nanocore | 9d41101cd1d384aa0fb3b2bf1ae720af44623bb3bcf6ccd9697a88489801eb1b

General

Target

HSBC Payment Transfer CopyPDF.exe
Size

323KB
MD5

adc177e2f5d7228446d98dcb388da1c9
SHA1

3e7228d6d8e664c18e7f7e4ffe4b0845ff97cc1b
SHA256

9d41101cd1d384aa0fb3b2bf1ae720af44623bb3bcf6ccd9697a88489801eb1b
SHA512

a47fd211e63db2a4a0b788782fad728745ffa02a187f1bae3694ff08a86ef2c824a972bc61c7698d7484bf2754a31c757608fad0831f84f6dd110c2d70b52c3b

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

gentle.duckdns.org:8709

Mutex

8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002

Attributes

activate_away_mode
true
backup_connection_host
gentle.duckdns.org
backup_dns_server
gentle.duckdns.org
buffer_size
65535
build_time
2021-01-24T18:45:28.005456836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8709
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8ad4cc0f-3c30-4e60-a5e5-4ad7e6204002
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
gentle.duckdns.org
primary_dns_server
gentle.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Loads dropped DLL 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid process

3176 HSBC Payment Transfer CopyPDF.exe

pid	process
3176	HSBC Payment Transfer CopyPDF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HSBC Payment Transfer CopyPDF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"	HSBC Payment Transfer CopyPDF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

HSBC Payment Transfer CopyPDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HSBC Payment Transfer CopyPDF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

description pid process target process

PID 3176 set thread context of 1140 3176 HSBC Payment Transfer CopyPDF.exe HSBC Payment Transfer CopyPDF.exe

description	pid	process	target process
PID 3176 set thread context of 1140	3176	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe

Drops file in Program Files directory 2 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Manager\issmgr.exe	HSBC Payment Transfer CopyPDF.exe
File opened for modification	C:\Program Files (x86)\ISS Manager\issmgr.exe	HSBC Payment Transfer CopyPDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2372 schtasks.exe
2812 schtasks.exe

pid	process
2372	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid	process
1140	HSBC Payment Transfer CopyPDF.exe
1140	HSBC Payment Transfer CopyPDF.exe
1140	HSBC Payment Transfer CopyPDF.exe
1140	HSBC Payment Transfer CopyPDF.exe
1140	HSBC Payment Transfer CopyPDF.exe
1140	HSBC Payment Transfer CopyPDF.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid process

1140 HSBC Payment Transfer CopyPDF.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

pid process

3176 HSBC Payment Transfer CopyPDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exe

description pid process

Token: SeDebugPrivilege 1140 HSBC Payment Transfer CopyPDF.exe

pid	process
3176	HSBC Payment Transfer CopyPDF.exe

description	pid	process
Token: SeDebugPrivilege	1140	HSBC Payment Transfer CopyPDF.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

HSBC Payment Transfer CopyPDF.exeHSBC Payment Transfer CopyPDF.exe

description	pid	process	target process
PID 3176 wrote to memory of 1140	3176	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 3176 wrote to memory of 1140	3176	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 3176 wrote to memory of 1140	3176	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 3176 wrote to memory of 1140	3176	HSBC Payment Transfer CopyPDF.exe	HSBC Payment Transfer CopyPDF.exe
PID 1140 wrote to memory of 2372	1140	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1140 wrote to memory of 2372	1140	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1140 wrote to memory of 2372	1140	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1140 wrote to memory of 2812	1140	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1140 wrote to memory of 2812	1140	HSBC Payment Transfer CopyPDF.exe	schtasks.exe
PID 1140 wrote to memory of 2812	1140	HSBC Payment Transfer CopyPDF.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC Payment Transfer CopyPDF.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp14C6.tmp"
3⤵
- Creates scheduled task(s)
PID:2372

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1573.tmp"
3⤵
- Creates scheduled task(s)
PID:2812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp14C6.tmp
MD5
9d2ca538050190b22592ee40baf669c2

SHA1
fae87df756aa0f4bf13ce83cebbff5cf5b41caa0

SHA256
b36d16d4811b204d76e5657729a4ee94e381ecba0cbf1f75aa5590747373342a

SHA512
7b3b6852688252a5ff38acda6cd47c0f83ec04597d28c8579b195d5155eece82682cbe4441490b0f1e431afc15bed9dd0146495c043fe9cc483f8cfbd24f23d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1573.tmp
MD5
ea7095fa975a5ac043c9de2899ce61d0

SHA1
ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3

SHA256
5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f

SHA512
b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

Download Submit
\Users\Admin\AppData\Local\Temp\nssDA4.tmp\x8jhsg4r.dll
MD5
b5a88f4bcf2d4465d9408931b028778c

SHA1
5b1c7d0a8d63f7b95026b49d41989f337008c0f0

SHA256
b51382d07aee1b35e0ed65d4dac771e35e51b7095303552f654312494f756cc3

SHA512
07a1b3cc1fcb990f8fc8d0af0387fb66ff167d6e66f75c02ce0289cc87b8e163e633c9f21bb714bdf192b3e072afc201ad7e4652696e87e3da3150465f56df01

Download Submit
memory/1140-123-0x0000000004983000-0x0000000004984000-memory.dmp

Filesize
4KB

Download
memory/1140-148-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/1140-132-0x0000000005660000-0x0000000005665000-memory.dmp

Filesize
20KB

Download
memory/1140-133-0x00000000056F0000-0x0000000005709000-memory.dmp

Filesize
100KB

Download
memory/1140-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1140-118-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1140-124-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/1140-126-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1140-125-0x0000000004982000-0x0000000004983000-memory.dmp

Filesize
4KB

Download
memory/1140-127-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1140-147-0x00000000060A0000-0x00000000060AF000-memory.dmp

Filesize
60KB

Download
memory/1140-116-0x00000000047D0000-0x0000000004803000-memory.dmp

Filesize
204KB

Download
memory/1140-146-0x0000000006070000-0x0000000006099000-memory.dmp

Filesize
164KB

Download
memory/1140-115-0x000000000040188B-mapping.dmp

Download
memory/1140-145-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download
memory/1140-134-0x0000000004984000-0x0000000004985000-memory.dmp

Filesize
4KB

Download
memory/1140-119-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1140-135-0x0000000005820000-0x0000000005823000-memory.dmp

Filesize
12KB

Download
memory/1140-136-0x0000000005830000-0x000000000583D000-memory.dmp

Filesize
52KB

Download
memory/1140-137-0x0000000005840000-0x0000000005855000-memory.dmp

Filesize
84KB

Download
memory/1140-138-0x0000000005FD0000-0x0000000005FD6000-memory.dmp

Filesize
24KB

Download
memory/1140-139-0x0000000005FE0000-0x0000000005FEC000-memory.dmp

Filesize
48KB

Download
memory/1140-140-0x0000000005FF0000-0x0000000005FF7000-memory.dmp

Filesize
28KB

Download
memory/1140-141-0x0000000006000000-0x0000000006006000-memory.dmp

Filesize
24KB

Download
memory/1140-142-0x0000000006010000-0x000000000601D000-memory.dmp

Filesize
52KB

Download
memory/1140-143-0x0000000006020000-0x0000000006029000-memory.dmp

Filesize
36KB

Download
memory/1140-144-0x0000000006030000-0x000000000603F000-memory.dmp

Filesize
60KB

Download
memory/2372-128-0x0000000000000000-mapping.dmp

Download
memory/2812-130-0x0000000000000000-mapping.dmp

Download
memory/3176-120-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/3176-121-0x0000000003181000-0x0000000003183000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads