Analysis

  • max time kernel
    116s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-01-2025 21:29

General

  • Target

    5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe

  • Size

    255KB

  • MD5

    0dc657fa7ab7c78021acf37116d49b90

  • SHA1

    5edb67feea3aa27cd73175fa20d695ea3b15d2d3

  • SHA256

    5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bb

  • SHA512

    0a04711e5d17d274deca03cf0515b608ab157cc9d5f8816becdacb6b50d36ed1790f13a9300d55d7b7bd26ad92d6c17afbff3a1cefefed96690d420a265a8f8c

  • SSDEEP

    6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQSZ:EeGUA5YZazpXUmZhdZ

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-04-24T17:41:53.492468936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    45400

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    ae82ab7f-db07-49ee-9d2b-76075d76f37f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sysupdate24.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe
    "C:\Users\Admin\AppData\Local\Temp\5d5efb8b3e0d0212daab126301baa08836121677cea19be16f2eaf0be48636bbN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
      "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
        "C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2596

Network

  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    181.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    181.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    sysupdate24.ddns.net
    a1punf5t2of.exe
    Remote address:
    8.8.8.8:53
    Request
    sysupdate24.ddns.net
    IN A
    Response
    sysupdate24.ddns.net
    IN A
    0.0.0.0
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    160.50.123.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    160.50.123.104.in-addr.arpa
    IN PTR
    Response
    160.50.123.104.in-addr.arpa
    IN PTR
    a104-123-50-160.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    162.50.123.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    162.50.123.104.in-addr.arpa
    IN PTR
    Response
    162.50.123.104.in-addr.arpa
    IN PTR
    a104-123-50-162.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    155.50.123.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.50.123.104.in-addr.arpa
    IN PTR
    Response
    155.50.123.104.in-addr.arpa
    IN PTR
    a104-123-50-155.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    181.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    181.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    sysupdate24.ddns.net
    dns
    a1punf5t2of.exe
    66 B
    82 B
    1
    1

    DNS Request

    sysupdate24.ddns.net

    DNS Response

    0.0.0.0

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    160.50.123.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    160.50.123.104.in-addr.arpa

  • 8.8.8.8:53
    162.50.123.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    162.50.123.104.in-addr.arpa

  • 8.8.8.8:53
    155.50.123.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    155.50.123.104.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

    Filesize

    255KB

    MD5

    9aeafd75edb6e9a37b42ef1c37c0ecd0

    SHA1

    cccc5a7f8c6cd5e4d4e881828d98c9a0232db48d

    SHA256

    89c9099d335f4a5ca10908fcd781d4bacb9b413f31184bf23cd4fdfc3a358771

    SHA512

    79ee288719864eafe573f445562f5fca6ed0bed655d1df0cef50098f2937d7d4889fa4ffadb8d362a90b5e90d94db76a8ca536aaf4f9adabc9dc74a6939b7389

  • memory/2360-22-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-1-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-2-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-3-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-4-0x0000000074A52000-0x0000000074A53000-memory.dmp

    Filesize

    4KB

  • memory/2360-5-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-6-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-7-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2360-0-0x0000000074A52000-0x0000000074A53000-memory.dmp

    Filesize

    4KB

  • memory/2596-28-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2596-33-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2596-40-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2596-37-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2596-36-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2596-34-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2596-29-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2596-30-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2952-21-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-27-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-24-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-26-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-25-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-39-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB

  • memory/2952-23-0x0000000074A50000-0x0000000075001000-memory.dmp

    Filesize

    5.7MB
