Analysis

  • max time kernel
    103s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250619-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250619-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2025, 05:28

General

  • Target

    SWQ7109IR32I.exe

  • Size

    1.2MB

  • MD5

    19754a191f2a765e383ceb20d0ebb716

  • SHA1

    89a82cab08ebcda1125f88b1d423d0fa3551588a

  • SHA256

    2009d690b1953fa11543c8b7003cbab8bd1c84c2ff67947f65fb6d321b8b38f7

  • SHA512

    62677c89a8dd573fb0777ecf9a7336b23a32a9078d2e92a03649f74bd983cdf97c36da83a56b91b28b4b409725068db8e81cf0d16048dc19062849507c3dafa5

  • SSDEEP

    24576:d5EmXFtKaL4/oFe5T9yyXYfP1ijXdaVD2Tj6IfDmLrdjk:dPVt/LZeJbInQRaVDAj1f6Lh

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

196.251.83.44:50050

Mutex

0d1adaa2-a2d2-4c3e-856d-ffe49212022e

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    196.251.83.44

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2025-04-05T23:58:57.854206336Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    50050

  • default_group

    throttle

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    0d1adaa2-a2d2-4c3e-856d-ffe49212022e

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    196.251.83.44

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe
    "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:6064
    • C:\Users\Admin\AppData\Local\translucently\schoollike.exe
      "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\SWQ7109IR32I.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:536

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\translucently\schoollike.exe

          Filesize

          1.2MB

          MD5

          19754a191f2a765e383ceb20d0ebb716

          SHA1

          89a82cab08ebcda1125f88b1d423d0fa3551588a

          SHA256

          2009d690b1953fa11543c8b7003cbab8bd1c84c2ff67947f65fb6d321b8b38f7

          SHA512

          62677c89a8dd573fb0777ecf9a7336b23a32a9078d2e92a03649f74bd983cdf97c36da83a56b91b28b4b409725068db8e81cf0d16048dc19062849507c3dafa5

        • memory/536-20-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/536-21-0x00000000015A0000-0x00000000015B0000-memory.dmp

          Filesize

          64KB

        • memory/536-22-0x0000000075442000-0x0000000075444000-memory.dmp

          Filesize

          8KB

        • memory/536-24-0x0000000075440000-0x00000000759F1000-memory.dmp

          Filesize

          5.7MB

        • memory/536-28-0x00000000015A0000-0x00000000015B0000-memory.dmp

          Filesize

          64KB

        • memory/536-29-0x0000000075442000-0x0000000075444000-memory.dmp

          Filesize

          8KB

        • memory/536-30-0x0000000075440000-0x00000000759F1000-memory.dmp

          Filesize

          5.7MB

        • memory/3700-18-0x0000000000AA0000-0x0000000000EA0000-memory.dmp

          Filesize

          4.0MB

        • memory/6064-6-0x00000000017D0000-0x0000000001BD0000-memory.dmp

          Filesize

          4.0MB