Overview

overview

10

Static

static

Purchase order.exe

windows7_x64

10

Purchase order.exe

windows10_x64

10

Resubmissions

25-06-2021 19:47

210625-hz8ns8emja 10

17-01-2021 17:11

210117-w9egfeq5ps 10

15-01-2021 13:57

210115-lga56rptas 10

Analysis

  • max time kernel
    1798s
  • max time network
    1812s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    25-06-2021 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase order.exe

  • Size

    991KB

  • MD5

    dce3742ba75b044a3d033b09bd8f79aa

  • SHA1

    44dad4aa8fed90d3a64a320f93fab661581eb814

  • SHA256

    e926ec4a14519e184b571d1501e946a7c266e4283af066602c2a1b7c22dcfe19

  • SHA512

    fc655c65fad4c9d78e9d66ffffe0f7082f671b356df385092355a1b31c62deaa2b8ca510c215a84606695535e48b2cc33ba7d9ad9365bacf9f32299234771962

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kvngnelson007.hopto.org:58931

194.5.98.12:58931
Mutex

50c8cd66-325e-4bad-929c-caf6d8f1f35b

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    194.5.98.12

  • backup_dns_server

  • buffer_size

    65538

  • build_time

    2020-10-19T16:47:10.982906636Z

  • bypass_user_account_control

    false

  • bypass_user_account_control_data

    PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+

  • clear_access_control

    false

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    58931

  • default_group

    070

  • enable_debug_mode

    true

  • gc_threshold

    1.0485772e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.0485772e+07

  • mutex

    50c8cd66-325e-4bad-929c-caf6d8f1f35b

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    kvngnelson007.hopto.org

  • primary_dns_server

  • request_elevation

    false

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    false

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8009

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 61 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FNcoguahShvrL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEBD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2160
    • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE312.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2660
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE381.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2940
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1112
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.0.825272848\483654197" -parentBuildID 20200403170909 -prefsHandle 1552 -prefMapHandle 1528 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 1636 gpu
        3⤵
          PID:2268
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.3.449194873\1630097743" -childID 1 -isForBrowser -prefsHandle 2228 -prefMapHandle 2224 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 2240 tab
          3⤵
            PID:3512
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.13.1180122065\656539840" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3472 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 3484 tab
            3⤵
              PID:3744
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.20.1546506549\931465705" -childID 3 -isForBrowser -prefsHandle 4704 -prefMapHandle 4724 -prefsLen 7784 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 4204 tab
              3⤵
                PID:4404
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.27.1795466185\1281786426" -parentBuildID 20200403170909 -prefsHandle 4224 -prefMapHandle 6752 -prefsLen 8453 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 6740 rdd
                3⤵
                  PID:4760
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.31.384976733\1786070498" -childID 4 -isForBrowser -prefsHandle 8716 -prefMapHandle 8708 -prefsLen 10874 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 4328 tab
                  3⤵
                    PID:4164
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3880.38.1594110719\685558138" -childID 5 -isForBrowser -prefsHandle 8504 -prefMapHandle 8508 -prefsLen 10874 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3880 "\\.\pipe\gecko-crash-server-pipe.3880" 8532 tab
                    3⤵
                      PID:4556
                • C:\Windows\system32\AUDIODG.EXE
                  C:\Windows\system32\AUDIODG.EXE 0x428
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4848

                Network

                MITRE ATT&CK Matrix ATT&CK v6

                Initial Access

                Execution

                Scheduled Task

                1
                T1053

                Persistence

                Registry Run Keys / Startup Folder

                1
                T1060

                Scheduled Task

                1
                T1053

                Privilege Escalation

                Scheduled Task

                1
                T1053

                Defense Evasion

                Modify Registry

                1
                T1112

                Credential Access

                Discovery

                System Information Discovery

                4
                T1082

                Query Registry

                2
                T1012

                Peripheral Device Discovery

                1
                T1120

                Lateral Movement

                Collection

                Exfiltration

                Command and Control

                Impact

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files (x86)\ISS Manager\issmgr.exe
                  MD5

                  dce3742ba75b044a3d033b09bd8f79aa

                  SHA1

                  44dad4aa8fed90d3a64a320f93fab661581eb814

                  SHA256

                  e926ec4a14519e184b571d1501e946a7c266e4283af066602c2a1b7c22dcfe19

                  SHA512

                  fc655c65fad4c9d78e9d66ffffe0f7082f671b356df385092355a1b31c62deaa2b8ca510c215a84606695535e48b2cc33ba7d9ad9365bacf9f32299234771962

                  Download Submit
                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase order.exe.log
                  MD5

                  0c2899d7c6746f42d5bbe088c777f94c

                  SHA1

                  622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

                  SHA256

                  5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

                  SHA512

                  ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\tmpDEBD.tmp
                  MD5

                  271a5db295515616b681ccd7aeb3d429

                  SHA1

                  f110a8cdf8de4de0fc041f4c67f1e91417e663c1

                  SHA256

                  4b7a8efbcc69daeb2b961a78fc31a77c7ef6bc7011f6d5c7f07b480e6fa79b5a

                  SHA512

                  8e9c324c9b8b8cb3fc3f2620d847e8cf75ab52be34f7a99a490d70f5972fb3122ff369f24c9e42e77658a6d755cc0ec52697920a95e3a69f0384b908c4aff6f5

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\tmpE312.tmp
                  MD5

                  f177f21e35c921dc1d144924c4aef639

                  SHA1

                  fdf2ecd0f2e84e98c60c0d76681abbdff3a65ae3

                  SHA256

                  5eff744c6d467554392eb432cbb7bd27f3cdf51e397625d5dfa1d2904304dc30

                  SHA512

                  1a956769784fe68c14331329866cf4a8819e5b47bbed249905720449294d71168d27d0b5f88483674ae0ce44ca21fc16ac563950a8da726b72d296fc3d692e94

                  Download Submit
                • C:\Users\Admin\AppData\Local\Temp\tmpE381.tmp
                  MD5

                  ea7095fa975a5ac043c9de2899ce61d0

                  SHA1

                  ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3

                  SHA256

                  5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f

                  SHA512

                  b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

                  Download Submit
                • memory/1852-118-0x00000000017A0000-0x00000000017A1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1852-121-0x0000000006150000-0x00000000061A3000-memory.dmp
                  Filesize

                  332KB

                  Download
                • memory/1852-122-0x0000000006250000-0x0000000006251000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1852-120-0x0000000003090000-0x0000000003122000-memory.dmp
                  Filesize

                  584KB

                  Download
                • memory/1852-114-0x0000000000B80000-0x0000000000B81000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1852-119-0x00000000017B0000-0x00000000017BE000-memory.dmp
                  Filesize

                  56KB

                  Download
                • memory/1852-117-0x00000000055B0000-0x00000000055B1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/1852-116-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/2160-123-0x0000000000000000-mapping.dmp
                  Download
                • memory/2268-146-0x0000000000000000-mapping.dmp
                  Download
                • memory/2608-126-0x000000000041E792-mapping.dmp
                  Download
                • memory/2608-140-0x0000000005780000-0x0000000005785000-memory.dmp
                  Filesize

                  20KB

                  Download
                • memory/2608-139-0x00000000054A0000-0x000000000599E000-memory.dmp
                  Filesize

                  5.0MB

                  Download
                • memory/2608-141-0x00000000063D0000-0x00000000063D6000-memory.dmp
                  Filesize

                  24KB

                  Download
                • memory/2608-142-0x00000000063E0000-0x00000000063F9000-memory.dmp
                  Filesize

                  100KB

                  Download
                • memory/2608-143-0x0000000006510000-0x0000000006513000-memory.dmp
                  Filesize

                  12KB

                  Download
                • memory/2608-125-0x0000000000400000-0x000000000043A000-memory.dmp
                  Filesize

                  232KB

                  Download
                • memory/2660-134-0x0000000000000000-mapping.dmp
                  Download
                • memory/2940-136-0x0000000000000000-mapping.dmp
                  Download
                • memory/3512-151-0x0000000000000000-mapping.dmp
                  Download
                • memory/3744-154-0x0000000000000000-mapping.dmp
                  Download
                • memory/3880-144-0x0000000000000000-mapping.dmp
                  Download
                • memory/4164-165-0x0000000000000000-mapping.dmp
                  Download
                • memory/4404-156-0x0000000000000000-mapping.dmp
                  Download
                • memory/4556-167-0x0000000000000000-mapping.dmp
                  Download
                • memory/4760-158-0x0000000000000000-mapping.dmp
                  Download
                • memory/4760-159-0x00007FF9E1350000-0x00007FF9E1351000-memory.dmp
                  Filesize

                  4KB

                  Download
                • memory/4760-160-0x00007FF9DEF80000-0x00007FF9DEF81000-memory.dmp
                  Filesize

                  4KB

                  Download