Overview

overview

10

Static

static

3

Launcher.exe

windows7-x64

10

Launcher.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2024 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Launcher.exe

  • Size

    37.9MB

  • MD5

    2879823979f8b16f80483eb80f38dcaa

  • SHA1

    83846ac4df07519a2fab9952d43ee9be2fdb5794

  • SHA256

    15455df49778d6e1154d788f37171e2e73abc52db4c0b78cde050ad054a23bf7

  • SHA512

    3470ac73d739c805d52ed452bc463f92977d8b606fd4f83e0aab9546e01d55bac27e9faffb20d3f617b6f48476296588e354453d74a32459225c22d716a205b2

  • SSDEEP

    786432:YRrD3/04fhQJc9LUwSwLzL60o48fyEodlWPy1WGTO7icRS7:YRrT04yJzwR60v8fyEoqPyjt

Score
10/10
nanocorediscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ahmedyassin.ddns.net:1604

103.202.55.183:1604
Mutex

9c669e26-1992-4407-bd85-303bd39cba2d

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    103.202.55.183

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-07-17T23:25:55.093433736Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1604

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    9c669e26-1992-4407-bd85-303bd39cba2d

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    ahmedyassin.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Nanocore family
    nanocore
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\ProgramData\app.exe
      "C:\ProgramData\app.exe"
      2⤵
      • Executes dropped EXE
      PID:2340
    • C:\ProgramData\App2.exe
      "C:\ProgramData\App2.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\App2.exe
    Filesize

    202KB

    MD5

    73f5733f76ac052b15335c1cd985f73f

    SHA1

    8c4be16301b9da6caa774f800104adf5731b55a4

    SHA256

    9cf5e2e0f424e7d3b206b17c262a538b29776c34b3fe11fa38222ce8cf7eaff3

    SHA512

    7acda28d83caf6f27535c0e5e465b6219ba178ad673b0e4af517894c537dd50b7f16d3e83b3ddb7c8c268835eb9fd962902b38e51083a35d0c778aa1600349f5

    Download Submit

  • C:\ProgramData\app.exe
    Filesize

    37.7MB

    MD5

    2b4e3d8483a38b3edb8c5fb6c4ae2377

    SHA1

    97b61d68ecb640b9c80417b6c5ee3940c1d4807f

    SHA256

    0bb4106d06534f26e4b1b74627129c7b614339cc9b0eb948200ae739f38321cb

    SHA512

    737deffa13732a97baa95809b3aa226580c21ad7ceb17ed245244ff7cda0db0e1f0a01a5a9966ea9867b3ef4c6c234b3be76bc90f5bb78c454dc458ced158ba0

    Download Submit

  • memory/2736-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-1-0x0000000000A40000-0x0000000003036000-memory.dmp

    Filesize

    38.0MB

    Download