Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/09/2024, 01:19 UTC

General

  • Target

    4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe

  • Size

    629KB

  • MD5

    280baa14b25c23e63122a4028928dff0

  • SHA1

    8070c5e450768312a50c64be6edc386b009bea77

  • SHA256

    4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226

  • SHA512

    26b96a7b246c3abaa02a989ea1e90a9ede181133f8a1e1b9605b3812f1505527d4164e14c169c73773e5872881bfa512793cffb381110c4a3b4f160e307f0f6f

  • SSDEEP

    12288:6dbG8Q1q8vDd/e6REdJqTu5XWN62tlN3d8SPzG2gvXqQ4tqXZUwxTJ:n8C7pecAMC5XKvNt8S7Nsy4FlJ

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

pnauco5.ddns.net:1664

Mutex

cde38e58-d99c-4068-b775-59569bc2e8ce

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    pnauco5.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-07-03T06:48:27.569053036Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data


  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1664

  • default_group

    NEW

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    cde38e58-d99c-4068-b775-59569bc2e8ce

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    pnauco5.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
    "C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
      "C:\Users\Admin\AppData\Local\Temp\4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "IMAP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4328.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2808
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "IMAP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp43D5.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2656

Network

  • DNS
    pnauco5.ddns.net
    4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
    Remote address:
    8.8.8.8:53
    Request
    pnauco5.ddns.net
    IN A
    Response
    pnauco5.ddns.net
    IN A
    103.207.37.72
  • 103.207.37.72:1664
    pnauco5.ddns.net
    4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
    15.6kB
    391.3kB
    285
    395
  • 8.8.8.8:53
    pnauco5.ddns.net
    dns
    4a842606d80e5bc30a9817fc11877889b24e3daccc2ba7ea0711d5c259e70226.exe
    62 B
    78 B
    1
    1

    DNS Request

    pnauco5.ddns.net

    DNS Response

    103.207.37.72

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4328.tmp

    Filesize

    1KB

    MD5

    1ba3298e956e427c9e9e4bd39f6a4769

    SHA1

    29d0b963437e7c25ca335515dc23b8851b62bada

    SHA256

    ef5aaf504b9f3d6bfb28c79e91dec9f212a47971f28a269870c50590a32f00ab

    SHA512

    aa915d74ba0ede9d1c71dc2ae48ac4ea8b29f749b3e484554feb6c37e9481963f55905a15d05e75cb45a9e7889051121edaaa77bcee106160cb82e4619294d08

  • C:\Users\Admin\AppData\Local\Temp\tmp43D5.tmp

    Filesize

    1KB

    MD5

    d2d6911d94b06e405e7687a2437eafec

    SHA1

    9f28f9e7d8d5179d44ddaa6ca266984ed7521dea

    SHA256

    2dc87169ad53fbdd7abb08f49777cb8fb05adbff4e6f6616b4c89942af8cad0f

    SHA512

    b5983de701ff98e944283a25f1770c1e792d52148dc1671f1d19203f8b9d10b056abcf79a17ca536a5f88ccf52f6445d8f3e75fce628666640ad8bad697dcfd1

  • memory/2332-15-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2332-39-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

    Filesize

    48KB

  • memory/2332-49-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2332-47-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2332-46-0x0000000001240000-0x0000000001254000-memory.dmp

    Filesize

    80KB

  • memory/2332-18-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2332-17-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2332-45-0x0000000001210000-0x000000000123E000-memory.dmp

    Filesize

    184KB

  • memory/2332-13-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2332-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2332-10-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2332-9-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2332-8-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2332-7-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2332-44-0x00000000011B0000-0x00000000011BE000-memory.dmp

    Filesize

    56KB

  • memory/2332-20-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2332-43-0x0000000000FA0000-0x0000000000FB4000-memory.dmp

    Filesize

    80KB

  • memory/2332-42-0x0000000000F90000-0x0000000000FA0000-memory.dmp

    Filesize

    64KB

  • memory/2332-30-0x0000000000480000-0x000000000048A000-memory.dmp

    Filesize

    40KB

  • memory/2332-31-0x0000000000490000-0x00000000004AE000-memory.dmp

    Filesize

    120KB

  • memory/2332-32-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

  • memory/2332-35-0x0000000000660000-0x0000000000672000-memory.dmp

    Filesize

    72KB

  • memory/2332-36-0x0000000000670000-0x000000000068A000-memory.dmp

    Filesize

    104KB

  • memory/2332-37-0x0000000000C30000-0x0000000000C3E000-memory.dmp

    Filesize

    56KB

  • memory/2332-38-0x0000000000C90000-0x0000000000CA2000-memory.dmp

    Filesize

    72KB

  • memory/2332-41-0x0000000000F80000-0x0000000000F94000-memory.dmp

    Filesize

    80KB

  • memory/2332-40-0x0000000000D70000-0x0000000000D7E000-memory.dmp

    Filesize

    56KB

  • memory/2516-2-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-1-0x0000000001260000-0x0000000001304000-memory.dmp

    Filesize

    656KB

  • memory/2516-3-0x0000000000530000-0x0000000000542000-memory.dmp

    Filesize

    72KB

  • memory/2516-19-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-0-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

    Filesize

    4KB

  • memory/2516-6-0x0000000004A30000-0x0000000004AAA000-memory.dmp

    Filesize

    488KB

  • memory/2516-5-0x0000000073F20000-0x000000007460E000-memory.dmp

    Filesize

    6.9MB

  • memory/2516-4-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

    Filesize

    4KB