Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
26/03/2025, 14:38
General
-
Target
Sigmanly_87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6.exe
-
Size
10.8MB
-
MD5
f095eb0f4362f8cce158e4c51678323a
-
SHA1
fc173a677bab9675f21fc008b723d1432ffd3207
-
SHA256
87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6
-
SHA512
c5d08b6ec63efcbf71b11025e61985045e541bd908e91e95c9c8638374d0764e3757d9197263f4b8785dab4490682a33020dde5f6547320b832184667acd2737
-
SSDEEP
196608:k4VIJ7hNkHzI2cE++jj0dMfSrPfa7xWRacj2W9wpSDVj6yoO1tdqM9NSQxzaB:k4yJPJ+jPSO9WRauDVj3osR9NSZB
Malware Config
Extracted
nanocore
1.2.2.0
4.tcp.eu.ngrok.io:15992
24d79ee3-5a63-4154-b01d-dcb492d86e40
-
activate_away_mode
true
-
backup_connection_host
4.tcp.eu.ngrok.io
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-12-28T00:32:11.299554136Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
15992
-
default_group
Tisane
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
24d79ee3-5a63-4154-b01d-dcb492d86e40
-
mutex_timeout
5000
-
prevent_system_sleep
false
- primary_connection_host
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
UAC bypass 3 TTPs 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 16 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sigmanly_87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6.exe"C:\Users\Admin\AppData\Local\Temp\Sigmanly_87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\4021\4021.exe"C:\Users\Admin\AppData\Local\Temp\4021\4021.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2103\2103.exe"C:\Users\Admin\AppData\Local\Temp\2103\2103.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3333\3333.exe"C:\Users\Admin\AppData\Local\Temp\3333\3333.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\876\876.exe"C:\Users\Admin\AppData\Local\Temp\876\876.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.0MB
MD5f4d77906eb34614289ea66c9683e96bd
SHA17887c38f6e4c64f09a5c47488f65cc3be07553ee
SHA2567244395aef72261cece9b858266a3751656a01c4fd96f25ea7e4fc6b77aa313a
SHA5121c41bc8ab340b952cc0b9b2d0095b224af6c9caf13c7d796ca285a08513fbfaf105ec3f591e697283420c390a1e0bbf7bb091614a657443245a3f673330970cc
-
Filesize
1.4MB
MD535fd584d7e57ab0bde1537453d6130bb
SHA10c719bec10d0b2e284415db59b3a3a741d8ab476
SHA256bebbaed06e2f55881175eb24a97bc73141ea40382c61930463abde1e94e527ba
SHA51273aeb1c8b2bae5702cca51d0ad8c3c2bad4085faef4b477ca7a16af65ea90bb70b62f04889f3ed3e6d3093357c1bedb4ce65f775b1fc10f9f671ad9e2f85f726
-
Filesize
5.7MB
MD544c78cb29ab3a0f083f5dda87e287b0d
SHA10ed686d3bb5ce3c687589db4dd2efbe55f2c88c2
SHA2560194a7dba29d62fe979b70e944ca6ace74beb02c29aa3217099e6db896c768f8
SHA512df211f4983883f15e3b065513750dd9c9208424b38044918d48d49d1e33c62283bc2f4340611be20554c15dd963c8be5b98f6902710bdb688ce38c3ba684f6e3
-
Filesize
202KB
MD51823024b574fcbed0ffd70e80f4a9831
SHA1d5ce92ca3b6e39b0ab6f6deb8fa860ed0e31db8a
SHA256ef4b4ff5cdcd1f5b95ce9af0b43b34e9584d6d4a1fcff4b5b18619c0e0c2477a
SHA512513088b27f36170be85d1174e956e76da26d721d144322188586eeb2bff965bd43cf4c51d8f0386c15c50670bed3fadd8aeb9989568503309365c4ba077ffe35