Overview

overview

10

Static

static

10

15a83de318...fa.exe

windows7-x64

6

15a83de318...fa.exe

windows10-2004-x64

6

304f9bc7de...1b.exe

windows7-x64

10

304f9bc7de...1b.exe

windows10-2004-x64

10

43087ea949...eb.exe

windows7-x64

10

43087ea949...eb.exe

windows10-2004-x64

10

61bb2c746d...fd.exe

windows7-x64

10

61bb2c746d...fd.exe

windows10-2004-x64

10

78ae7a93d9...b6.exe

windows7-x64

10

78ae7a93d9...b6.exe

windows10-2004-x64

10

878487e25e...53.exe

windows7-x64

10

878487e25e...53.exe

windows10-2004-x64

10

922135a10e...54.exe

windows7-x64

10

922135a10e...54.exe

windows10-2004-x64

10

98e12d1098...ad.exe

windows7-x64

10

98e12d1098...ad.exe

windows10-2004-x64

10

b67bc3d957...8f.exe

windows7-x64

8

b67bc3d957...8f.exe

windows10-2004-x64

8

Resubmissions

07-11-2024 16:29

241107-tzeqvawbpe 10

07-11-2024 06:54

241107-hpd6sazqap 10

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe

  • Size

    203KB

  • MD5

    76b5931a8eab2e7e98023a43c489bbbf

  • SHA1

    033e6f5547c62a8650f449fc5b0034424f9b5f85

  • SHA256

    304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b

  • SHA512

    533f26e6379f35bf8aae578461b538ae891d9c00386476dab2235fc965655b35f0ca5433cd5c9c5c106b66369ef37c9e76c091e9635aad9dc2ca57af033344b1

  • SSDEEP

    3072:szEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIGXzDtCihaFue8Y1WRFj7KV7i:sLV6Bta6dtJmakIM5/NC5x8Y167Y7i

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Unexpected DNS network traffic destination 12 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe
    "C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe"
    1⤵
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3280
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDA25.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp
    Filesize

    1KB

    MD5

    f8d94348e9e0b4a67b3be7e5c3e4924f

    SHA1

    b70034fe263152e267998fbed76c06a7e0daf83e

    SHA256

    8049a27b744d605b123011957117d752424135d35e8e3340d2b9b05164fb73f8

    SHA512

    78e9c58bab031123f54057d0bbd9c7dccf8da6e84bd9e32d6b4b0ecbd7737899a4f7a6f27999e38cdfc17b8c26c2ffad2dfde73b72cd38893ceddf7aad287b88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDA25.tmp
    Filesize

    1KB

    MD5

    6b30dba7972c92c9a1b881e88c108b15

    SHA1

    f76207985cc5a1f70edb2fb5bd45678f195a4564

    SHA256

    578f5b0ff051f02f8e0a67fc3424dad554fa9489875475ea624fbb63eabfcbf7

    SHA512

    e3dd368937f863cb07453de12173580fb63b8d3983db7119c24860f227c89ded76401c47607f5b1134d215d46fe2b40d4bc3d7299374f1e8abecdeaefc7b9099

    Download Submit

  • memory/4396-0-0x00000000754B2000-0x00000000754B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4396-1-0x00000000754B0000-0x0000000075A61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4396-2-0x00000000754B0000-0x0000000075A61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4396-10-0x00000000754B0000-0x0000000075A61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4396-11-0x00000000754B2000-0x00000000754B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4396-12-0x00000000754B0000-0x0000000075A61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4396-13-0x00000000754B0000-0x0000000075A61000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4396-14-0x00000000754B0000-0x0000000075A61000-memory.dmp

    Filesize

    5.7MB

    Download