Overview

overview

10

Static

static

3

SecuriteIn...59.exe

windows7-x64

10

SecuriteIn...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 11:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.DropperX-gen.14327.24859.exe

  • Size

    720KB

  • MD5

    782965f857a2c2dbc179b7e016386f61

  • SHA1

    3d16a97e2733daa4c2313035e134e763497bb948

  • SHA256

    2634af4fb7d0c056e1f96809592bfcd3ee9f3fedf0ad52f9340b67d3b67d9f0a

  • SHA512

    a1c98f6c20b9b5692069ac79d43ed06481faf963da10ad24b83bf4d76c44db2fca87e5237205be1767b83781ea63e0d8993dfc86bb08743e6756482771e01272

  • SSDEEP

    12288:2lx+dhZfm1NjNJrhCByke+7/wrhQUKLxfguWTe/OSzT7Ad9hg7pzm9owtSE3:w+d/f+Njt+7IrylxfguWTelK39oL

Score
10/10
nanocorediscoveryevasionexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

66.63.187.113:1664

Mutex

a376f716-2f77-4943-a431-3a3bcb53b7c0

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    66.63.187.113

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-08-05T03:49:33.827385136Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1664

  • default_group

    CAT

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    a376f716-2f77-4943-a431-3a3bcb53b7c0

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    66.63.187.113

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.14327.24859.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.14327.24859.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.14327.24859.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1196
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.14327.24859.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.14327.24859.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF462.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:512
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF5CB.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mr4dgk5l.0o3.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF462.tmp
    Filesize

    1KB

    MD5

    9906b2668004a927bad9e50125e75d43

    SHA1

    160ac05daa86ad7b2c9b7b8f8b5697bfe0d439a8

    SHA256

    b1c7c932cde08349b6f242463e49bc2bac287ec15ba87989c4fc8804202edb39

    SHA512

    4843410c8f4db3ff7ef9a416d026b5d22a904562a80de459538deecbcfd60e76eb119c4ee634aaf30b27ce1d07e4749358aef84be27e8f140e14f1995fb3c7a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF5CB.tmp
    Filesize

    1KB

    MD5

    41808f05a9aa523d0ef506d4993f1d6c

    SHA1

    5a228145decf63ebbbd673c9b7c08a86236a22d4

    SHA256

    f76bd5da395a725b5998efab9a5d3160657cf2d44a8be83fa24af6ba29acf731

    SHA512

    7cf71f8fd8dccaa8cf2c724afca3178be8b7a6e0cc6e4b44990e96413bd0dac8248e2bcfa1bb82da05efb6c4b46649722c20ce14cf4a44f1720e18732bd9246e

    Download Submit

  • memory/1196-41-0x0000000005FD0000-0x000000000601C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1196-80-0x00000000070B0000-0x00000000070CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1196-81-0x0000000007090000-0x0000000007098000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1196-79-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1196-78-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1196-77-0x0000000006F70000-0x0000000006F81000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1196-76-0x0000000006FF0000-0x0000000007086000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1196-75-0x0000000006DE0000-0x0000000006DEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1196-74-0x0000000006D70000-0x0000000006D8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1196-73-0x00000000073B0000-0x0000000007A2A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1196-72-0x0000000006C80000-0x0000000006D23000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1196-15-0x0000000004480000-0x00000000044B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1196-16-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1196-17-0x0000000004BF0000-0x0000000005218000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1196-18-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1196-19-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1196-71-0x0000000006020000-0x000000000603E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1196-27-0x0000000005390000-0x00000000053F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1196-28-0x0000000005400000-0x0000000005466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1196-61-0x0000000070730000-0x000000007077C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1196-21-0x0000000004B80000-0x0000000004BA2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1196-36-0x0000000005470000-0x00000000057C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1196-60-0x0000000006C40000-0x0000000006C72000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1196-40-0x0000000005A40000-0x0000000005A5E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1196-84-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1372-3-0x0000000004E50000-0x0000000004EE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1372-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1372-4-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1372-5-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1372-6-0x0000000005150000-0x00000000051EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1372-2-0x0000000005360000-0x0000000005904000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1372-7-0x0000000005100000-0x000000000511C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1372-1-0x0000000000370000-0x000000000042A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1372-8-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1372-9-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1372-10-0x00000000026A0000-0x000000000271A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1372-14-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4200-52-0x0000000007260000-0x000000000726E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4200-55-0x0000000007290000-0x00000000072A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4200-43-0x0000000006890000-0x000000000689A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4200-48-0x0000000007200000-0x0000000007212000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4200-54-0x0000000007280000-0x0000000007290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4200-20-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4200-13-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4200-56-0x00000000072C0000-0x00000000072CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4200-11-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/4200-86-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4200-45-0x0000000006AA0000-0x0000000006AAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4200-51-0x0000000007250000-0x0000000007262000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4200-53-0x0000000007270000-0x0000000007284000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4200-49-0x0000000007210000-0x000000000722A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4200-44-0x0000000006A60000-0x0000000006A7E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4200-50-0x0000000007240000-0x000000000724E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4200-57-0x00000000072D0000-0x00000000072FE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4200-85-0x0000000074AE0000-0x0000000075290000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4200-58-0x0000000007300000-0x0000000007314000-memory.dmp

    Filesize

    80KB

    Download