Overview

overview

10

Static

static

3

Quotation_...33.exe

windows7-x64

10

Quotation_...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation_Request_Sheet_0089600090944833933.exe

  • Size

    437KB

  • MD5

    700cedae278fb3092153285d13bafbfe

  • SHA1

    8e291c02383b22a4baa40fe09fa9bccc8a21b689

  • SHA256

    8397aac7952f0432c2aff655eb67d09f849e41389f00a663d6e8cb681f21c2dd

  • SHA512

    99671a59e3a45b81a0ee557adb97360e02f51eb1c8d9830e4e16fe7a0c7cd171249d21c87777e215a5cdd6f4b3a8f3c1f864cbb1a209c55068774206b1604de3

  • SSDEEP

    6144:n1UuE2wWm+f6hmQPUDQcFBZUKi1+OO7x3t0omda:4o1QmUB10x3ON

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.125.205.71:6789

omada1.ddns.net:6789
Mutex

1e6a039e-ec2c-48e8-b50f-442df5e4a007

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    omada1.ddns.net

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-04-28T10:38:03.742178936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    6789

  • default_group

    15 star

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    1e6a039e-ec2c-48e8-b50f-442df5e4a007

  • mutex_timeout

    5000

  • prevent_system_sleep

    true

  • primary_connection_host

    185.125.205.71

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Drops startup file 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp" "c:\Users\Admin\AppData\Local\Temp\m1sgfq54\CSC7786421CE6DD4D13BBBAE94F74E7AED3.TMP"
        3⤵
          PID:2240
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
        2⤵
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4664

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp
      Filesize

      1KB

      MD5

      6a7ede554626bc89b5449aea51ac30a2

      SHA1

      15448cad99e9d3ac8c6dee6d20c80035ea47643d

      SHA256

      573c567345a69b8aea7bcfe6bf6466ccf34f598d985ee7649c61f243fce9c25d

      SHA512

      7bfb63794f8212b9ee74e9bf71b3775e0f9c7e3cad82213333ac2710c596cd0ee3d5a7aae6cfc9375a1de0299d70442cdddd4e9efbc92702ebdea4f59bd9476a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.dll
      Filesize

      9KB

      MD5

      c071d4f6e54067ca5fd0020323ed4e55

      SHA1

      257c16016ced36a5169fee3b4b1d554f5eabcae5

      SHA256

      fb1f63a2d6fcc00fb16978330432f6ca8095db3edf2951a911a2bb4f9023a3e5

      SHA512

      4058ff041cf50d009b3763839c667cd311defc2b853513c58c4af21a031e273433d038d53994a87bd2255ac395d3be7f4dba1edb1cfd8504ac6c8766df8a12ca

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.pdb
      Filesize

      29KB

      MD5

      b4e5767686085c3af5669990e031eb84

      SHA1

      9008cb404353f92ceee308312474d8f13bec8ced

      SHA256

      6a56011e3d499f0f9fa9023f41ff49bc9e4894437eb7ab5311d08077573106a8

      SHA512

      f1c419fb91ac51c52f0e5fc1d6133fd8814716b45ceffc1b925601536b37fdd20333c4318d7fc61cf8a4c477f61447ba0e708af38ac2838521618ac40339f243

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\CSC7786421CE6DD4D13BBBAE94F74E7AED3.TMP
      Filesize

      1KB

      MD5

      6e9e83ab90a3d2ba703b2d7ebff38aab

      SHA1

      835e39cdb3812b5e36764d9885c2dfe59e2e1224

      SHA256

      6ac75578afca75f1cd097f3f3e6d96c121b37a5bd008239f1c472019522a9b0d

      SHA512

      7352fab09f2ab5ce091134ef56f57e26cf0a7a8f96ff2ad80fb84bf2326e3a372ac012daa452a07e99a0f780cc9eee2756194e8cff1d2edc0831e3eace6fadbc

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.0.cs
      Filesize

      10KB

      MD5

      4801a7d3498045d0e79c845b4750557d

      SHA1

      479bae8d7b735b8d24225d173bdbf47b940e4da0

      SHA256

      e724633ba5babd87fd8d3a24cca85f213e0c8827ddc44aba0e470d42ae3f5e31

      SHA512

      4f0aa3c16cf13ab8c071dd5bc2176861216ba51cebe9bf6f4bd94ca23af7c1e629238afc829cecd493ae02a06b3e1213edefc78c42a4941be9958feb10db7e36

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.cmdline
      Filesize

      312B

      MD5

      948abdf6f2a35c87d3a1fea5b11c83c6

      SHA1

      fbf47c5c95119c6dc1d18b007f00e68066a46f8f

      SHA256

      f86c2e237248a04015180ff38e8a3a03e002b7ab1179ff32def1839b9c424847

      SHA512

      9dca84a65ada7add43fbbe66f8f0dff9f7f2570b526f6594d25888073b560a4977c2736b115bac3c39cf6411d74cbcfc9fca0d39d2be3980f186ed9a996ac412

      Download Submit
    • memory/2788-19-0x00000000058A0000-0x0000000005932000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2788-24-0x0000000005DF0000-0x0000000005E28000-memory.dmp
      Filesize

      224KB

      Download
    • memory/2788-1-0x0000000000E30000-0x0000000000EA4000-memory.dmp
      Filesize

      464KB

      Download
    • memory/2788-17-0x0000000005770000-0x0000000005778000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2788-0-0x000000007492E000-0x000000007492F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2788-20-0x0000000005D80000-0x0000000005DC2000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2788-21-0x0000000005DD0000-0x0000000005DDC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2788-5-0x0000000074920000-0x00000000750D0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2788-25-0x0000000005ED0000-0x0000000005F6C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2788-28-0x0000000074920000-0x00000000750D0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4664-26-0x0000000000400000-0x0000000000438000-memory.dmp
      Filesize

      224KB

      Download
    • memory/4664-29-0x0000000074B12000-0x0000000074B13000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4664-30-0x0000000074B10000-0x00000000750C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4664-31-0x0000000074B10000-0x00000000750C1000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/4664-33-0x0000000074B12000-0x0000000074B13000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4664-34-0x0000000074B10000-0x00000000750C1000-memory.dmp
      Filesize

      5.7MB

      Download