Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21-09-2024 14:02
General
-
Target
PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe
-
Size
232KB
-
MD5
d07af779817b39b6bcbc1fcdf2975251
-
SHA1
488bfa62a2fd93f5b1be98a3bc47c9bed90bfbf6
-
SHA256
3bd22b44d0b4a141383986eeef066479164316ab6dc14ce6c9c95365784e617b
-
SHA512
40dd24bb9159c21470098eb8272dd7c36f0e6c1b2f5a297bc3a5df53d740d758fc978259b7c6df26835f1bf01568a01e9c07e65316b8fe97506e4c170ad43d33
-
SSDEEP
3072:is7WyoaEZqhKH0oLRLlE/BP2Z1WbYb6VkJxWpFTT/0wmFT/3B5oRtHe8iG9/BPmy:3Roa/hK7X82BblY/T/2J5oRDN9JuftOB
Malware Config
Extracted
nanocore
1.2.2.0
swizz666.ddns.net:4141
127.0.0.1:4141
9e2d87fd-dfa6-4561-95f1-b9bc43662991
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
37.235.1.177
-
buffer_size
65535
-
build_time
2019-10-18T17:09:04.973830336Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4141
-
default_group
LORDLORD
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
9e2d87fd-dfa6-4561-95f1-b9bc43662991
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
swizz666.ddns.net
-
primary_dns_server
37.235.1.174
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Unexpected DNS network traffic destination 10 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE5294_EXPO_SCAN DOC_PDF.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
224KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
40KB