nanocore | 45c4c7350970052a201b3982897ff0247a9c461c60ecf52cd9fdc60aed38ffd7

General

Target

PROOF OF PAYMENT.exe
Size

888KB
MD5

5e5604114794f468c813d4d935a4cdbe
SHA1

84c54efd50e143c3aaaa260f66ae6841246b4582
SHA256

45c4c7350970052a201b3982897ff0247a9c461c60ecf52cd9fdc60aed38ffd7
SHA512

4ef4173d012a7337fb95a2e3dc1e40e82ad9dd8b3778cf4c4b8f2ccb75f14f742d523e2e5add49b23bc277d5819af8f66583e37517c2c58be2695cde5afd9660

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

amechi.duckdns.org:3190

Mutex

88214ee8-a10b-488a-b7ab-62beb82df06b

Attributes

activate_away_mode
true
backup_connection_host
amechi.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-12T19:59:26.466993536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3190
default_group
BST FREEDOM COLLECT
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
88214ee8-a10b-488a-b7ab-62beb82df06b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
amechi.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	PROOF OF PAYMENT.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

PROOF OF PAYMENT.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA PROOF OF PAYMENT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

PROOF OF PAYMENT.exe

description pid process target process

PID 732 set thread context of 2716 732 PROOF OF PAYMENT.exe PROOF OF PAYMENT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PROOF OF PAYMENT.exe

description	pid	process	target process
PID 732 set thread context of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe

Drops file in Program Files directory 2 IoCs

Processes:

PROOF OF PAYMENT.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	PROOF OF PAYMENT.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	PROOF OF PAYMENT.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2172 schtasks.exe

pid	process
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

pid	process
732	PROOF OF PAYMENT.exe
2716	PROOF OF PAYMENT.exe
2716	PROOF OF PAYMENT.exe
2716	PROOF OF PAYMENT.exe
2716	PROOF OF PAYMENT.exe
2716	PROOF OF PAYMENT.exe
2716	PROOF OF PAYMENT.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PROOF OF PAYMENT.exe

pid process

2716 PROOF OF PAYMENT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PROOF OF PAYMENT.exePROOF OF PAYMENT.exe

description pid process

Token: SeDebugPrivilege 732 PROOF OF PAYMENT.exe
Token: SeDebugPrivilege 2716 PROOF OF PAYMENT.exe

pid	process
2716	PROOF OF PAYMENT.exe

description	pid	process
Token: SeDebugPrivilege	732	PROOF OF PAYMENT.exe
Token: SeDebugPrivilege	2716	PROOF OF PAYMENT.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

PROOF OF PAYMENT.exe

description	pid	process	target process
PID 732 wrote to memory of 2172	732	PROOF OF PAYMENT.exe	schtasks.exe
PID 732 wrote to memory of 2172	732	PROOF OF PAYMENT.exe	schtasks.exe
PID 732 wrote to memory of 2172	732	PROOF OF PAYMENT.exe	schtasks.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe
PID 732 wrote to memory of 2716	732	PROOF OF PAYMENT.exe	PROOF OF PAYMENT.exe

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AIVwTQrYvQpnV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE228.tmp"
2⤵
- Creates scheduled task(s)
PID:2172

C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PROOF OF PAYMENT.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE228.tmp
MD5
e91be2dc2f451a3a6391a215aa19b860

SHA1
885f315fc6f7f96cd29cf86586d6430a7dd5f709

SHA256
da8bf6146cccd384f3583e146877147a610242c4d26afed50e9d43773ca14f83

SHA512
11077116f340ee980653eb512492345d697740d7f1072a5d9519bb4076d6e8e98b4c3d8a697386d58c62b291cc2e7700c2c084af8ae96c7dc9d62147a0bd7a43

Download Submit
memory/732-3-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/732-5-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/732-6-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/732-7-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/732-8-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/732-9-0x00000000051C0000-0x00000000051C4000-memory.dmp

Filesize
16KB

Download
memory/732-10-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/732-11-0x0000000008820000-0x00000000088EC000-memory.dmp

Filesize
816KB

Download
memory/732-2-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/2172-12-0x0000000000000000-mapping.dmp

Download
memory/2716-25-0x0000000005360000-0x0000000005365000-memory.dmp

Filesize
20KB

Download
memory/2716-30-0x0000000006780000-0x0000000006786000-memory.dmp

Filesize
24KB

Download
memory/2716-15-0x000000000041E792-mapping.dmp

Download
memory/2716-24-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2716-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-26-0x0000000005550000-0x0000000005569000-memory.dmp

Filesize
100KB

Download
memory/2716-27-0x00000000055D0000-0x00000000055D3000-memory.dmp

Filesize
12KB

Download
memory/2716-28-0x0000000005FE0000-0x0000000005FED000-memory.dmp

Filesize
52KB

Download
memory/2716-29-0x0000000006750000-0x0000000006765000-memory.dmp

Filesize
84KB

Download
memory/2716-17-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/2716-31-0x0000000006790000-0x000000000679C000-memory.dmp

Filesize
48KB

Download
memory/2716-32-0x00000000067A0000-0x00000000067A6000-memory.dmp

Filesize
24KB

Download
memory/2716-33-0x00000000067B0000-0x00000000067B7000-memory.dmp

Filesize
28KB

Download
memory/2716-34-0x00000000067C0000-0x00000000067CD000-memory.dmp

Filesize
52KB

Download
memory/2716-35-0x00000000067D0000-0x00000000067D9000-memory.dmp

Filesize
36KB

Download
memory/2716-36-0x00000000067E0000-0x00000000067EF000-memory.dmp

Filesize
60KB

Download
memory/2716-37-0x0000000006800000-0x000000000680A000-memory.dmp

Filesize
40KB

Download
memory/2716-38-0x0000000006810000-0x0000000006839000-memory.dmp

Filesize
164KB

Download
memory/2716-39-0x0000000006850000-0x000000000685F000-memory.dmp

Filesize
60KB

Download
memory/2716-40-0x0000000006A20000-0x0000000006A21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads