Analysis Report Doc_0309_7302020.exe

Overview

General Information

Sample Name:Doc_0309_7302020.exe
Analysis ID:253907
MD5:0e09d45bb1eff84ca0fa83200874e0d9
SHA1:f3e6785264c175f0e107084fde4aa52e3a564f06
SHA256:3bcbadf163bd228438e9094d4be5b79639e501e55bcff4c879ec8fe4ccb71703

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Keylogger Generic
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • Doc_0309_7302020.exe (PID: 7096 cmdline: 'C:\Users\user\Desktop\Doc_0309_7302020.exe' MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
    • Doc_0309_7302020.exe (PID: 7116 cmdline: 'C:\Users\user\Desktop\Doc_0309_7302020.exe' MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
      • schtasks.exe (PID: 4036 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA32A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6220 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA60A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Doc_0309_7302020.exe (PID: 7124 cmdline: 'C:\Users\user\Desktop\Doc_0309_7302020.exe' 2 7116 6004281 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
  • Doc_0309_7302020.exe (PID: 6388 cmdline: C:\Users\user\Desktop\Doc_0309_7302020.exe 0 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
    • Doc_0309_7302020.exe (PID: 6368 cmdline: C:\Users\user\Desktop\Doc_0309_7302020.exe 0 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
    • Doc_0309_7302020.exe (PID: 4600 cmdline: 'C:\Users\user\Desktop\Doc_0309_7302020.exe' 2 6368 6009375 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
      • Doc_0309_7302020.exe (PID: 5896 cmdline: C:\Users\user\Desktop\Doc_0309_7302020.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
        • Doc_0309_7302020.exe (PID: 6872 cmdline: C:\Users\user\Desktop\Doc_0309_7302020.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
        • Doc_0309_7302020.exe (PID: 6804 cmdline: 'C:\Users\user\Desktop\Doc_0309_7302020.exe' 2 6872 6024937 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
          • Doc_0309_7302020.exe (PID: 4968 cmdline: C:\Users\user\Desktop\Doc_0309_7302020.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
            • Doc_0309_7302020.exe (PID: 1864 cmdline: C:\Users\user\Desktop\Doc_0309_7302020.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
            • Doc_0309_7302020.exe (PID: 6160 cmdline: 'C:\Users\user\Desktop\Doc_0309_7302020.exe' 2 1864 6042031 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
  • dhcpmon.exe (PID: 6396 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
    • dhcpmon.exe (PID: 4564 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
    • dhcpmon.exe (PID: 4428 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 2 4564 6010015 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
      • dhcpmon.exe (PID: 6892 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
        • dhcpmon.exe (PID: 6784 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
        • dhcpmon.exe (PID: 1580 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 2 6784 6027093 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
          • dhcpmon.exe (PID: 2736 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
            • dhcpmon.exe (PID: 6172 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
            • dhcpmon.exe (PID: 6080 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 2 6172 6044812 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
  • dhcpmon.exe (PID: 6428 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
    • dhcpmon.exe (PID: 6584 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
    • dhcpmon.exe (PID: 4228 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 2 6584 6022187 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
      • dhcpmon.exe (PID: 6164 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
        • dhcpmon.exe (PID: 6232 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
        • dhcpmon.exe (PID: 4956 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 2 6232 6035593 MD5: 0E09D45BB1EFF84CA0FA83200874E0D9)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.75"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000008.00000002.1294860939.0000000002797000.00000040.00000001.sdmp
Rule: Nanocore_RAT_Gen_2
Description: Detects the Nanocore RAT
Author: Florian Roth
Strings:
  • 0x101e5:$x1: NanoCore.ClientPluginHost
  • 0x10222:$x2: IClientNetworkHost
  • 0x13d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Source: 00000008.00000002.1294860939.0000000002797000.00000040.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 00000008.00000002.1294860939.0000000002797000.00000040.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0xff4d:$a: NanoCore
  • 0xff5d:$a: NanoCore
  • 0x10191:$a: NanoCore
  • 0x101a5:$a: NanoCore
  • 0x101e5:$a: NanoCore
  • 0xffac:$b: ClientPlugin
  • 0x101ae:$b: ClientPlugin
  • 0x101ee:$b: ClientPlugin
  • 0x100d3:$c: ProjectData
  • 0x10ada:$d: DESCrypto
  • 0x184a6:$e: KeepAlive
  • 0x16494:$g: LogClientMessage
  • 0x1268f:$i: get_Connected
  • 0x10e10:$j: #=q
  • 0x10e40:$j: #=q
  • 0x10e5c:$j: #=q
  • 0x10e8c:$j: #=q
  • 0x10ea8:$j: #=q
  • 0x10ec4:$j: #=q
  • 0x10ef4:$j: #=q
  • 0x10f10:$j: #=q

Source: 0000001D.00000002.1379289331.00000000029E1000.00000004.00000001.sdmp
Rule: JoeSecurity_Nanocore
Description: Yara detected Nanocore RAT
Author: Joe Security

Source: 0000001D.00000002.1379289331.00000000029E1000.00000004.00000001.sdmp
Rule: NanoCore
Description: unknown
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x23ba3:$a: NanoCore
  • 0x23bfc:$a: NanoCore
  • 0x23c39:$a: NanoCore
  • 0x23cb2:$a: NanoCore
  • 0x23c05:$b: ClientPlugin
  • 0x23c42:$b: ClientPlugin
  • 0x24540:$b: ClientPlugin
  • 0x2454d:$b: ClientPlugin
  • 0x1b916:$e: KeepAlive
  • 0x2408d:$g: LogClientMessage
  • 0x2400d:$i: get_Connected
  • 0x15bd5:$j: #=q
  • 0x15c05:$j: #=q
  • 0x15c41:$j: #=q
  • 0x15c69:$j: #=q
  • 0x15c99:$j: #=q
  • 0x15cc9:$j: #=q
  • 0x15cf9:$j: #=q
  • 0x15d29:$j: #=q
  • 0x15d45:$j: #=q
  • 0x15d75:$j: #=q