Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/09/2024, 03:53 UTC

General

  • Target

    fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe

  • Size

    282KB

  • MD5

    52d0c236a13464ea6f28e0bf9989a159

  • SHA1

    8c3d0ce7e30c8f85521e2ede54150ff06e3e84ae

  • SHA256

    fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad

  • SHA512

    3a395f6e738b1fa7348db8e4d375adf242454602f59250fda3f19440647561283f97ece1d9b6cb38398f9b184e7700cb8ef19d7ea39ac2f75f4ad474a132cbc5

  • SSDEEP

    6144:boy5p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ66fKkf1Q:boSeGUA5YZazpXUmZhZ6S3

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-04-24T17:41:53.492468936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    45400

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ae82ab7f-db07-49ee-9d2b-76075d76f37f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sysupdate24.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a commodity remote access trojan (RAT) whose builder lets the operator toggle persistence, UAC bypass, keylogging and similar features per build; the extracted config above records which of those options this sample was built with (run_on_startup, bypass_user_account_control and set_critical_process enabled, keyboard_logging disabled).

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe
    "C:\Users\Admin\AppData\Local\Temp\fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:3012

Network

  • DNS (remote address flagged US)
    Process: a1punf5t2of.exe
    Remote address: 8.8.8.8:53
    Request: sysupdate24.ddns.net IN A
    Response: sysupdate24.ddns.net IN A 0.0.0.0
    Traffic: 66 B / 82 B, 1 request / 1 response

    The only network activity captured is this single A-record lookup by the dropped copy. The dynamic-DNS name answered 0.0.0.0, so no TCP session to the configured port 45400 was observed within the 118 s network window; the file hashes, mutex and configuration above are the usable indicators from this run, and the domain is worth tracking until it resolves to a routable address.
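The extracted config, the process tree and the DNS record above are enough to put a first hunt together. The following is an added example written for this page; it is not part of the tria.ge report and not NanoCore's or tria.ge's code. It lifts the C2 host, port and mutex from the config, encodes the dropped-copy path shape and the self-spawn seen between PIDs 2712 and 3012, and runs those rules over a handful of constructed, Sysmon-style events. The event schema, the Run-key data, the mutex event, the connect to a TEST-NET-3 address and the two benign entries are assumptions added for illustration; what the report actually shows is a DNS answer of 0.0.0.0 and no C2 session.

```python
import re

# Indicators transcribed from the "Malware Config" section of this report.
NANOCORE_CONFIG = {
    "family": "nanocore",
    "version": "1.2.2.0",
    "primary_connection_host": "sysupdate24.ddns.net",
    "backup_connection_host": "",  # empty in the extracted config
    "connection_port": 45400,
    "mutex": "ae82ab7f-db07-49ee-9d2b-76075d76f37f",
}

# Shape of the dropped copy in the process tree: %APPDATA%\<random>\<random>.exe
DROPPED_EXE_RE = re.compile(
    r"\\AppData\\Roaming\\[a-z0-9]{8,16}\\[a-z0-9]{8,16}\.exe$", re.IGNORECASE
)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE
)


def indicators_from_config(cfg):
    """Collapse a NanoCore config dict into the fields worth hunting on."""
    hosts = {
        cfg[k].lower()
        for k in ("primary_connection_host", "backup_connection_host")
        if cfg.get(k)
    }
    ports = {int(cfg["connection_port"])} if cfg.get("connection_port") else set()
    mutexes = {cfg["mutex"].lower()} if cfg.get("mutex") else set()
    return {"c2_hosts": hosts, "c2_ports": ports, "mutexes": mutexes}


def match_event(ev, ind):
    """Return the rule names one telemetry event triggers (empty list if none)."""
    hits = []
    kind = ev["type"]
    if kind == "process_create":
        image, parent = ev["image"], ev["parent_image"]
        if DROPPED_EXE_RE.search(image):
            hits.append("dropped_exe_in_appdata")
        # A binary re-launching its own image is the 2712 -> 3012 step above.
        # Weak alone (updaters do it too); the SetThreadContext and
        # WriteProcessMemory signatures on that pair are what make it look
        # like hollowing, so join on those where your telemetry has them.
        if image.lower() == parent.lower():
            hits.append("self_spawn_same_image")
    elif kind == "registry_set":
        if RUN_KEY_RE.search(ev["key"]) and DROPPED_EXE_RE.search(ev["data"]):
            hits.append("run_key_to_appdata_exe")
    elif kind == "dns_query":
        if ev["query"].lower() in ind["c2_hosts"]:
            hits.append("c2_domain_lookup")
        if ev.get("answer") == "0.0.0.0":
            hits.append("null_answer")  # exactly what the sandbox run received
    elif kind == "network_connect":
        if ev.get("dst_host", "").lower() in ind["c2_hosts"]:
            hits.append("c2_connect")
        elif ev["dst_port"] in ind["c2_ports"]:
            hits.append("c2_port_only")  # weak: 45400 is just this build's choice
    elif kind == "mutex_create":
        if ev["name"].lower() in ind["mutexes"]:
            hits.append("nanocore_mutex")
    return hits


def hunt(events, cfg=NANOCORE_CONFIG):
    """Run every event through the rules; returns sorted (pid, rule) pairs."""
    ind = indicators_from_config(cfg)
    return sorted({(ev["pid"], r) for ev in events for r in match_event(ev, ind)})


# Constructed events modelled on this report's process tree and DNS record; the
# Run-key data, mutex, TEST-NET-3 connect and benign entries are assumptions.
PARENT = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\fca06d8a111b6799913d2487f47cbf45cb5f4f89d78165d8621986c563ea0fad.exe"
)
DROPPED = r"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2228, "image": PARENT,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "registry_set", "pid": 2228,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "data": DROPPED},
    {"type": "process_create", "pid": 2712, "image": DROPPED, "parent_image": PARENT},
    {"type": "process_create", "pid": 3012, "image": DROPPED, "parent_image": DROPPED},
    {"type": "dns_query", "pid": 2712, "query": "sysupdate24.ddns.net", "answer": "0.0.0.0"},
    {"type": "mutex_create", "pid": 3012, "name": "ae82ab7f-db07-49ee-9d2b-76075d76f37f"},
    {"type": "network_connect", "pid": 3012, "dst_host": "sysupdate24.ddns.net",
     "dst_ip": "203.0.113.10", "dst_port": 45400},
    {"type": "dns_query", "pid": 1200, "query": "www.example.com", "answer": "198.51.100.7"},
    {"type": "process_create", "pid": 1300, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The rules are deliberately split by strength: the mutex GUID, the C2 hostname and the AppData drop path are specific to this family or build, while the same-image self-spawn and a bare port match fire on legitimate software and only earn their keep when correlated with the injection signatures the report lists for PIDs 2712 and 3012.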

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

    Filesize

    282KB

    MD5

    3b78529d4fce1ff8acb002c1a18fcda4

    SHA1

    9044c7e2aee4f5b70a387389b4a7cad983d6b385

    SHA256

    55667f6ea0e0ec002ded4ba9e2b3c85dd75629c65656bc38d4f36224cfccdf2d

    SHA512

    da4e39db6410636eef9ca083f4c3be5a753e562b82d629fcaac4d9133b2bed7b3ff919f0e41f6751d817cf67a2d4b75d49136835d801c3fd57b58437ea4edcb0

  • Memory dumps (named memory/<pid>-<index>-<start>-<end>-memory.dmp), grouped by process:

    memory/2228
      0x0000000074F51000-0x0000000074F52000 (4KB): dump 0
      0x0000000074F50000-0x00000000754FB000 (5.7MB): dumps 1, 2, 3, 4, 5, 14

    memory/2712
      0x0000000074F50000-0x00000000754FB000 (5.7MB): dumps 15, 16, 17, 18, 19, 20, 37

    memory/3012
      0x0000000000400000-0x0000000000438000 (224KB): dumps 22, 23, 24, 26, 28, 34, 35
      0x000000007EFDE000-0x000000007EFDF000 (4KB): dump 29
