Analysis
max time kernel: 109s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 25/08/2024, 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: 544edf100b10c476b64a94d57bcdb420N.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 544edf100b10c476b64a94d57bcdb420N.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240708-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240802-en
General
Target: 544edf100b10c476b64a94d57bcdb420N.exe
Size: 263KB
MD5: 544edf100b10c476b64a94d57bcdb420
SHA1: 4b079dcf9c9cb9b5d83c8b851452d6167c513ee8
SHA256: 6bd8752721961021fe3356cc8d86fe4eb0a047da99d7a12a6b259bc8a8e8a69c
SHA512: f62c34a13839c7dbc057488968cf66709271b16d6bc677c9e4454ec8d04aef37eb8b0a4f95b295516626f82e4027d6d20088ae30a7593d036f1e9c9eedd6aa52
SSDEEP: 6144:DsJgrxS5aqAO3dRgCP2whbyrIq/jWPbO46sLcLOfj:uglS5aJO3YCPfhbyrX/mbObrOfj
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: justinalwhitedd554.duckdns.org:7632
C2: paymentmaba.sinsincity.com:7632
Mutex: 6a8cfd5d-4b59-4ef3-89b5-b939bcb234ae
Attributes:
activate_away_mode: true
backup_connection_host: paymentmaba.sinsincity.com
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-01-27T18:21:44.903118536Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 7632
default_group: Faggy
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 6a8cfd5d-4b59-4ef3-89b5-b939bcb234ae
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: justinalwhitedd554.duckdns.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: true
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
Loads dropped DLL (2 IoCs)
  pid   Process
  2696  544edf100b10c476b64a94d57bcdb420N.exe
  2696  544edf100b10c476b64a94d57bcdb420N.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\xpygqypvqjckon = "C:\\Users\\Admin\\AppData\\Roaming\\yevoijortgqwde\\kwvsicwa.exe"
  Process: 544edf100b10c476b64a94d57bcdb420N.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2696 set thread context of 2780
  pid: 2696
  Process: 544edf100b10c476b64a94d57bcdb420N.exe
  procid_target: 31

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  544edf100b10c476b64a94d57bcdb420N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  2696  544edf100b10c476b64a94d57bcdb420N.exe
  2696  544edf100b10c476b64a94d57bcdb420N.exe
  2696  544edf100b10c476b64a94d57bcdb420N.exe
  2696  544edf100b10c476b64a94d57bcdb420N.exe
  2780  MSBuild.exe
  2780  MSBuild.exe
  2780  MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2780  MSBuild.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2696  544edf100b10c476b64a94d57bcdb420N.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2780
  Process: MSBuild.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  description                         pid   Process                                procid_target
  PID 2696 wrote to memory of 2780    2696  544edf100b10c476b64a94d57bcdb420N.exe  31
  PID 2696 wrote to memory of 2780    2696  544edf100b10c476b64a94d57bcdb420N.exe  31
  PID 2696 wrote to memory of 2780    2696  544edf100b10c476b64a94d57bcdb420N.exe  31
  PID 2696 wrote to memory of 2780    2696  544edf100b10c476b64a94d57bcdb420N.exe  31
  PID 2696 wrote to memory of 2780    2696  544edf100b10c476b64a94d57bcdb420N.exe  31
Processes
1. C:\Users\Admin\AppData\Local\Temp\544edf100b10c476b64a94d57bcdb420N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\544edf100b10c476b64a94d57bcdb420N.exe"
   PID: 2696
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\544edf100b10c476b64a94d57bcdb420N.exe"
      PID: 2780
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 11KB
MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c