nanocore | 5f5811cb21014c50382749b17e3fe8a5b46f4f6ffa983ab004dd0ca1557e822a

General

Target

Receipt Copt.exe
Size

1018KB
MD5

edd27e3a78ecf4586be0fd39bbe43644
SHA1

5932c52e32bcfa9c9d74900aa861f770ec93447c
SHA256

5f5811cb21014c50382749b17e3fe8a5b46f4f6ffa983ab004dd0ca1557e822a
SHA512

620299d9e18c4d6fb745c451a05ea541cf936ed031c4882ec210f6a110c23674e53b18736e886c8fb080a375c4a5ea57fac6ea9b0ef8e1e0d81e9ac146476211

Score

10^/10

nanocore evasion keylogger ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

cool.gotdns.ch:7451

Mutex

4ccbaa8c-6fa6-44e1-aa50-55700a620790

Attributes

activate_away_mode
true
backup_connection_host
cool.gotdns.ch
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-10T04:03:58.796388136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7451
default_group
Apo
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30009
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4ccbaa8c-6fa6-44e1-aa50-55700a620790
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
cool.gotdns.ch
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Receipt Copt.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Receipt Copt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

Receipt Copt.exe

description pid process target process

PID 4760 set thread context of 704 4760 Receipt Copt.exe Receipt Copt.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

660 schtasks.exe
1340 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Receipt Copt.exeReceipt Copt.exe

pid process

4760 Receipt Copt.exe
704 Receipt Copt.exe
704 Receipt Copt.exe
704 Receipt Copt.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Receipt Copt.exe

pid process

704 Receipt Copt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Receipt Copt.exeReceipt Copt.exe

description pid process

Token: SeDebugPrivilege 4760 Receipt Copt.exe
Token: SeDebugPrivilege 704 Receipt Copt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Receipt Copt.exe

description	pid	process	target process
PID 4760 set thread context of 704	4760	Receipt Copt.exe	Receipt Copt.exe

pid	process
660	schtasks.exe
1340	schtasks.exe

pid	process
4760	Receipt Copt.exe
704	Receipt Copt.exe
704	Receipt Copt.exe
704	Receipt Copt.exe

pid	process
704	Receipt Copt.exe

description	pid	process
Token: SeDebugPrivilege	4760	Receipt Copt.exe
Token: SeDebugPrivilege	704	Receipt Copt.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Receipt Copt.exeReceipt Copt.exe

description	pid	process	target process
PID 4760 wrote to memory of 660	4760	Receipt Copt.exe	schtasks.exe
PID 4760 wrote to memory of 660	4760	Receipt Copt.exe	schtasks.exe
PID 4760 wrote to memory of 660	4760	Receipt Copt.exe	schtasks.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 4760 wrote to memory of 704	4760	Receipt Copt.exe	Receipt Copt.exe
PID 704 wrote to memory of 1340	704	Receipt Copt.exe	schtasks.exe
PID 704 wrote to memory of 1340	704	Receipt Copt.exe	schtasks.exe
PID 704 wrote to memory of 1340	704	Receipt Copt.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Receipt Copt.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt Copt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ghaIgSUgLRQNnf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C59.tmp"
2⤵
- Creates scheduled task(s)
PID:660

C:\Users\Admin\AppData\Local\Temp\Receipt Copt.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt Copt.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp61E7.tmp"
3⤵
- Creates scheduled task(s)
PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Receipt Copt.exe.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C59.tmp

MD5
38b8ab9ce758fe398c2f60ba90e7aa27

SHA1
8343905c2a12429cc0b9bdf5834c1de918ef5cdd

SHA256
d6da8b3afeeb44749c5d24bb2c352021e9125918a986c82e49b1e43702dbd0fa

SHA512
bb338fe17486fa566ef279d00d5880494e57e8987af489f43254f9087d7bdd8e9df7c9570356b8f2893bf103a6b3c57c20f89428564ee7cc111af394861cc77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61E7.tmp

MD5
011d2bdf174b18899c25fbfe3f259e33

SHA1
7d065481fe972b3487f37e928517e98751a4891a

SHA256
2bbc1661ade4eef9305e75b50b6878997f804db6fcf9198bb0461d87f1a4aa46

SHA512
9a5d9d3a29ec83ce544526955b4193197dfe97b4e86c95a1aafa2ed78ce634d3899eacee296d8db7ec1b54a5cb9d12f30fe753c3492705926692dddc316c14d1

Download Submit
memory/660-13-0x0000000000000000-mapping.dmp

Download
memory/704-18-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/704-15-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/704-30-0x00000000066A0000-0x00000000066A3000-memory.dmp

Filesize
12KB

Download
memory/704-29-0x0000000006580000-0x0000000006599000-memory.dmp

Filesize
100KB

Download
memory/704-28-0x0000000005630000-0x0000000005635000-memory.dmp

Filesize
20KB

Download
memory/704-24-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/704-16-0x000000000041E792-mapping.dmp

Download
memory/1340-26-0x0000000000000000-mapping.dmp

Download
memory/4760-6-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/4760-7-0x0000000007E30000-0x0000000007E31000-memory.dmp

Filesize
4KB

Download
memory/4760-5-0x0000000007D90000-0x0000000007D91000-memory.dmp

Filesize
4KB

Download
memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4760-12-0x0000000008A90000-0x0000000008B39000-memory.dmp

Filesize
676KB

Download
memory/4760-8-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/4760-3-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/4760-11-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/4760-10-0x0000000007D50000-0x0000000007D53000-memory.dmp

Filesize
12KB

Download
memory/4760-9-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads