Analysis

  • max time kernel
    148s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/11/2024, 05:17 UTC

General

  • Target

    fa2b8905afb96c52f7d359f4a20e8503516c88482a56b846021f43984a9b2c6c.exe

  • Size

    255KB

  • MD5

    0fb3c8c8ccb6c70780c93ba34b634301

  • SHA1

    b1e874ee373732b8d60c8fabaadede58a712bed2

  • SHA256

    fa2b8905afb96c52f7d359f4a20e8503516c88482a56b846021f43984a9b2c6c

  • SHA512

    2961dd26638fe153e8d1a4c99a4443e88b5673bd73c5d918c2749f633070ab8eeb8a63d247e6bd8ad876c5c760acd2863e35fe9fd686c799eff4bdf35cae7aa2

  • SSDEEP

    6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQSd:EeGUA5YZazpXUmZhdd

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-04-24T17:41:53.492468936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    45400

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ae82ab7f-db07-49ee-9d2b-76075d76f37f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sysupdate24.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa2b8905afb96c52f7d359f4a20e8503516c88482a56b846021f43984a9b2c6c.exe
    "C:\Users\Admin\AppData\Local\Temp\fa2b8905afb96c52f7d359f4a20e8503516c88482a56b846021f43984a9b2c6c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4552

Network

  • DNS 133.211.185.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 133.211.185.52.in-addr.arpa IN PTR
    Response:
  • DNS 22.89.16.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 22.89.16.2.in-addr.arpa IN PTR
    Response: 22.89.16.2.in-addr.arpa IN PTR a2-16-89-22.deploy.static.akamaitechnologies.com
  • DNS 0.159.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 0.159.190.20.in-addr.arpa IN PTR
    Response:
  • DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response:
  • DNS 58.55.71.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 58.55.71.13.in-addr.arpa IN PTR
    Response:
  • DNS sysupdate24.ddns.net
    Process: a1punf5t2of.exe
    Remote address: 8.8.8.8:53
    Request: sysupdate24.ddns.net IN A
    Response: sysupdate24.ddns.net IN A 0.0.0.0
  • DNS 56.163.245.4.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 56.163.245.4.in-addr.arpa IN PTR
    Response:
  • DNS 15.164.165.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response:
  • DNS 172.210.232.199.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response:
  • DNS 45.89.16.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 45.89.16.2.in-addr.arpa IN PTR
    Response: 45.89.16.2.in-addr.arpa IN PTR a2-16-89-45.deploy.static.akamaitechnologies.com
  • DNS 14.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 14.227.111.52.in-addr.arpa IN PTR
    Response:
  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    22.89.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    22.89.16.2.in-addr.arpa

  • 8.8.8.8:53
    0.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    0.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    sysupdate24.ddns.net
    dns
    a1punf5t2of.exe
    66 B
    82 B
    1
    1

    DNS Request

    sysupdate24.ddns.net

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    45.89.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    45.89.16.2.in-addr.arpa

  • 8.8.8.8:53
    14.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

    Filesize

    255KB

    MD5

    dc0686f30937ed99382038e165f130dc

    SHA1

    9ba1eeab1722405a4923fa9f3c2f46e7e6bab3b5

    SHA256

    5705611be9940d9c05e0d487e79e2931fff08304aaced6b4888510637cd78875

    SHA512

    14830f9bd06fc087663ba402920232360f84b47b2b00493ae26cee9ac865a596cbd7b55ccd109ef8dc84b9213ba9a5649908d3f57dadfab74289edf969b22d8e

  • memory/4080-21-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4080-1-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4080-2-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4080-3-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4080-4-0x00000000748F2000-0x00000000748F3000-memory.dmp

    Filesize

    4KB

  • memory/4080-5-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4080-6-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4080-7-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4080-0-0x00000000748F2000-0x00000000748F3000-memory.dmp

    Filesize

    4KB

  • memory/4552-28-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/4552-35-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4552-41-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4552-38-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4552-37-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4552-34-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4552-29-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/4552-30-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/4552-33-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-22-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-24-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-27-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-26-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-23-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-40-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB

  • memory/4984-25-0x00000000748F0000-0x0000000074EA1000-memory.dmp

    Filesize

    5.7MB