nanocore | 00b6b610ff7d07af06a0888ac2095085de70aae5238bb1e876128ed0ede3fb3e

General

Target

RFQEMFA.Elektrik.pdf.exe
Size

951KB
MD5

212b4438b24a7861e987a74aeb6b937e
SHA1

df3c8093317d50ed2463fa96ca681a037123ddcf
SHA256

00b6b610ff7d07af06a0888ac2095085de70aae5238bb1e876128ed0ede3fb3e
SHA512

164beaf6d8d9693a3ab9971fe925cd680c844886acd1caf0ccd9c6f05e15f0c72c4fee867076f15e87a5788363302919751c6d712ee35ce0dc7198c1535e8335

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

79.134.225.17:2050

127.0.0.1:2050

Mutex

faa60493-d519-4c8d-8ff8-8e7cd20e9967

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-02-19T18:34:39.325937936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2050
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
faa60493-d519-4c8d-8ff8-8e7cd20e9967
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
79.134.225.17
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQEMFA.Elektrik.pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe"	RFQEMFA.Elektrik.pdf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RFQEMFA.Elektrik.pdf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RFQEMFA.Elektrik.pdf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQEMFA.Elektrik.pdf.exe

description pid process target process

PID 804 set thread context of 1312 804 RFQEMFA.Elektrik.pdf.exe RFQEMFA.Elektrik.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RFQEMFA.Elektrik.pdf.exe

description	pid	process	target process
PID 804 set thread context of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe

Drops file in Program Files directory 2 IoCs

Processes:

RFQEMFA.Elektrik.pdf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	RFQEMFA.Elektrik.pdf.exe
File created	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	RFQEMFA.Elektrik.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2256 schtasks.exe

pid	process
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RFQEMFA.Elektrik.pdf.exe

pid	process
1312	RFQEMFA.Elektrik.pdf.exe
1312	RFQEMFA.Elektrik.pdf.exe
1312	RFQEMFA.Elektrik.pdf.exe
1312	RFQEMFA.Elektrik.pdf.exe
1312	RFQEMFA.Elektrik.pdf.exe
1312	RFQEMFA.Elektrik.pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RFQEMFA.Elektrik.pdf.exe

pid process

1312 RFQEMFA.Elektrik.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQEMFA.Elektrik.pdf.exe

description pid process

Token: SeDebugPrivilege 1312 RFQEMFA.Elektrik.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1312	RFQEMFA.Elektrik.pdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

RFQEMFA.Elektrik.pdf.exe

description	pid	process	target process
PID 804 wrote to memory of 2256	804	RFQEMFA.Elektrik.pdf.exe	schtasks.exe
PID 804 wrote to memory of 2256	804	RFQEMFA.Elektrik.pdf.exe	schtasks.exe
PID 804 wrote to memory of 2256	804	RFQEMFA.Elektrik.pdf.exe	schtasks.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe
PID 804 wrote to memory of 1312	804	RFQEMFA.Elektrik.pdf.exe	RFQEMFA.Elektrik.pdf.exe

C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmdaRvNPnl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp492A.tmp"
2⤵
- Creates scheduled task(s)
PID:2256

C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQEMFA.Elektrik.pdf.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQEMFA.Elektrik.pdf.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp492A.tmp
MD5
b25b804bcb11b573796086ac9ae552c8

SHA1
eec2e77c14a4779389b99b38424e2da85de1f38c

SHA256
20471a1a1d588733fc59e98e8c3c8701e9e084efc22d83873d45b168031f05e6

SHA512
7b915862df5504dfdd619875bbb4f9a46f603a37d5e13e4f7416b98bb5c498105a29f01e6b523b91c8412600649685d3cae0c2e4ce6d99f5bdbe84f3703ba2a7

Download Submit
memory/804-116-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/804-117-0x0000000005DB0000-0x0000000005DB1000-memory.dmp

Filesize
4KB

Download
memory/804-118-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/804-119-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/804-120-0x00000000058B0000-0x0000000005DAE000-memory.dmp

Filesize
5.0MB

Download
memory/804-121-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/804-122-0x00000000057E0000-0x00000000057E4000-memory.dmp

Filesize
16KB

Download
memory/804-123-0x00000000066B0000-0x000000000677B000-memory.dmp

Filesize
812KB

Download
memory/804-124-0x0000000005CF0000-0x0000000005D7A000-memory.dmp

Filesize
552KB

Download
memory/804-114-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1312-137-0x00000000051D0000-0x00000000051D5000-memory.dmp

Filesize
20KB

Download
memory/1312-142-0x00000000064E0000-0x00000000064E6000-memory.dmp

Filesize
24KB

Download
memory/1312-127-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1312-136-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/1312-152-0x00000000067A0000-0x00000000067A1000-memory.dmp

Filesize
4KB

Download
memory/1312-138-0x00000000056D0000-0x00000000056E9000-memory.dmp

Filesize
100KB

Download
memory/1312-139-0x0000000005E80000-0x0000000005E83000-memory.dmp

Filesize
12KB

Download
memory/1312-140-0x0000000005E90000-0x0000000005E9D000-memory.dmp

Filesize
52KB

Download
memory/1312-141-0x00000000064B0000-0x00000000064C5000-memory.dmp

Filesize
84KB

Download
memory/1312-128-0x000000000041E792-mapping.dmp

Download
memory/1312-143-0x0000000006500000-0x000000000650C000-memory.dmp

Filesize
48KB

Download
memory/1312-144-0x0000000006510000-0x0000000006517000-memory.dmp

Filesize
28KB

Download
memory/1312-145-0x0000000006520000-0x0000000006526000-memory.dmp

Filesize
24KB

Download
memory/1312-146-0x0000000006530000-0x000000000653D000-memory.dmp

Filesize
52KB

Download
memory/1312-147-0x0000000006540000-0x0000000006549000-memory.dmp

Filesize
36KB

Download
memory/1312-148-0x0000000006550000-0x000000000655F000-memory.dmp

Filesize
60KB

Download
memory/1312-149-0x0000000006570000-0x000000000657A000-memory.dmp

Filesize
40KB

Download
memory/1312-150-0x0000000006580000-0x00000000065A9000-memory.dmp

Filesize
164KB

Download
memory/1312-151-0x00000000065C0000-0x00000000065CF000-memory.dmp

Filesize
60KB

Download
memory/2256-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads