nanocore | 373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79

General

Target

PROOF OF PAYMENT.exe
Size

1.1MB
MD5

dcf168394ef0a6d6774b099dd8493b75
SHA1

565c77fa9f7f22229ff5aabad52f6f9e0c5fbce0
SHA256

373e294fccf1cbc447469aeb6fc86678efbfd072b5035a295d1fc74ce6e9fd79
SHA512

6f19bd8c1ce255848fc9e60b92b758ac960c81e3cb4c3c7bc5e520de5b03cfc0a2244891150b50ecc179fc35a9d7f9477e567bdd275b32b4873fe640dafe7ac9

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

amechi.duckdns.org:3190

Mutex

c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81

Attributes

activate_away_mode
true
backup_connection_host
amechi.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-02T13:48:01.329593636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3190
default_group
OJO 202111111111
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c3f2ffac-72ce-4a70-9d04-4f6a62cc4c81
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
amechi.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe"	PROOF OF PAYMENT.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

PROOF OF PAYMENT.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PROOF OF PAYMENT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

PROOF OF PAYMENT.exe

description pid process target process

PID 988 set thread context of 516 988 PROOF OF PAYMENT.exe PROOF OF PAYMENT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PROOF OF PAYMENT.exe

description	pid	process	target process
PID 988 set thread context of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe

Drops file in Program Files directory 2 IoCs

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
File created	C:\Program Files (x86)\WAN Service\wansv.exe	PROOF OF PAYMENT.exe
File opened for modification	C:\Program Files (x86)\WAN Service\wansv.exe	PROOF OF PAYMENT.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2688 schtasks.exe

pid	process
2688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

pid	process
988	PROOF OF PAYMENT.exe
988	PROOF OF PAYMENT.exe
988	PROOF OF PAYMENT.exe
988	PROOF OF PAYMENT.exe
516	PROOF OF PAYMENT.exe
516	PROOF OF PAYMENT.exe
516	PROOF OF PAYMENT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PROOF OF PAYMENT.exe

pid process

516 PROOF OF PAYMENT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

description pid process

Token: SeDebugPrivilege 988 PROOF OF PAYMENT.exe
Token: SeDebugPrivilege 516 PROOF OF PAYMENT.exe

pid	process
516	PROOF OF PAYMENT.exe

description	pid	process
Token: SeDebugPrivilege	988	PROOF OF PAYMENT.exe
Token: SeDebugPrivilege	516	PROOF OF PAYMENT.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

PROOF OF PAYMENT.exe

description	pid	process	target process
PID 988 wrote to memory of 2688	988	PROOF OF PAYMENT.exe	schtasks.exe
PID 988 wrote to memory of 2688	988	PROOF OF PAYMENT.exe	schtasks.exe
PID 988 wrote to memory of 2688	988	PROOF OF PAYMENT.exe	schtasks.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 988 wrote to memory of 516	988	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pJrVfPIhXgkUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDBFE.tmp"
2⤵
- Creates scheduled task(s)
PID:2688

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROOF OF PAYMENT.exe.log
MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBFE.tmp
MD5
686b61541d464dc04945dc86a12246d6

SHA1
c338a26b9bbb487658e06bf4a4f2574e16a25887

SHA256
ddf6e5d11567bd55fa3af9584853a69f86264e7515826b8a6bb7300f3ce84358

SHA512
8a3d5d0062ff3dfc43abd650e4ea2e8c4b81e462d06d58ff4b22b728c608ef77b1ccae32d6a6aad79e5d03ff1080bbaf680e1627469e7568fa68edf21482773c

Download Submit
memory/516-28-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/516-27-0x0000000005420000-0x0000000005423000-memory.dmp

Filesize
12KB

Download
memory/516-26-0x0000000005B60000-0x0000000005B79000-memory.dmp

Filesize
100KB

Download
memory/516-25-0x00000000051B0000-0x00000000051B5000-memory.dmp

Filesize
20KB

Download
memory/516-18-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/516-16-0x000000000041E792-mapping.dmp

Download
memory/516-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/988-8-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/988-12-0x0000000008160000-0x0000000008161000-memory.dmp

Filesize
4KB

Download
memory/988-11-0x0000000008020000-0x00000000080B1000-memory.dmp

Filesize
580KB

Download
memory/988-10-0x0000000005A00000-0x0000000005A0E000-memory.dmp

Filesize
56KB

Download
memory/988-9-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/988-2-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/988-7-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/988-6-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/988-5-0x0000000007950000-0x0000000007A47000-memory.dmp

Filesize
988KB

Download
memory/988-3-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2688-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads