Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
28/03/2025, 12:49
General
-
Target
Trisinuated.exe
-
Size
915KB
-
MD5
cee57b8b0cea61718f31edbb78e4cf9b
-
SHA1
9192d57da663cd8dc472963547126d92661b9470
-
SHA256
01b878cd44f69305765044518167ec69f6307895b4a410c11e6af7013c0142e6
-
SHA512
0afdd04fed237868a76bd0ddc12f4b44fd34778d83f94658d7a6c49ef864d67595972483c6c8991eb51969a60fef9b166d65fba1f55663c3f2f389fc106e8fd5
-
SSDEEP
24576:TG+bOPYKWw9ID1zCSlplMDisLI37SK/cksH6aR:aVCwi1Go6DidrZkksHb
Malware Config
Extracted
nanocore
1.2.2.0
matic2230.duckdns.org:54385
matic2230.ddnsfree.com:54385
5c7e0b9f-f6ea-4396-8dae-43ab0c6b4e6e
-
activate_away_mode
false
-
backup_connection_host
matic2230.ddnsfree.com
- backup_dns_server
-
buffer_size
65538
-
build_time
2025-01-05T23:34:02.856802636Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54385
-
default_group
MATIC
-
enable_debug_mode
true
-
gc_threshold
1.0485772e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.0485772e+07
-
mutex
5c7e0b9f-f6ea-4396-8dae-43ab0c6b4e6e
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
matic2230.duckdns.org
- primary_dns_server
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
false
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8009
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Blocklisted process makes network request 11 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Trisinuated.exe"C:\Users\Admin\AppData\Local\Temp\Trisinuated.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle 1 "$Outflung=GC -raw 'C:\Users\Admin\AppData\Local\paraded\Boltr.Exc';$Forpulet=$Outflung.SubString(50153,3);.$Forpulet($Outflung)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Adds Run key to start application
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF405.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF463.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Program Files (x86)\SMTP Subsystem\smtpss.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD577683897ef243c9e0d03d51f65501514
SHA10f0be106af8dbeb708a01116af6161a51d48857c
SHA25633e541c2e3be2d0a74f2460d1de4913ee636f0838413cde7e3c1b99880584b31
SHA5129ea49d3b0a0d719012a9fc6bd4bcd048f3482e16caf99ae971b42f8bf82a4114f11e64bc7b0966a2473a444016fb27cc6e6c7cb0470cde1d15a6a97cdf050fe6
-
Filesize
1KB
MD50339b45ef206f4becc88be0d65e24b9e
SHA16503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA2563d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551
-
Filesize
49KB
MD5758fcebca9c76199ceb2bee26486ec96
SHA192fc783b6eb8d9fe272d07d8a088bc7cb373bb06
SHA256ea165a5dc77d79cecac4a203298889d0212be6e912fad514e0c39615d3c1d012
SHA512ebe002bb3f6830d56ca9170de5ae4989d118a5315c1fab0e6fc721f094df4b9317217cd80d86e540d71cad88f8de03bf5fc000ce73bdf9bf32b10379585b3c23
-
Filesize
395KB
MD5ddac47e3ae0bb1ba79535f1b0c873c43
SHA1a5d912a1cbab76d442c14829becee11e854c6e33
SHA256f941eebeffa6ac602ba6c3fd5ba284edf2d51a408712e4df0cb19a8f2c11e385
SHA512c81dc4116f81307576981f0f03b83c05be8b1fc937f6458c0c51de24de4a37a66ed32692537b863d09dafbd2a2c147a949406fad1bfb834c3051b2293cfbb853
-
Filesize
48KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
232KB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
40.7MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB