Overview

overview

10

Static

static

3

f22478abb9...72.exe

windows7-x64

10

f22478abb9...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2024 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe

  • Size

    234KB

  • MD5

    74c354622f46923bee5182ca63fc1143

  • SHA1

    6da3cb0a0fc7f16d9dccb864215ccaf3f840129d

  • SHA256

    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572

  • SHA512

    f4232ee760c73db6158a4dd67a212e49d6d9b76d030be95b6089d3229551215efcb68c705b2fe2fa7ce8609a6f11381bfc70a054d55555ec36a4c993a0ec66f5

  • SSDEEP

    6144:E7M9XS2Sf+57gXUYtltyOfYRd3UXon7qI8P5uwwW8oDLNxg:E4VB4UUlZYRd3UC7P+fwW8oDLP

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

91.233.116.105:3389

127.0.0.1:3389
Mutex

810685ff-01a4-43b6-a373-41359790eaeb

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-08-07T14:02:20.733284136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3389

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    810685ff-01a4-43b6-a373-41359790eaeb

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    91.233.116.105

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    "C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
      C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2796-13-0x00000000004B0000-0x00000000004BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2796-10-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2796-18-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2796-3-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2796-5-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2796-7-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2796-17-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2796-9-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2796-16-0x0000000000550000-0x000000000055A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2796-15-0x00000000004E0000-0x00000000004FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2796-14-0x00000000004D0000-0x00000000004DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2968-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2968-8-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2968-1-0x0000000001170000-0x00000000011B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2968-2-0x0000000000360000-0x0000000000366000-memory.dmp

    Filesize

    24KB

    Download