Resubmissions

05-08-2024 18:52

240805-xjempavemr 10

05-08-2024 18:51

240805-xhhyqayejf 10

Analysis

  • max time kernel
    46s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-08-2024 18:52

General

  • Target

    waveTool.exe

  • Size

    544KB

  • MD5

    a1d84d4f688025921352cd3d9f100461

  • SHA1

    6d905fa87c926af0ba5ded4b6585417449fc5b1a

  • SHA256

    5e7118d4d85c86fe2f3b98541694f1fcecb4cfc3c5de57ba2e9fffed7335a41f

  • SHA512

    2a492172d3db0669eff0ac8c1f358638c38578c72d1311e3a80d3614d969728187c62643e0b53956f8cd86adf2d2383d91e74d51234f5c2f5cbde32a80a77ee6

  • SSDEEP

    12288:2QnZ4kCDyG3HvxPUHLoSOaKjCObx3DXHcvPX1KeE9YJ:9nZ4kCTPxhDEOFzHc3X0eZ

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

127.0.0.1:54984

Mutex

c2061050-265f-4002-913c-ea1f49d7f810

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-05-17T20:07:09.307958536Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    3814

  • connection_port

    54984

  • default_group

    Default

  • enable_debug_mode

    false

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    29991

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    c2061050-265f-4002-913c-ea1f49d7f810

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    127.0.0.1

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    4997

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\waveTool.exe
    "C:\Users\Admin\AppData\Local\Temp\waveTool.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Users\Admin\AppData\Local\Temp\waveTool.exe
      "C:\Users\Admin\AppData\Local\Temp\waveTool.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=waveTool.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2932 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2552

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

    Filesize

    579B

    MD5

    f55da450a5fb287e1e0f0dcc965756ca

    SHA1

    7e04de896a3e666d00e687d33ffad93be83d349e

    SHA256

    31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

    SHA512

    19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

    Filesize

    252B

    MD5

    7afcbdd0a0f8782023c993d0013c8f23

    SHA1

    3ec6c646d278821f2eaadec1c9259b00641dfc58

    SHA256

    7d868fdfc103299bbed0f63bab6971e8cadffd16e6b5748a957ca70bfbed8cd2

    SHA512

    c717688a5198843503ecf0948394893240fe3d2f43988ef7b013c428c87daad0f413700124fd5eb49e2326d32627198d3bd9f886e7105cd53a15339a71c9853c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c2eee54b4deafcb7999bd6d9411fd86c

    SHA1

    6fd647eb7e1b0347e626853c588d3f37d1d76866

    SHA256

    a7c72d68e5eb636af0109156b1686157b29c9aa05e1055cbc00b203e3a99462c

    SHA512

    d18e51c0471d2130aef2ad9d2defca2a3eb697a34eff420b6eeeb1273378ddf9801667e293b79e2479181697a5e12ccdaf80949e759edf7c5a87130571c0d1df

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e76f1c4a4f2719956e5d2460094190aa

    SHA1

    753906431408789f75b5cb8134729985d909e1f8

    SHA256

    34c6fa4807ebd9ea6a2950f99bb4e3a23d0c2e60088892f542ae081298688eae

    SHA512

    54a1a627e9a6bbeccb7fcb6c218324019daece7168bf9176bf9370da6947b1bd65ecf3976f231e0ed86e90f072607a353c6f7d05add8f173e07169c007c1e08d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0f126badc429808f3b84b5c5451d2d1a

    SHA1

    0cfe9da1f7adab868b0e5e93f350bcc604d8f8fc

    SHA256

    a9859f48d9224c3b26ab80b5b275fff26aec67258e473e2d79ca8a7e8c53c9fc

    SHA512

    e7621cc2129ffe5a1b30f26dbe8986abd77652dd590e0095ad00818d35330c10bf38cf4eeb8bb0d63f424442ac4fa71de5eaf8b57c4df886c6dfbcc7e23cdef2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    9c33821d74b9021d238063da3f897326

    SHA1

    206f3d27cdf8d55b392c0286e122cf3417ef3540

    SHA256

    39f1721fabdc0ad9909af9d0e5d1f12c5225f4bd3fd9833cbd0b649795f721d0

    SHA512

    5049dc29aa7744fef1969c81e337ab7d6a1391e08aa1c15ac8999139c1fd07ce1269ac556606fa746585dbf6eb6ec6a662f1c570d9ff4ca25e39f663d4d17270

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b120f918c2c241a08d910a1120541f50

    SHA1

    9a008720029fe99a7e7255a938ed3eb59844c5dc

    SHA256

    960aa08cdf0ea6458bbfc13f43397645d4c2477dbb8f8e1daf61441247729d00

    SHA512

    4ebe43819d45d92e7ddf8a1a5bcf8e9659c09cba31241f16313e09f4d856f818281e588a7e8a1cc80a85061ea1f3b296787d5008c07749858988e28f428b7233

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    05ed9ad8bf76c70e39fe05a2f4f8e6c0

    SHA1

    6eb428126d89c842d128a9115ddba47d98e2dfad

    SHA256

    3ae5f636af02d02fb09295ccd034eb5f90dae6f4996c256498054181a516a023

    SHA512

    2c98205c10174c352269d1230076f3d2c0fbfa3f8ae69a5b09c46d897143d47e30117d468fb5da9df2b0e0776d212eec2ce8a8fe8eabe622875a991a0c455ee3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6d1497c148906e5fefa7af762e269c0d

    SHA1

    c2298945ccba4e21fd8f78d6cdb1e441074c0e71

    SHA256

    f13dd82a595cce6321a17c7efb26784c4a05f28267626338d32788a5001380da

    SHA512

    54028ae2ecfb4268c834c09cc1f5cba0058f86b85e459d8e2b007e3bfb447608a0675855ac2a36182b28aec183c7dcd906b57068af70a74b07df38030362655a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1eed9e1454efbbee9527675dd93d85f7

    SHA1

    2dab5b3d6a394e2fa17d266889fd1cb6e5459c30

    SHA256

    a65f922532ff169d44fe715ff8e6b5e46ba61fbf44eeda393dc099c50f1b1d68

    SHA512

    8c28fe5791a0c9e64528dface0406f7abf5930cc932b0a8f837962ffbcdade7af464e67921554c3499cd377e440c00cb2f211a7c5c3e89589b5004ccc2a11bdb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b037e637a689857888c0bda46d4845ce

    SHA1

    c4d19f250d84dc1e27a9c201b1473da6f3f40b41

    SHA256

    bfb024c30be4320b0afb21ccafafed2fb120cfe5ab5eab5660ecc0136fb21fc5

    SHA512

    c0ec1db84c509731a70716e168ec0348bfa85acf0f2799d421feabd7036a0d96854f9f05f1629b8ac696d951d78c20922af16808e09013616ba38b0841586d80

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    44018e901969ad1cd71162002428c0f2

    SHA1

    2cd62d2a382aa6c8b16e964e379b3094efbc63e9

    SHA256

    67142526e8390691052af91a5dec22b1b0684ba2a7dca72ab07b509f482f0e57

    SHA512

    5817ebf46056ce7c98a39a9ba257ebc1b02533c2cef5c1940fc98e85f5592b09f6212896888c69007a6e6edabf7edf23d8957dbfd8a0a62542f5731400758e71

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    508d42503f3d200881a86ffa4c96a92f

    SHA1

    a3d913ae314810fa21ef756a6d8bbeb588a8b3a7

    SHA256

    d8ea19c6076faaee992f732f23195e7056a0ffd3d300af3ffc6f26d5f67b2943

    SHA512

    1e8131b1ca0e45b6c3d5f34db1d63ea42466ce303bcd1979687222e18d3bbc4676775d24a4cbf80591e3b9b72609f4158f2731e5298484463a8ee5e1e5915bc4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0d06efa8c902e84a7f66083480505c78

    SHA1

    6f3455cbe80210d6a18ac67de492ade8403ba5b2

    SHA256

    ed04ab2bd0cdad6dad99ce3fa87de9263467917f992c8896e856a2e3893630b5

    SHA512

    b77d5193657bc456eb506866ad844f0185575349db11b091e7470b1815c49a5624f5e93d049866656cb5f56ab6be7eaf4e6033020135dbd5ca1c193433773d8e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    db055a42dcdf72ff8f72d0995ed6b5d9

    SHA1

    c89f905c94afd647d19ccebc4420e660287e1290

    SHA256

    a2c127d50ad2e5b517e3fd07241ea4b4ea686d19189e4c09384024b57b677bb3

    SHA512

    2976c2dc8242de61a825bd94f8dcd00b2872bc4ebaebc5ee6de9c2d07cc6dcf34faf0f4ca4a95800e1056c340bf369ed09c51e04a9783b2502d15e29f8e104b5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bd39d230ba640834a3bafcada1fd5ee8

    SHA1

    f309c08c0d41b87b3993722e7ad8f1bc207d90a9

    SHA256

    6cf9357ae92c3a8bce1abfba32ad5d008e4ce6330b441a7c9a17b40079a4ea48

    SHA512

    9cafdfa01fbe338f7ccc35d141d0e8a33c5903061cd9350eb3b9cd0adf40e5727126ba5edc14b4cac467882637dad5d2df3e7abe8fb69a200123027bd887d3a5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3e5ff8f3f7363e58739c6a8abedfc7f0

    SHA1

    472471a9b13b56f4d68d4e8ce903aa21f897fa83

    SHA256

    9985a207cedd2502438880cb78bb0a16b038776db535c010acbd8434cbcebcdf

    SHA512

    ae5917ba8526e54ad0673d346db68f8b24c1136ebc8da7bcc0fc990016008a06a5d80ada50b6f3e151e69bf19ce4d43a7bfd9e2affc058b56c9aae6032645afb

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    df535605fddfc72f787407b25f16a02b

    SHA1

    a1d7e56b54f40d45dc94b2ed51802a934f327d9b

    SHA256

    c37bc8df28c475ff34e487fc8ac8b255cf65fe41bfb03e0164e88b083a2fffef

    SHA512

    4a32ad69ef3486b2ccc80e078b1bcd9e3763cbb6c850175807e76df1a6cc2454294a2280f4f1a9d86ea23c22ed39d0f84cc4f54ade275911343b907a394858ae

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    477490dd7e4e47896aaaebd6bd35e39c

    SHA1

    615c69b584158c123602406d6d3044a26d6404cb

    SHA256

    0910af98595bc39a0ef10783da86704b5b5e635d0d8fd598ac17db5fd9a11460

    SHA512

    517801d347b9d96a5c9361ceee5481b8939305879efcc72a2588d84513f48c0a5d52db604037f67cd80a6cb1045f5e1b35539e94f528ee65414b3ac861b0f7f1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    14a97eb0b6faae37c6c14297c6e4c905

    SHA1

    c5652e51215a980f2fd2ff101da02025b4d8262d

    SHA256

    7e49a25ecbdadee13f957d61d3a40d4e8658d5478d51a254e67706ace32752f0

    SHA512

    240193edd36e48bbd8d2e73133058dd1349dda2d2963019ed8e574c7548a2e873a843a88e91de78872ca7d3084a3cf8f276f2328f3477cc04008f3076eea4e90

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    415e8ec01d28cc0d11c716b03d1ea85b

    SHA1

    9dabc4b6d97157c0353a94beae9fd5c957917ee6

    SHA256

    2f6b5d8cef9175b8e3c0f00fb02a1ab0186e4e44e264d835fdade54f1d9fd45c

    SHA512

    6b6d8b8930140d8764c1b6a838c5d46b069905fe315a172ddc6744d52264aa64ef2d14a498fbb1c945d5bef26b370d57655f135467662c1f10609c4b692dae13

  • C:\Users\Admin\AppData\Local\Temp\Cab3E79.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar3F37.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2708-4-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2708-1-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2708-9-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2708-7-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2708-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2764-5-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB