nanocore | 45c4c7350970052a201b3982897ff0247a9c461c60ecf52cd9fdc60aed38ffd7

General

Target

PROOF OF PAYMENT.exe
Size

888KB
MD5

5e5604114794f468c813d4d935a4cdbe
SHA1

84c54efd50e143c3aaaa260f66ae6841246b4582
SHA256

45c4c7350970052a201b3982897ff0247a9c461c60ecf52cd9fdc60aed38ffd7
SHA512

4ef4173d012a7337fb95a2e3dc1e40e82ad9dd8b3778cf4c4b8f2ccb75f14f742d523e2e5add49b23bc277d5819af8f66583e37517c2c58be2695cde5afd9660

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

amechi.duckdns.org:3190

Mutex

88214ee8-a10b-488a-b7ab-62beb82df06b

Attributes

activate_away_mode
true
backup_connection_host
amechi.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-12T19:59:26.466993536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3190
default_group
BST FREEDOM COLLECT
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
88214ee8-a10b-488a-b7ab-62beb82df06b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
amechi.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/792-31-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral1/memory/792-32-0x0000000000411654-mapping.dmp	MailPassView
behavioral1/memory/792-34-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/792-31-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral1/memory/792-32-0x0000000000411654-mapping.dmp	Nirsoft
behavioral1/memory/792-34-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	PROOF OF PAYMENT.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

PROOF OF PAYMENT.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PROOF OF PAYMENT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PROOF OF PAYMENT.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

description	pid	process	target process
PID 744 set thread context of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 268 set thread context of 792	268	PROOF OF PAYMENT.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	PROOF OF PAYMENT.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	PROOF OF PAYMENT.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

916 schtasks.exe

pid	process
916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

pid	process
744	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe
268	PROOF OF PAYMENT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PROOF OF PAYMENT.exe

pid process

268 PROOF OF PAYMENT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

description pid process

Token: SeDebugPrivilege 744 PROOF OF PAYMENT.exe
Token: SeDebugPrivilege 268 PROOF OF PAYMENT.exe

pid	process
268	PROOF OF PAYMENT.exe

description	pid	process
Token: SeDebugPrivilege	744	PROOF OF PAYMENT.exe
Token: SeDebugPrivilege	268	PROOF OF PAYMENT.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

description	pid	process	target process
PID 744 wrote to memory of 916	744	PROOF OF PAYMENT.exe	schtasks.exe
PID 744 wrote to memory of 916	744	PROOF OF PAYMENT.exe	schtasks.exe
PID 744 wrote to memory of 916	744	PROOF OF PAYMENT.exe	schtasks.exe
PID 744 wrote to memory of 916	744	PROOF OF PAYMENT.exe	schtasks.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 744 wrote to memory of 268	744	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 268 wrote to memory of 652	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 652	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 652	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 652	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1828	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1828	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1828	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1828	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1944	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1944	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1944	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1944	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 792	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1564	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1564	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1564	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1564	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1448	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1448	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1448	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1448	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1760	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1760	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1760	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1760	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1320	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1320	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1320	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1320	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1912	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1912	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1912	268	PROOF OF PAYMENT.exe	vbc.exe
PID 268 wrote to memory of 1912	268	PROOF OF PAYMENT.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AIVwTQrYvQpnV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6B2.tmp"
2⤵
- Creates scheduled task(s)
PID:916

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\1dlkkya4.uqc"
3⤵
PID:652

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\1dlkkya4.uqc"
3⤵
PID:1828

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\1dlkkya4.uqc"
3⤵
PID:1944

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\1dlkkya4.uqc"
3⤵
PID:792

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\yqi2tpfl.pxc"
3⤵
PID:1564

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\yqi2tpfl.pxc"
3⤵
PID:1448

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\yqi2tpfl.pxc"
3⤵
PID:1760

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\yqi2tpfl.pxc"
3⤵
PID:1320

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\yqi2tpfl.pxc"
3⤵
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1dlkkya4.uqc

MD5
69b2a2e17e78d24abee9f1de2f04811a

SHA1
d19c109704e83876ab3527457f9418a7d053aa33

SHA256
1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

SHA512
eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6B2.tmp

MD5
bc14f5d404e2dad09579b6cf7532ff1e

SHA1
c6cbd66150fd10f03fd52287cee143fce2543124

SHA256
764d9ba74f3893ee65ac135304b16ae6a66db2f386dc6a0b79b344d763ebddda

SHA512
ec53b2453e2dc3127bc7c4d79cb85ad7a057af591777290e9f312b17b9af480f51137c1fddc80aa7035d4d34410ccea3e5088856d721de4ea8135593d447eec6

Download Submit
memory/268-20-0x0000000000600000-0x0000000000615000-memory.dmp

Filesize
84KB

Download
memory/268-28-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/268-21-0x0000000000760000-0x0000000000766000-memory.dmp

Filesize
24KB

Download
memory/268-30-0x0000000002350000-0x000000000235F000-memory.dmp

Filesize
60KB

Download
memory/268-29-0x0000000002320000-0x0000000002349000-memory.dmp

Filesize
164KB

Download
memory/268-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-11-0x000000000041E792-mapping.dmp

Download
memory/268-12-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/268-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-15-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/268-16-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/268-17-0x00000000004E0000-0x00000000004F9000-memory.dmp

Filesize
100KB

Download
memory/268-18-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/268-19-0x00000000005A0000-0x00000000005AD000-memory.dmp

Filesize
52KB

Download
memory/268-27-0x0000000000E00000-0x0000000000E0F000-memory.dmp

Filesize
60KB

Download
memory/268-26-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/268-22-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/268-23-0x0000000000D40000-0x0000000000D46000-memory.dmp

Filesize
24KB

Download
memory/268-24-0x0000000000D90000-0x0000000000D97000-memory.dmp

Filesize
28KB

Download
memory/268-25-0x0000000000DA0000-0x0000000000DAD000-memory.dmp

Filesize
52KB

Download
memory/744-7-0x0000000005D30000-0x0000000005DFC000-memory.dmp

Filesize
816KB

Download
memory/744-3-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/744-6-0x0000000000360000-0x0000000000364000-memory.dmp

Filesize
16KB

Download
memory/744-5-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/744-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/792-31-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/792-32-0x0000000000411654-mapping.dmp

Download
memory/792-33-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/792-34-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/916-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads