Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/09/2024, 14:53 UTC

General

  • Target

    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe

  • Size

    234KB

  • MD5

    74c354622f46923bee5182ca63fc1143

  • SHA1

    6da3cb0a0fc7f16d9dccb864215ccaf3f840129d

  • SHA256

    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572

  • SHA512

    f4232ee760c73db6158a4dd67a212e49d6d9b76d030be95b6089d3229551215efcb68c705b2fe2fa7ce8609a6f11381bfc70a054d55555ec36a4c993a0ec66f5

  • SSDEEP

    6144:E7M9XS2Sf+57gXUYtltyOfYRd3UXon7qI8P5uwwW8oDLNxg:E4VB4UUlZYRd3UC7P+fwW8oDLP

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

91.233.116.105:3389

127.0.0.1:3389

Mutex

810685ff-01a4-43b6-a373-41359790eaeb

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-08-07T14:02:20.733284136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    3389

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    810685ff-01a4-43b6-a373-41359790eaeb

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    91.233.116.105

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Drops file in Program Files directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    "C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
      C:\Users\Admin\AppData\Local\Temp\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2552

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    69.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.134.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.134.221.88.in-addr.arpa
    IN PTR
    Response
    18.134.221.88.in-addr.arpa
    IN PTR
    a88-221-134-18.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    14.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 91.233.116.105:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    208 B
    4
  • 91.233.116.105:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    208 B
    4
  • 91.233.116.105:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    208 B
    4
  • 127.0.0.1:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
  • 127.0.0.1:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
  • 127.0.0.1:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
  • 91.233.116.105:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    208 B
    4
  • 91.233.116.105:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    208 B
    4
  • 91.233.116.105:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    208 B
    4
  • 127.0.0.1:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
  • 127.0.0.1:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
  • 127.0.0.1:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
  • 91.233.116.105:3389
    f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe
    208 B
    4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    69.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    69.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f22478abb9f74da96c1d0b69eb1e0326f4a882de03711d29be2fe286fc6e2572.exe.log

    Filesize

    42B

    MD5

    84cfdb4b995b1dbf543b26b86c863adc

    SHA1

    d2f47764908bf30036cf8248b9ff5541e2711fa2

    SHA256

    d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

    SHA512

    485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

  • memory/2552-9-0x00000000058E0000-0x000000000597C000-memory.dmp

    Filesize

    624KB

  • memory/2552-12-0x00000000057A0000-0x00000000057AA000-memory.dmp

    Filesize

    40KB

  • memory/2552-21-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/2552-3-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/2552-20-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/2552-7-0x0000000005D50000-0x00000000062F4000-memory.dmp

    Filesize

    5.6MB

  • memory/2552-8-0x0000000005840000-0x00000000058D2000-memory.dmp

    Filesize

    584KB

  • memory/2552-18-0x0000000005D40000-0x0000000005D4A000-memory.dmp

    Filesize

    40KB

  • memory/2552-17-0x0000000005B40000-0x0000000005B5E000-memory.dmp

    Filesize

    120KB

  • memory/2552-10-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/2552-11-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/2552-15-0x0000000005830000-0x000000000583A000-memory.dmp

    Filesize

    40KB

  • memory/2552-16-0x0000000005820000-0x000000000582C000-memory.dmp

    Filesize

    48KB

  • memory/3016-2-0x0000000004FD0000-0x0000000004FD6000-memory.dmp

    Filesize

    24KB

  • memory/3016-0-0x000000007457E000-0x000000007457F000-memory.dmp

    Filesize

    4KB

  • memory/3016-19-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/3016-6-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/3016-1-0x0000000000670000-0x00000000006B4000-memory.dmp

    Filesize

    272KB