Resubmissions

26/09/2024, 23:25 UTC

240926-3ee1jswend 10

26/09/2024, 22:37 UTC

240926-2j6tdsvakb 10

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/09/2024, 22:37 UTC

General

  • Target

    5662fcdd92b61586c76444eff1eb05941748fc399e2b2dd2daf35f1a8e47217d.exe

  • Size

    413KB

  • MD5

    0f7528228f5f1f403241747bd489b283

  • SHA1

    d5448b701a5350e87f9c2e2e3a142af4e85c307b

  • SHA256

    5662fcdd92b61586c76444eff1eb05941748fc399e2b2dd2daf35f1a8e47217d

  • SHA512

    a010752dd12a3af64475e08235c49ec9db433da0fbbb61429e5da45a4582458a070160011063de565b4788cac52032c3e507eee3757774021972d1ca40c2d8a8

  • SSDEEP

    6144:ITNE3ZRrnaBVlvphVxmP+6CiejgcME1cwYfU+va+RUm:ITNYrnE3bm/CiejewY5vl

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

asporturizm@ddns.net:46218

178.32.224.116:46218

Mutex

4af74541-e3f1-469c-8af7-efe4071b81cf

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    178.32.224.116

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2018-07-28T12:59:38.488799236Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    46218

  • default_group

    tourex

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    4af74541-e3f1-469c-8af7-efe4071b81cf

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    asporturizm@ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5662fcdd92b61586c76444eff1eb05941748fc399e2b2dd2daf35f1a8e47217d.exe
    "C:\Users\Admin\AppData\Local\Temp\5662fcdd92b61586c76444eff1eb05941748fc399e2b2dd2daf35f1a8e47217d.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
      "C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4648
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        3⤵
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:744
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:8
    1⤵
      PID:5116

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      67.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      67.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.210.23.2.in-addr.arpa
      IN PTR
      Response
      88.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-88.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      30.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      30.243.111.52.in-addr.arpa
      IN PTR
      Response
    • 178.32.224.116:46218
      regasm.exe
      208 B
      4
    • 178.32.224.116:46218
      regasm.exe
      208 B
      4
    • 178.32.224.116:46218
      regasm.exe
      208 B
      4
    • 178.32.224.116:46218
      regasm.exe
      208 B
      4
    • 178.32.224.116:46218
      regasm.exe
      208 B
      4
    • 178.32.224.116:46218
      regasm.exe
      208 B
      4
    • 178.32.224.116:46218
      regasm.exe
      208 B
      4
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      88.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      88.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      67.31.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      67.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      30.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      30.243.111.52.in-addr.arpa

    Downloads

    • C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

      Filesize

      413KB

      MD5

      d6677c77ab83fbf47d17d0229bcb894e

      SHA1

      a3466ddef1cb873edf00d45cacb0861a2d971607

      SHA256

      b7724cdefcab13219a639c748d043a51691d84138e5daafa9de4e9c52aee63bc

      SHA512

      2e32bb700332d3350252c5b58541c32600fc98abd94dd4f7f6c2950b4a0c87f560e71c7cab5acc6b032886f3dc670e473862160217dbcc843e1e3eed9532b6bf

    • memory/744-24-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/744-36-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB

    • memory/744-32-0x0000000005F50000-0x0000000005F5A000-memory.dmp

      Filesize

      40KB

    • memory/744-31-0x0000000005440000-0x000000000545E000-memory.dmp

      Filesize

      120KB

    • memory/744-30-0x00000000050C0000-0x00000000050CA000-memory.dmp

      Filesize

      40KB

    • memory/744-28-0x00000000050E0000-0x000000000517C000-memory.dmp

      Filesize

      624KB

    • memory/744-27-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB

    • memory/744-23-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/744-25-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

    • memory/1808-5-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB

    • memory/1808-20-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB

    • memory/1808-6-0x0000000005370000-0x00000000053AC000-memory.dmp

      Filesize

      240KB

    • memory/1808-0-0x000000007450E000-0x000000007450F000-memory.dmp

      Filesize

      4KB

    • memory/1808-4-0x00000000050B0000-0x00000000050BA000-memory.dmp

      Filesize

      40KB

    • memory/1808-3-0x0000000005100000-0x0000000005192000-memory.dmp

      Filesize

      584KB

    • memory/1808-2-0x00000000056B0000-0x0000000005C54000-memory.dmp

      Filesize

      5.6MB

    • memory/1808-1-0x0000000000650000-0x00000000006BE000-memory.dmp

      Filesize

      440KB

    • memory/4648-22-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB

    • memory/4648-21-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB

    • memory/4648-33-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB

    • memory/4648-35-0x0000000074500000-0x0000000074CB0000-memory.dmp

      Filesize

      7.7MB
