b63a4ad54e0a79c7149550a3bbf329705fa8537847343c148dfdaf61a3

  • SSDEEP

    49152:G+78xSwy+c0Hq9rm2ZHosBnsKXdniYM48E/pa/ZOovp/:Gs8xAJ0K95HBdlM1yQxOoB

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

e-businessloader.mywire.org:5230

127.0.0.1:5230
Mutex

0be0e5d9-4209-4f88-b4fe-27e7b678a0b5

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-03-16T21:32:38.702958636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    5230

  • default_group

    e-business

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    0be0e5d9-4209-4f88-b4fe-27e7b678a0b5

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    e-businessloader.mywire.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 35 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mille raisons de venir.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\Mille raisons de venir.scr.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Users\Admin\AppData\Local\Temp\START UP56571 HVNCmultipleonlinegahiddenzonline.organiccrap.com.exe
      "C:\Users\Admin\AppData\Local\Temp\START UP56571 HVNCmultipleonlinegahiddenzonline.organiccrap.com.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2108
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
        3⤵
          PID:4572
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
          3⤵
            PID:2972
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3360
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "%FileName%" /tr '"C:\Users\Admin\AppData\Local\Temp\%PathName%\%FileName%"' & exit
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1336
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "%FileName%" /tr '"C:\Users\Admin\AppData\Local\Temp\%PathName%\%FileName%"'
                5⤵
                • Scheduled Task/Job: Scheduled Task
                PID:1032
        • C:\Users\Admin\AppData\Local\Temp\Mille raisons de venir.scr.exe
          "C:\Users\Admin\AppData\Local\Temp\Mille raisons de venir.scr.exe"
          2⤵
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2676
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2944
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4396

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133659583417450028.txt
        Filesize

        75KB

        MD5

        b96b088406f9c766e6ddb2de3a01bab4

        SHA1

        cc32ab4f3d315e7b9c8ba0a91833075bfbfd2a45

        SHA256

        da8d6bb0376d7e43a28025181b6ad340e23acbe8c85a19524d6cf3461ea45aed

        SHA512

        a96c2cb1e1c49491be196d0694e5bc5bc8d5d06c82bf45e53518a1a880bc50b5d0d6cff231e3a774395e9fb15681bace9bf67fd827a08b3616c4b08ce4fbad5a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\START UP56571 HVNCmultipleonlinegahiddenzonline.organiccrap.com.exe
        Filesize

        81KB

        MD5

        9b29882a89479f767da3b09801923161

        SHA1

        2bd104943d235848840e77a36fb008f81525fc56

        SHA256

        618bb7302570fb60d0710fbdc2123c5c0f969615587652722e4385fa0b5ed966

        SHA512

        a59240907aa2a12d0d2693f9c8c32a0e4df43d1f7cd5df7d4df5dccf376a618ab280bb8d97a42b3743114710e8a784bea9f0a682b14135fc83b0cdd5c7468b06

        Download Submit

      • memory/1540-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1540-1-0x0000000000780000-0x00000000009B0000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1540-2-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-3-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-4-0x00000000072E0000-0x000000000752A000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-5-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-6-0x00000000748AE000-0x00000000748AF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1540-7-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-8-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-11-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-9-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-15-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-23-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-29-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-31-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-39-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-37-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-35-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-33-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-27-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-25-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-19-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-21-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-18-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-13-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-43-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-46-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-55-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-69-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-67-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-71-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-65-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-64-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-59-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-57-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-61-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-53-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-49-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-47-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-51-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-41-0x00000000072E0000-0x0000000007524000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/1540-4882-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-4883-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-4884-0x0000000007630000-0x00000000076B6000-memory.dmp

        Filesize

        536KB

        Download

      • memory/1540-4885-0x00000000071F0000-0x000000000723C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1540-4886-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-4887-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1540-4899-0x0000000008130000-0x00000000086D4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1540-4900-0x00000000011A0000-0x00000000011F4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1540-4908-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2272-4905-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2272-4904-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2272-4903-0x0000000004C30000-0x0000000004CC2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2272-4902-0x0000000000320000-0x000000000033A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2272-4906-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2272-4934-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2676-4909-0x00000000007A0000-0x00000000007D8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2676-4910-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2676-4911-0x0000000004D90000-0x0000000004D9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2676-4913-0x0000000004E10000-0x0000000004E1A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2676-4914-0x0000000005A50000-0x0000000005A6E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2676-4915-0x0000000005A90000-0x0000000005A9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2676-4918-0x00000000062F0000-0x00000000062FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2676-4919-0x0000000006300000-0x000000000631A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2676-4920-0x0000000006330000-0x000000000633E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2676-4921-0x0000000006340000-0x0000000006352000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2676-4924-0x0000000006370000-0x0000000006384000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2676-4923-0x0000000006360000-0x000000000636C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2676-4925-0x0000000006380000-0x0000000006390000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2676-4926-0x00000000063A0000-0x00000000063B4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2676-4922-0x0000000006350000-0x000000000635E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2676-4927-0x00000000063C0000-0x00000000063CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2676-4929-0x0000000006400000-0x0000000006414000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2676-4928-0x00000000063D0000-0x00000000063FE000-memory.dmp

        Filesize

        184KB

        Download

      • memory/2676-4930-0x0000000006860000-0x00000000068C6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2676-5105-0x00000000748A0000-0x0000000075050000-memory.dmp

        Filesize

        7.7MB

        Download