nanocore | 9d41101cd1d384aa0fb3b2bf1ae720af44623bb3bcf6ccd9697a88489801eb1b

General

Target

HSBC Payment Transfer CopyPDF.exe
Size

323KB
MD5

adc177e2f5d7228446d98dcb388da1c9
SHA1

3e7228d6d8e664c18e7f7e4ffe4b0845ff97cc1b
SHA256

9d41101cd1d384aa0fb3b2bf1ae720af44623bb3bcf6ccd9697a88489801eb1b
SHA512

a47fd211e63db2a4a0b788782fad728745ffa02a187f1bae3694ff08a86ef2c824a972bc61c7698d7484bf2754a31c757608fad0831f84f6dd110c2d70b52c3b

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

gentle.duckdns.org:8709

Mutex

8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002

Attributes

activate_away_mode
true
backup_connection_host
gentle.duckdns.org
backup_dns_server
gentle.duckdns.org
buffer_size
65535
build_time
2021-01-24T18:45:28.005456836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8709
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
gentle.duckdns.org
primary_dns_server
gentle.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Loads dropped DLL 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid process

1096 HSBC Payment Transfer CopyPDF.exe

pid	process
1096	HSBC Payment Transfer CopyPDF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HSBC Payment Transfer CopyPDF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"	HSBC Payment Transfer CopyPDF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

HSBC Payment Transfer CopyPDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HSBC Payment Transfer CopyPDF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

description pid process target process

PID 1096 set thread context of 1944 1096 HSBC Payment Transfer CopyPDF.exe HSBC Payment Transfer CopyPDF.exe

description	pid	process	target process
PID 1096 set thread context of 1944	1096	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe

Drops file in Program Files directory 2 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisv.exe	HSBC Payment Transfer CopyPDF.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisv.exe	HSBC Payment Transfer CopyPDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

464 schtasks.exe
1716 schtasks.exe

pid	process
464	schtasks.exe
1716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid	process
1944	HSBC Payment Transfer CopyPDF.exe
1944	HSBC Payment Transfer CopyPDF.exe
1944	HSBC Payment Transfer CopyPDF.exe
1944	HSBC Payment Transfer CopyPDF.exe
1944	HSBC Payment Transfer CopyPDF.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid process

1944 HSBC Payment Transfer CopyPDF.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid process

1096 HSBC Payment Transfer CopyPDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

description pid process

Token: SeDebugPrivilege 1944 HSBC Payment Transfer CopyPDF.exe

pid	process
1096	HSBC Payment Transfer CopyPDF.exe

description	pid	process
Token: SeDebugPrivilege	1944	HSBC Payment Transfer CopyPDF.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exeHSBC Payment Transfer CopyPDF.exe

description	pid	process	target process
PID 1096 wrote to memory of 1944	1096	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 1096 wrote to memory of 1944	1096	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 1096 wrote to memory of 1944	1096	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 1096 wrote to memory of 1944	1096	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 1096 wrote to memory of 1944	1096	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 1944 wrote to memory of 464	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1944 wrote to memory of 464	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1944 wrote to memory of 464	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1944 wrote to memory of 464	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1944 wrote to memory of 1716	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1944 wrote to memory of 1716	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1944 wrote to memory of 1716	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1944 wrote to memory of 1716	1944	HSBC Payment Transfer CopyPDF.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp85D3.tmp"
3⤵
- Creates scheduled task(s)
PID:464

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp87A8.tmp"
3⤵
- Creates scheduled task(s)
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp85D3.tmp
MD5
9d2ca538050190b22592ee40baf669c2

SHA1
fae87df756aa0f4bf13ce83cebbff5cf5b41caa0

SHA256
b36d16d4811b204d76e5657729a4ee94e381ecba0cbf1f75aa5590747373342a

SHA512
7b3b6852688252a5ff38acda6cd47c0f83ec04597d28c8579b195d5155eece82682cbe4441490b0f1e431afc15bed9dd0146495c043fe9cc483f8cfbd24f23d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp87A8.tmp
MD5
a9af285136db016a568e4a53208f21d0

SHA1
e1afef2b7ee8ae945353315daa19a15574b435b7

SHA256
7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c

SHA512
80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

Download Submit
\Users\Admin\AppData\Local\Temp\nsn75ED.tmp\x8jhsg4r.dll
MD5
b5a88f4bcf2d4465d9408931b028778c

SHA1
5b1c7d0a8d63f7b95026b49d41989f337008c0f0

SHA256
b51382d07aee1b35e0ed65d4dac771e35e51b7095303552f654312494f756cc3

SHA512
07a1b3cc1fcb990f8fc8d0af0387fb66ff167d6e66f75c02ce0289cc87b8e163e633c9f21bb714bdf192b3e072afc201ad7e4652696e87e3da3150465f56df01

Download Submit
memory/464-73-0x0000000000000000-mapping.dmp

Download
memory/1096-62-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1096-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1716-75-0x0000000000000000-mapping.dmp

Download
memory/1944-77-0x0000000000710000-0x0000000000715000-memory.dmp

Filesize
20KB

Download
memory/1944-81-0x0000000005140000-0x0000000005155000-memory.dmp

Filesize
84KB

Download
memory/1944-71-0x00000000045D3000-0x00000000045D4000-memory.dmp

Filesize
4KB

Download
memory/1944-70-0x00000000045D2000-0x00000000045D3000-memory.dmp

Filesize
4KB

Download
memory/1944-68-0x0000000004460000-0x0000000004493000-memory.dmp

Filesize
204KB

Download
memory/1944-66-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1944-67-0x00000000045D1000-0x00000000045D2000-memory.dmp

Filesize
4KB

Download
memory/1944-64-0x000000000040188B-mapping.dmp

Download
memory/1944-78-0x0000000004560000-0x0000000004579000-memory.dmp

Filesize
100KB

Download
memory/1944-79-0x0000000004580000-0x0000000004583000-memory.dmp

Filesize
12KB

Download
memory/1944-80-0x0000000005130000-0x000000000513D000-memory.dmp

Filesize
52KB

Download
memory/1944-72-0x00000000045D4000-0x00000000045D5000-memory.dmp

Filesize
4KB

Download
memory/1944-82-0x00000000056B0000-0x00000000056B6000-memory.dmp

Filesize
24KB

Download
memory/1944-83-0x00000000056D0000-0x00000000056DC000-memory.dmp

Filesize
48KB

Download
memory/1944-84-0x00000000056E0000-0x00000000056E7000-memory.dmp

Filesize
28KB

Download
memory/1944-85-0x00000000056F0000-0x00000000056F6000-memory.dmp

Filesize
24KB

Download
memory/1944-86-0x0000000005700000-0x000000000570D000-memory.dmp

Filesize
52KB

Download
memory/1944-87-0x0000000005710000-0x0000000005719000-memory.dmp

Filesize
36KB

Download
memory/1944-88-0x0000000005720000-0x000000000572F000-memory.dmp

Filesize
60KB

Download
memory/1944-89-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/1944-90-0x0000000005750000-0x0000000005779000-memory.dmp

Filesize
164KB

Download
memory/1944-91-0x0000000005780000-0x000000000578F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads