Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/03/2025, 14:38

General

  • Target

    Sigmanly_87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6.exe

  • Size

    10.8MB

  • MD5

    f095eb0f4362f8cce158e4c51678323a

  • SHA1

    fc173a677bab9675f21fc008b723d1432ffd3207

  • SHA256

    87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6

  • SHA512

    c5d08b6ec63efcbf71b11025e61985045e541bd908e91e95c9c8638374d0764e3757d9197263f4b8785dab4490682a33020dde5f6547320b832184667acd2737

  • SSDEEP

    196608:k4VIJ7hNkHzI2cE++jj0dMfSrPfa7xWRacj2W9wpSDVj6yoO1tdqM9NSQxzaB:k4yJPJ+jPSO9WRauDVj3osR9NSZB

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • UAC bypass 3 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sigmanly_87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6.exe
    "C:\Users\Admin\AppData\Local\Temp\Sigmanly_87c8ea7512267fb8ac2b2456745d45963f2dc9ab982542655df3ef89e18a84a6.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1344
    • C:\Users\Admin\AppData\Local\Temp\4021\4021.exe
      "C:\Users\Admin\AppData\Local\Temp\4021\4021.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Local\Temp\2103\2103.exe
        "C:\Users\Admin\AppData\Local\Temp\2103\2103.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Users\Admin\AppData\Local\Temp\3333\3333.exe
          "C:\Users\Admin\AppData\Local\Temp\3333\3333.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4080
          • C:\Users\Admin\AppData\Local\Temp\876\876.exe
            "C:\Users\Admin\AppData\Local\Temp\876\876.exe"
            5⤵
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3012

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2103\2103.exe

    Filesize

    3.0MB

    MD5

    f4d77906eb34614289ea66c9683e96bd

    SHA1

    7887c38f6e4c64f09a5c47488f65cc3be07553ee

    SHA256

    7244395aef72261cece9b858266a3751656a01c4fd96f25ea7e4fc6b77aa313a

    SHA512

    1c41bc8ab340b952cc0b9b2d0095b224af6c9caf13c7d796ca285a08513fbfaf105ec3f591e697283420c390a1e0bbf7bb091614a657443245a3f673330970cc

  • C:\Users\Admin\AppData\Local\Temp\3333\3333.exe

    Filesize

    1.4MB

    MD5

    35fd584d7e57ab0bde1537453d6130bb

    SHA1

    0c719bec10d0b2e284415db59b3a3a741d8ab476

    SHA256

    bebbaed06e2f55881175eb24a97bc73141ea40382c61930463abde1e94e527ba

    SHA512

    73aeb1c8b2bae5702cca51d0ad8c3c2bad4085faef4b477ca7a16af65ea90bb70b62f04889f3ed3e6d3093357c1bedb4ce65f775b1fc10f9f671ad9e2f85f726

  • C:\Users\Admin\AppData\Local\Temp\4021\4021.exe

    Filesize

    5.7MB

    MD5

    44c78cb29ab3a0f083f5dda87e287b0d

    SHA1

    0ed686d3bb5ce3c687589db4dd2efbe55f2c88c2

    SHA256

    0194a7dba29d62fe979b70e944ca6ace74beb02c29aa3217099e6db896c768f8

    SHA512

    df211f4983883f15e3b065513750dd9c9208424b38044918d48d49d1e33c62283bc2f4340611be20554c15dd963c8be5b98f6902710bdb688ce38c3ba684f6e3

  • C:\Users\Admin\AppData\Local\Temp\876\876.exe

    Filesize

    202KB

    MD5

    1823024b574fcbed0ffd70e80f4a9831

    SHA1

    d5ce92ca3b6e39b0ab6f6deb8fa860ed0e31db8a

    SHA256

    ef4b4ff5cdcd1f5b95ce9af0b43b34e9584d6d4a1fcff4b5b18619c0e0c2477a

    SHA512

    513088b27f36170be85d1174e956e76da26d721d144322188586eeb2bff965bd43cf4c51d8f0386c15c50670bed3fadd8aeb9989568503309365c4ba077ffe35