Analysis

  • max time kernel
    44s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    16-04-2021 21:51

General

  • Target

    receipt.exe

  • Size

    878KB

  • MD5

    14e1ad7305a1a922bbfb27648409cece

  • SHA1

    c8dde3f6c66237043e38e666305b103da6869367

  • SHA256

    86059a4b84489fb1b625b1eb2bdabcd88fb4226fb04b769fddfe0fbec40c28b5

  • SHA512

    b5cf896bd1b270db3dead0c15a746a191eb83af62034d96690e0381a9aa2a059d9cf039c6f86f5b8b6e0cc0b507363d41777589c14d2c157fd4ea61d7b9ac1d4

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

cldgr.duckdns.org:8008

127.0.0.1:8008

Mutex

e05d61c5-9a4c-422d-885b-a239d0634e5c

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-12-22T19:42:47.139515236Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    8008

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e05d61c5-9a4c-422d-885b-a239d0634e5c

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    cldgr.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\receipt.exe
    "C:\Users\Admin\AppData\Local\Temp\receipt.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGgdCdbL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp27EB.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:916
    • C:\Users\Admin\AppData\Local\Temp\receipt.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "UPNP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FAC.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1160
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "UPNP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp300B.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp27EB.tmp

    MD5

    b7453dab2ef6c8ad0f1de075b3b716f5

    SHA1

    1eebf0f34561188f40c2ba6de61ae5cdfdbdc0e4

    SHA256

    e4ed4bb55ec8dca4e63c6f2b9f6fe2bb5fe72e74927f461f42c2167e0e88f8e0

    SHA512

    73a34482db44bb809540cb74ffa9055aab9233f10f612c0b96c69d5420bac547b099c9346875d25abaf2138ab55fdb748b301605bc7f32f3c06193f2d4d61613

  • C:\Users\Admin\AppData\Local\Temp\tmp2FAC.tmp

    MD5

    2237150f6585a5a008578ef40bb32466

    SHA1

    8f5e244b66d1a86a8592d014a817a467db467e49

    SHA256

    a697b23a9e986b47f4f19598de804dfc3e70c411dde186b9510152eb8655a649

    SHA512

    a72830c3d8d7e79567fd0a817f420593fe441104dd7406c5da9c7367363414e875df255ef6eb1142042f83fb15182eaa5fd1ca6d9070f2645c5e7af5c09e578f

  • C:\Users\Admin\AppData\Local\Temp\tmp300B.tmp

    MD5

    af9986f5e128fd8bd3ae748fcba6576d

    SHA1

    8060072c35108b48649a03be91803b97f1ad40a4

    SHA256

    f3242f6480b3d1a8f9285135fdce9a201c4802ce062eee4fb41c488a21d53303

    SHA512

    f35c8e1699905bc972ae48a5a4a9fd33ea04b2d851ffc1cb1d1573a2087121d803b4186a696b2edad10a9c46c388a478e105f5a730020b598aa9f483086dba38

  • memory/624-114-0x0000000002700000-0x0000000002701000-memory.dmp

    Filesize

    4KB

  • memory/916-115-0x0000000000000000-mapping.dmp

  • memory/980-122-0x0000000000000000-mapping.dmp

  • memory/1160-120-0x0000000000000000-mapping.dmp

  • memory/4028-117-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

  • memory/4028-118-0x000000000041E792-mapping.dmp

  • memory/4028-119-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

    Filesize

    4KB