nanocore | 05e7ca50d56d74090b76bde141a5decb07f2fe2d8f564bed1ba814ab4cb4ddf4

General

Target

Proof of Payment.exe
Size

1.0MB
MD5

5ab8ebf954dd5d4a6245fb017314d154
SHA1

b1ae64f01b425f03cd3b8d14783fcf8ad3e8e927
SHA256

05e7ca50d56d74090b76bde141a5decb07f2fe2d8f564bed1ba814ab4cb4ddf4
SHA512

0f93b6f24eaf94c3ce97bf6e8dd5c2ec326f85a1b7e2101029d674963baa33a0fa34ad359b01b33a30ef4e1a0eca5373b3b8fe82c50ac786087239f01cc4443f

Score

10^/10

nanocore netwire botnet keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

netwire

C2

194.5.98.230:3364

194.5.98.230:3368

Attributes

activex_autorun
false
activex_key
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
offline_keylogger
true
password
high1234
registry_autorun
false
startup_name
use_mutex
false

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2028-122-0x0000000000F9242D-mapping.dmp	netwire
behavioral2/memory/2028-121-0x0000000000F90000-0x000000000153B000-memory.dmp	netwire
behavioral2/memory/2028-125-0x0000000000F90000-0x000000000153B000-memory.dmp	netwire
behavioral2/memory/2028-126-0x0000000000F90000-0x000000000153B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 2 IoCs

Processes:

vgivbtuvbl.pifRegSvcs.exe

pid process

1844 vgivbtuvbl.pif
2028 RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vgivbtuvbl.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vgivbtuvbl.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\04893448\\VGIVBT~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\04893448\\SOIMPG~1.AIX"	vgivbtuvbl.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

vgivbtuvbl.pif

description pid process target process

PID 1844 set thread context of 2028 1844 vgivbtuvbl.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1844 set thread context of 2028	1844	vgivbtuvbl.pif	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vgivbtuvbl.pif

pid	process
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif
1844	vgivbtuvbl.pif

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Proof of Payment.exevgivbtuvbl.pif

description	pid	process	target process
PID 392 wrote to memory of 1844	392	Proof of Payment.exe	vgivbtuvbl.pif
PID 392 wrote to memory of 1844	392	Proof of Payment.exe	vgivbtuvbl.pif
PID 392 wrote to memory of 1844	392	Proof of Payment.exe	vgivbtuvbl.pif
PID 1844 wrote to memory of 2028	1844	vgivbtuvbl.pif	RegSvcs.exe
PID 1844 wrote to memory of 2028	1844	vgivbtuvbl.pif	RegSvcs.exe
PID 1844 wrote to memory of 2028	1844	vgivbtuvbl.pif	RegSvcs.exe
PID 1844 wrote to memory of 2028	1844	vgivbtuvbl.pif	RegSvcs.exe
PID 1844 wrote to memory of 2028	1844	vgivbtuvbl.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe
"C:\Users\Admin\AppData\Local\Temp\Proof of Payment.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\04893448\vgivbtuvbl.pif
  "C:\Users\Admin\AppData\Local\Temp\04893448\vgivbtuvbl.pif" soimpgdmae.aix
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04893448\nguxexatli.klt

MD5
6ec23993fc45715a821255281a0db068

SHA1
5e694a1b9431d7814a2c35190265b1cef4375a94

SHA256
b1ed3106da44e9ebc6b3ea2c91ecdb9ae92df509691b77a952ce6b8ea4bf39b4

SHA512
3edfc9c3b1c6c51430aea0355631373d86b31fb3d45de38e944c06acde7fc76c746164eed683190d67b6d5682dc80e07d9d680b35908468b0ccb45d7943e666f

Download Submit
C:\Users\Admin\AppData\Local\Temp\04893448\rjiwsjkgwf.ico

MD5
9674a72f4fb301256dca9e5fe8908e10

SHA1
16decca49318793e0aa5ecd56d62ea76c4b89512

SHA256
5e2fde2ff5faac3907721e3475d0a91eec545f3c543a01ec11df213062a7151d

SHA512
58e770d32a8efdc07a097def6084a821df5604b6f3360550a53adc374017ec5d289cc09edce0b763153992be8628add79b83b57043a8a743a4ed181f06f0c525

Download Submit
C:\Users\Admin\AppData\Local\Temp\04893448\soimpgdmae.aix

MD5
ccea948c90de6297226465bcefc8b261

SHA1
0588a4f3816668fabce36ef88b18b50eaced47ab

SHA256
cd018b929b7f70ab479deb2968231e14c4d1e202da5307937a9fabf9d4c3ae6e

SHA512
46e42d8c1f96aead7ff4645ddbd74c4febde164cc1d43bc36d976974bb2563f74a1e1d7d7298e31c322bb0d06e0d5a6bbcd21d30daf87f1bbd8e79cfc823ff48

Download Submit
C:\Users\Admin\AppData\Local\Temp\04893448\vgivbtuvbl.pif

MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\04893448\vgivbtuvbl.pif

MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1844-115-0x0000000000000000-mapping.dmp

Download
memory/2028-122-0x0000000000F9242D-mapping.dmp

Download
memory/2028-121-0x0000000000F90000-0x000000000153B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-125-0x0000000000F90000-0x000000000153B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-126-0x0000000000F90000-0x000000000153B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads