Analysis
-
max time kernel
41s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-02-2021 15:14
General
-
Target
remittance copy.pdf.exe
-
Size
731KB
-
MD5
f287d8b2fe69fec7039f0543b8ffb145
-
SHA1
7824df6f9f5b83703c9cf37f756759b12bb1f4c0
-
SHA256
117a47316ab68fefcd1ab9c8c00a763852cb569fa5a487fe8dd4efdf8702f3aa
-
SHA512
e89813da5fc74c7ac10c685967311633853c85991e97418dc3a8c1510033eaa4dfafa9f23e554bd84b7cc827c35104b1c48f5b7e4a654947e81295f50fccaace
Malware Config
Extracted
nanocore
1.2.2.0
shahzad73.casacam.net:9036
shahzad73.ddns.net:9036
c4cca249-81f6-4232-9f14-01569e09f5f0
-
activate_away_mode
true
-
backup_connection_host
shahzad73.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-11-06T13:23:03.514637236Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
9036
-
default_group
JANUARY
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c4cca249-81f6-4232-9f14-01569e09f5f0
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
shahzad73.casacam.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\remittance copy.pdf.exe"C:\Users\Admin\AppData\Local\Temp\remittance copy.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hWjKxDWLtjH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCDD.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\remittance copy.pdf.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\remittance copy.pdf.exe"{path}"2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC1FE.tmp"3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpBCDD.tmpMD5
ce45d55f3f152b4ac6a06a9beb367a2e
SHA14a7f4840e545e400b4ca95b791fd3f8dfb26e6bc
SHA2560c148f0d389201de0747fe0745297e7ab6d4dfdf0de8ff04dedb73b230bdaf54
SHA5124113ef72227febe45dff8c5b48b9ab76bd4e5ed3e0e7d93933c1771d7b252b1e7d601a242ebdc5621213ba2050eeab09a29299978856141c1d537ef9d6ad774c
-
C:\Users\Admin\AppData\Local\Temp\tmpC1FE.tmpMD5
69619fa6315922f518446a1051ca75db
SHA1a4737ffda4293a332537a9732e8b6678a6c1ca34
SHA256428269e38ab106d4621b3249db28216f19820c01e0726aec0ba6af5abfa9fa1d
SHA51226f341c9d590bafbf3dd8701d1f9e8dabf3ff8e2eb9d369c33752295a1e95d7eda13b954f3eb46dca2433c118c3f5808635c51b87c04ca7f8a4c257d4c66c889
-
memory/3460-24-0x0000000000000000-mapping.dmp
-
memory/3548-12-0x0000000000000000-mapping.dmp
-
memory/3884-11-0x00000000071A0000-0x0000000007227000-memory.dmpFilesize
540KB
-
memory/3884-5-0x00000000059F0000-0x00000000059F1000-memory.dmpFilesize
4KB
-
memory/3884-9-0x0000000008DA0000-0x0000000008DA1000-memory.dmpFilesize
4KB
-
memory/3884-10-0x00000000057D0000-0x00000000057DB000-memory.dmpFilesize
44KB
-
memory/3884-2-0x0000000073A20000-0x000000007410E000-memory.dmpFilesize
6.9MB
-
memory/3884-7-0x00000000054B0000-0x00000000054B1000-memory.dmpFilesize
4KB
-
memory/3884-6-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/3884-8-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/3884-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmpFilesize
4KB
-
memory/4072-28-0x0000000005910000-0x0000000005913000-memory.dmpFilesize
12KB
-
memory/4072-31-0x0000000007050000-0x0000000007056000-memory.dmpFilesize
24KB
-
memory/4072-16-0x0000000073A20000-0x000000007410E000-memory.dmpFilesize
6.9MB
-
memory/4072-15-0x000000000041E792-mapping.dmp
-
memory/4072-26-0x0000000005830000-0x0000000005835000-memory.dmpFilesize
20KB
-
memory/4072-27-0x0000000005840000-0x0000000005859000-memory.dmpFilesize
100KB
-
memory/4072-14-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/4072-29-0x00000000068B0000-0x00000000068BD000-memory.dmpFilesize
52KB
-
memory/4072-30-0x0000000007010000-0x0000000007025000-memory.dmpFilesize
84KB
-
memory/4072-23-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/4072-32-0x0000000007060000-0x000000000706C000-memory.dmpFilesize
48KB
-
memory/4072-33-0x0000000007070000-0x0000000007076000-memory.dmpFilesize
24KB
-
memory/4072-34-0x0000000007080000-0x0000000007087000-memory.dmpFilesize
28KB
-
memory/4072-35-0x0000000007090000-0x000000000709D000-memory.dmpFilesize
52KB
-
memory/4072-36-0x00000000070A0000-0x00000000070A9000-memory.dmpFilesize
36KB
-
memory/4072-37-0x00000000070B0000-0x00000000070BF000-memory.dmpFilesize
60KB
-
memory/4072-38-0x00000000070D0000-0x00000000070DA000-memory.dmpFilesize
40KB
-
memory/4072-39-0x00000000070E0000-0x0000000007109000-memory.dmpFilesize
164KB
-
memory/4072-40-0x0000000007120000-0x000000000712F000-memory.dmpFilesize
60KB
-
memory/4072-41-0x0000000007300000-0x0000000007301000-memory.dmpFilesize
4KB