nanocore | 373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79

General

Target

PROOF OF PAYMENT.exe
Size

1.1MB
MD5

dcf168394ef0a6d6774b099dd8493b75
SHA1

565c77fa9f7f22229ff5aabad52f6f9e0c5fbce0
SHA256

373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79
SHA512

6f19bd8c1ce255848fc9e60b92b758ac960c81e3cb4c3c7bc5e520de5b03cfc0a2244891150b50ecc179fc35a9d7f9477e567bdd275b32b4873fe640dafe7ac9

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

amechi.duckdns.org:3190

Mutex

c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81

Attributes

activate_away_mode
true
backup_connection_host
amechi.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-02T13:48:01.329593636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3190
default_group
OJO 202111111111
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
amechi.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	PROOF OF PAYMENT.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

PROOF OF PAYMENT.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PROOF OF PAYMENT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

PROOF OF PAYMENT.exe

description pid process target process

PID 1924 set thread context of 1072 1924 PROOF OF PAYMENT.exe PROOF OF PAYMENT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PROOF OF PAYMENT.exe

description	pid	process	target process
PID 1924 set thread context of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe

Drops file in Program Files directory 2 IoCs

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	PROOF OF PAYMENT.exe
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	PROOF OF PAYMENT.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1628 schtasks.exe

pid	process
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

pid	process
1924	PROOF OF PAYMENT.exe
1924	PROOF OF PAYMENT.exe
1924	PROOF OF PAYMENT.exe
1924	PROOF OF PAYMENT.exe
1072	PROOF OF PAYMENT.exe
1072	PROOF OF PAYMENT.exe
1072	PROOF OF PAYMENT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PROOF OF PAYMENT.exe

pid process

1072 PROOF OF PAYMENT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

description pid process

Token: SeDebugPrivilege 1924 PROOF OF PAYMENT.exe
Token: SeDebugPrivilege 1072 PROOF OF PAYMENT.exe

pid	process
1072	PROOF OF PAYMENT.exe

description	pid	process
Token: SeDebugPrivilege	1924	PROOF OF PAYMENT.exe
Token: SeDebugPrivilege	1072	PROOF OF PAYMENT.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

PROOF OF PAYMENT.exe

description	pid	process	target process
PID 1924 wrote to memory of 1628	1924	PROOF OF PAYMENT.exe	schtasks.exe
PID 1924 wrote to memory of 1628	1924	PROOF OF PAYMENT.exe	schtasks.exe
PID 1924 wrote to memory of 1628	1924	PROOF OF PAYMENT.exe	schtasks.exe
PID 1924 wrote to memory of 1628	1924	PROOF OF PAYMENT.exe	schtasks.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 1924 wrote to memory of 1072	1924	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pJrVfPIhXgkUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA9D6.tmp"
2⤵
- Creates scheduled task(s)
PID:1628

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA9D6.tmp
MD5
2e390643630702f6edd5dc6a81f25673

SHA1
55beb4afe68a3114e5153a7a41b1d28e488de8cd

SHA256
b44b150ff9764c86ede532b3854e49b9409b667ba0cd979bc8d9f181ea8fd2f2

SHA512
bfe690ac7e4ad79a9fb32a5ad0d9422a3c20904425db02c9c58cedb1429c96a5a768df182ab8f72873fa2ffaa03b705fa495daf75e1da94a47befe57d8e2812a

Download Submit
memory/1072-16-0x00000000004C0000-0x00000000004C5000-memory.dmp

Filesize
20KB

Download
memory/1072-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-19-0x0000000000550000-0x0000000000553000-memory.dmp

Filesize
12KB

Download
memory/1072-18-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1072-17-0x0000000000600000-0x0000000000619000-memory.dmp

Filesize
100KB

Download
memory/1072-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-13-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1072-12-0x000000000041E792-mapping.dmp

Download
memory/1628-9-0x0000000000000000-mapping.dmp

Download
memory/1924-3-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/1924-5-0x0000000006E80000-0x0000000006F77000-memory.dmp

Filesize
988KB

Download
memory/1924-2-0x00000000742C0000-0x00000000749AE000-memory.dmp

Filesize
6.9MB

Download
memory/1924-8-0x0000000004C10000-0x0000000004CA1000-memory.dmp

Filesize
580KB

Download
memory/1924-7-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1924-6-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads