nanocore | c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7
submitted
30-06-2020 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment notification-pdf.exe
Size

1.0MB
MD5

55f366df0150172ee321229116917ef9
SHA1

7e8c4c56a6055d01e4d96ddedd5aec9241adcaf1
SHA256

c52c1fb415117cce538aa98327a5c9e5adebe60dd26c49dee07d9efcc07a5948
SHA512

6a368da55f572461d502886c5122a363eb1689ce87d1b3ba2e2a9ad6ff6da3c62d04a8625bd4a7d6aa3989d9924feb91babd14f7174118c4a41aa71c4d0d6afe

Score

10^/10

nanocore netwire botnet keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1928-11-0x0000000000270000-0x00000000008AB000-memory.dmp	netwire
behavioral1/memory/1928-12-0x0000000000272BCB-mapping.dmp	netwire
behavioral1/memory/1928-14-0x0000000000270000-0x00000000008AB000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

gcfmk.pifRegSvcs.exe

pid process

1892 gcfmk.pif
1928 RegSvcs.exe

Loads dropped DLL 5 IoCs

Processes:

Payment notification-pdf.exegcfmk.pif

pid	process
1612	Payment notification-pdf.exe
1612	Payment notification-pdf.exe
1612	Payment notification-pdf.exe
1612	Payment notification-pdf.exe
1892	gcfmk.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gcfmk.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	gcfmk.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\98545522\\gcfmk.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\98545522\\bklnpoc.lsg"	gcfmk.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

gcfmk.pif

description pid process target process

PID 1892 set thread context of 1928 1892 gcfmk.pif RegSvcs.exe

description	pid	process	target process
PID 1892 set thread context of 1928	1892	gcfmk.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 141 IoCs

Processes:

gcfmk.pif

pid	process
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif
1892	gcfmk.pif

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Payment notification-pdf.exegcfmk.pif

description	pid	process	target process
PID 1612 wrote to memory of 1892	1612	Payment notification-pdf.exe	gcfmk.pif
PID 1612 wrote to memory of 1892	1612	Payment notification-pdf.exe	gcfmk.pif
PID 1612 wrote to memory of 1892	1612	Payment notification-pdf.exe	gcfmk.pif
PID 1612 wrote to memory of 1892	1612	Payment notification-pdf.exe	gcfmk.pif
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe
PID 1892 wrote to memory of 1928	1892	gcfmk.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Payment notification-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment notification-pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
"C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif" bklnpoc.lsg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\98545522\bklnpoc.lsg
MD5
3e7f2d13332e870998d6ae693927893c

SHA1
d3c84858110d0d6dd407d1cc37ec713f7bd18afb

SHA256
431abca02527bc6dd8271bc4fc03cca481ce7622df63500465389ea83285332b

SHA512
6d7b62489166f18fe135ee052a258c0f4e368959dd840d5143e9f10d2b97d9a23100c3299d08f1bb78c41918202089ae576b529f0711ef032018d9fd0c126f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
MD5
8939087523c8c4815680f11d1a29a2bf

SHA1
0159ea905c98f9ac82f8191b5af7a982d39e1e6d

SHA256
11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551

SHA512
b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735

Download Submit
C:\Users\Admin\AppData\Local\Temp\98545522\lkosdll.ppt
MD5
2098961ff6b10d43c9d4a48c50985419

SHA1
5494ba0b1607eb16154819ee3f7d3d435c0df692

SHA256
a1820d51aab3a6ac3223774c0ce0ee3042434fdd493742845ade14b8d163f53a

SHA512
dcea5854081fd59f79f75412add9058f97a522c4a752e93a77ffa0b6d707e3f4cccac2b7a73086b32133587f11121e486f0bbafdb5349c01109b62256214de61

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
MD5
8939087523c8c4815680f11d1a29a2bf

SHA1
0159ea905c98f9ac82f8191b5af7a982d39e1e6d

SHA256
11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551

SHA512
b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735

Download Submit
\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
MD5
8939087523c8c4815680f11d1a29a2bf

SHA1
0159ea905c98f9ac82f8191b5af7a982d39e1e6d

SHA256
11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551

SHA512
b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735

Download Submit
\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
MD5
8939087523c8c4815680f11d1a29a2bf

SHA1
0159ea905c98f9ac82f8191b5af7a982d39e1e6d

SHA256
11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551

SHA512
b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735

Download Submit
\Users\Admin\AppData\Local\Temp\98545522\gcfmk.pif
MD5
8939087523c8c4815680f11d1a29a2bf

SHA1
0159ea905c98f9ac82f8191b5af7a982d39e1e6d

SHA256
11d85bdbae72f2d143952126f2a7d682d9af166349de1b024cca5fcde7b8b551

SHA512
b290eb355e88121650670ce4bf87f19fcc9721ef96d77c31cacf050e58e621c0dacd56628076bf3b3c857a50cb1f7476985888611004008e428c79b19a316735

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1612-0-0x00000000024F0000-0x00000000025F1000-memory.dmp

Filesize
1.0MB

Download
memory/1892-6-0x0000000000000000-mapping.dmp

Download
memory/1928-11-0x0000000000270000-0x00000000008AB000-memory.dmp

Filesize
6.2MB

Download
memory/1928-12-0x0000000000272BCB-mapping.dmp

Download
memory/1928-14-0x0000000000270000-0x00000000008AB000-memory.dmp

Filesize
6.2MB

Download