nanocore | 17b4666d69c4c82a89ee9208dfe8ebb84e3f7acdd81dfb2320ed00efcce33134

General

Target

PAYMENT COPY RECEIPT.exe
Size

434KB
MD5

c3da28de257b1b534110d8697563a743
SHA1

b127eb700d37a8b027fe67b78b0afa35975ffff9
SHA256

17b4666d69c4c82a89ee9208dfe8ebb84e3f7acdd81dfb2320ed00efcce33134
SHA512

747ab809f36efd6df6153ed1c3100a7e376677397ab7c23c4f2de2ef89d0dc17e25cbe9ab3180cece43f1188f62a56fca78b2779456cb23c276e20500422cf4a

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chinomso.duckdns.org:7688

Mutex

5c856c52-5125-42de-9ed3-2389e16da064

Attributes

activate_away_mode
true
backup_connection_host
chinomso.duckdns.org
backup_dns_server
chinomso.duckdns.org
buffer_size
65535
build_time
2020-10-13T03:36:21.868380136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7688
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5c856c52-5125-42de-9ed3-2389e16da064
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chinomso.duckdns.org
primary_dns_server
chinomso.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PAYMENT COPY RECEIPT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	PAYMENT COPY RECEIPT.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

PAYMENT COPY RECEIPT.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PAYMENT COPY RECEIPT.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT COPY RECEIPT.exe

description pid process target process

PID 2028 set thread context of 1620 2028 PAYMENT COPY RECEIPT.exe PAYMENT COPY RECEIPT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PAYMENT COPY RECEIPT.exe

description	pid	process	target process
PID 2028 set thread context of 1620	2028	PAYMENT COPY RECEIPT.exe	PAYMENT COPY RECEIPT.exe

Drops file in Program Files directory 2 IoCs

Processes:

PAYMENT COPY RECEIPT.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	PAYMENT COPY RECEIPT.exe
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	PAYMENT COPY RECEIPT.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1972 schtasks.exe
1772 schtasks.exe

pid	process
1972	schtasks.exe
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PAYMENT COPY RECEIPT.exe

pid	process
1620	PAYMENT COPY RECEIPT.exe
1620	PAYMENT COPY RECEIPT.exe
1620	PAYMENT COPY RECEIPT.exe
1620	PAYMENT COPY RECEIPT.exe
1620	PAYMENT COPY RECEIPT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PAYMENT COPY RECEIPT.exe

pid process

1620 PAYMENT COPY RECEIPT.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PAYMENT COPY RECEIPT.exe

pid process

2028 PAYMENT COPY RECEIPT.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PAYMENT COPY RECEIPT.exe

description pid process

Token: SeDebugPrivilege 1620 PAYMENT COPY RECEIPT.exe

pid	process
2028	PAYMENT COPY RECEIPT.exe

description	pid	process
Token: SeDebugPrivilege	1620	PAYMENT COPY RECEIPT.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PAYMENT COPY RECEIPT.exePAYMENT COPY RECEIPT.exe

description	pid	process	target process
PID 2028 wrote to memory of 1620	2028	PAYMENT COPY RECEIPT.exe	PAYMENT COPY RECEIPT.exe
PID 2028 wrote to memory of 1620	2028	PAYMENT COPY RECEIPT.exe	PAYMENT COPY RECEIPT.exe
PID 2028 wrote to memory of 1620	2028	PAYMENT COPY RECEIPT.exe	PAYMENT COPY RECEIPT.exe
PID 2028 wrote to memory of 1620	2028	PAYMENT COPY RECEIPT.exe	PAYMENT COPY RECEIPT.exe
PID 2028 wrote to memory of 1620	2028	PAYMENT COPY RECEIPT.exe	PAYMENT COPY RECEIPT.exe
PID 1620 wrote to memory of 1972	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe
PID 1620 wrote to memory of 1972	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe
PID 1620 wrote to memory of 1972	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe
PID 1620 wrote to memory of 1972	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe
PID 1620 wrote to memory of 1772	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe
PID 1620 wrote to memory of 1772	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe
PID 1620 wrote to memory of 1772	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe
PID 1620 wrote to memory of 1772	1620	PAYMENT COPY RECEIPT.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY RECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY RECEIPT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY RECEIPT.exe
  "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY RECEIPT.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1239.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1972
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1391.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1239.tmp

MD5
7b5f0c95e2d79859228267ea42895694

SHA1
3df34c5687efde4141225094d39ff7cae08d1e51

SHA256
3a1ac8d74e73caa86ecb8928327f7a3a53b21d19da46ba7b93c3ed48cb9db66a

SHA512
42b483614109ed944880265cf097e914c771b24d99ae85afec93936e04cfd1e1ec9635689e5ee324d91b86fa26d58a4ffe86958447da0b095e050dcde806b342

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1391.tmp

MD5
819bdbdac3be050783d203020e6c4c30

SHA1
a373521fceb21cac8b93e55ee48578e40a6e740b

SHA256
0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053

SHA512
cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Download Submit
memory/1620-17-0x00000000007D0000-0x00000000007E9000-memory.dmp

Filesize
100KB

Download
memory/1620-24-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/1620-18-0x00000000004B0000-0x00000000004B3000-memory.dmp

Filesize
12KB

Download
memory/1620-19-0x0000000000A50000-0x0000000000A5D000-memory.dmp

Filesize
52KB

Download
memory/1620-11-0x0000000004944000-0x0000000004945000-memory.dmp

Filesize
4KB

Download
memory/1620-9-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/1620-8-0x0000000004941000-0x0000000004942000-memory.dmp

Filesize
4KB

Download
memory/1620-2-0x000000000040188B-mapping.dmp

Download
memory/1620-4-0x0000000074EE0000-0x00000000755CE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-29-0x0000000000F30000-0x0000000000F59000-memory.dmp

Filesize
164KB

Download
memory/1620-3-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1620-16-0x0000000000460000-0x0000000000465000-memory.dmp

Filesize
20KB

Download
memory/1620-30-0x0000000000E20000-0x0000000000E2F000-memory.dmp

Filesize
60KB

Download
memory/1620-6-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1620-10-0x0000000004943000-0x0000000004944000-memory.dmp

Filesize
4KB

Download
memory/1620-20-0x0000000000B50000-0x0000000000B65000-memory.dmp

Filesize
84KB

Download
memory/1620-21-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

Filesize
24KB

Download
memory/1620-22-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/1620-23-0x0000000000C30000-0x0000000000C37000-memory.dmp

Filesize
28KB

Download
memory/1620-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1620-25-0x0000000000D90000-0x0000000000D9D000-memory.dmp

Filesize
52KB

Download
memory/1620-26-0x0000000000DA0000-0x0000000000DA9000-memory.dmp

Filesize
36KB

Download
memory/1620-27-0x0000000000DF0000-0x0000000000DFF000-memory.dmp

Filesize
60KB

Download
memory/1620-28-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/1772-14-0x0000000000000000-mapping.dmp

Download
memory/1972-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads