Overview

overview

10

Static

static

H1GC5Z4C39...PT.exe

windows7_x64

10

H1GC5Z4C39...PT.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    23-10-2021 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    H1GC5Z4C39PAYMENTRECEIPT.exe

  • Size

    1.7MB

  • MD5

    33c1ebab9ea309a6c217404373190bea

  • SHA1

    8349bdbc19687cf3baf7167562fc7e5febc0b088

  • SHA256

    8948abf5e6d357805d72b6d05015e70c705e2a7bbd58704d63fcdb1a9b2116dd

  • SHA512

    44817a63c1b2a4943683c19b2a9e22641a2a364a1ed1436e0d3561450b9c549b78964d61c813fc85635dfc599f7f27f42704bb548d0ddb288ec4c952d543bbc3

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kenimaf.duckdns.org:8090

Mutex

543e7469-d950-4ec2-a110-de54f8d16167

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    kenimaf.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-08-01T06:39:50.225932136Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    8090

  • default_group

    kenn

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    543e7469-d950-4ec2-a110-de54f8d16167

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    kenimaf.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\H1GC5Z4C39PAYMENTRECEIPT.exe
    "C:\Users\Admin\AppData\Local\Temp\H1GC5Z4C39PAYMENTRECEIPT.exe"
    1⤵
    • Windows security modification
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\㟋㟙㟉㞻㟊㞞㟈㞳㟊㞞㞖㟇㞙㟟㞰\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\H1GC5Z4C39PAYMENTRECEIPT.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\㟋㟙㟉㞻㟊㞞㟈㞳㟊㞞㞖㟇㞙㟟㞰\svchost.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Users\Admin\AppData\Local\Temp\H1GC5Z4C39PAYMENTRECEIPT.exe
      "C:\Users\Admin\AppData\Local\Temp\H1GC5Z4C39PAYMENTRECEIPT.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 2052
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2
T1089

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    7247129cd0644457905b7d6bf17fd078

    SHA1

    dbf9139b5a1b72141f170d2eae911bbbe7e128c8

    SHA256

    dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

    SHA512

    9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    0b5d94d20be9eecbaed3dddd04143f07

    SHA1

    c677d0355f4cc7301075a554adc889bce502e15a

    SHA256

    3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

    SHA512

    395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    409bb16ba408ec88366988e5a4b9d131

    SHA1

    dfe350614dc3fb9ad4460f27d06c5134ceeaa233

    SHA256

    47dfa519aee089106fd9651614704978b30fe98cf3328236ace807905483cf3d

    SHA512

    22dd0d6857f25483ae59748e1ef1162b0be486729014a99df2372e88276fbd648d8c035dad2522f20b2f562520b4759212e38654a23aa392c3c02628a784dcb4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    0301ddbb769909de6a417471da1b0f20

    SHA1

    e5ed5edf666065cd5728107a174697a9114619b7

    SHA256

    b4ee6765bd01cf7f99e3bfea70d3b0cb625710f8ac95efd2462bf8b0da4a6ef0

    SHA512

    b08b053b58056cb153074c3ea37d9e854284922e7f833dedf1cb28b54c7968b5c3741fca8608ac41618d73b1bd05d1b34b550f4ba2ff0b1d93ceb7969f413281

    Download Submit
  • memory/1176-135-0x0000000006FD0000-0x0000000006FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-227-0x000000007F980000-0x000000007F981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-166-0x0000000007E70000-0x0000000007E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-181-0x00000000049D0000-0x00000000049D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-156-0x0000000006FD2000-0x0000000006FD3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-125-0x0000000000000000-mapping.dmp
    Download
  • memory/1176-130-0x00000000049D0000-0x00000000049D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-128-0x00000000049D0000-0x00000000049D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1176-261-0x0000000006FD3000-0x0000000006FD4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-129-0x00000000086D0000-0x00000000086D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-124-0x000000000BE00000-0x000000000BE01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-123-0x00000000029A0000-0x0000000002A2F000-memory.dmp
    Filesize

    572KB

    Download
  • memory/1960-117-0x0000000005050000-0x0000000005051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-119-0x0000000002AE0000-0x0000000002AE3000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1960-118-0x0000000005130000-0x0000000005131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-115-0x0000000000610000-0x0000000000611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-144-0x0000000007230000-0x0000000007231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2428-169-0x0000000005020000-0x0000000005025000-memory.dmp
    Filesize

    20KB

    Download
  • memory/2428-189-0x00000000064E0000-0x00000000064E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/2428-190-0x00000000064F0000-0x00000000064FC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2428-187-0x0000000006490000-0x000000000649D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/2428-188-0x00000000064A0000-0x00000000064B5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2428-160-0x0000000004F90000-0x000000000548E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2428-146-0x000000000041E792-mapping.dmp
    Download
  • memory/2428-171-0x0000000005D30000-0x0000000005D33000-memory.dmp
    Filesize

    12KB

    Download
  • memory/2428-170-0x0000000005C10000-0x0000000005C29000-memory.dmp
    Filesize

    100KB

    Download
  • memory/2428-145-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/2960-134-0x0000000003060000-0x0000000003061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-259-0x00000000049B3000-0x00000000049B4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-165-0x00000000049B2000-0x00000000049B3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-172-0x0000000008230000-0x0000000008231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-175-0x0000000008270000-0x0000000008271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-127-0x0000000000000000-mapping.dmp
    Download
  • memory/2960-161-0x0000000007BD0000-0x0000000007BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-133-0x0000000003060000-0x0000000003061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-183-0x0000000003060000-0x0000000003061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-157-0x0000000007B60000-0x0000000007B61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-236-0x000000007EAB0000-0x000000007EAB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2960-137-0x00000000049B0000-0x00000000049B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-138-0x0000000004E60000-0x0000000004E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-141-0x0000000007A10000-0x0000000007A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-230-0x000000007F070000-0x000000007F071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-150-0x00000000077A0000-0x00000000077A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-155-0x00000000073D2000-0x00000000073D3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-260-0x00000000073D3000-0x00000000073D4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-136-0x00000000073D0000-0x00000000073D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-132-0x00000000034D0000-0x00000000034D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-185-0x00000000034D0000-0x00000000034D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-131-0x00000000034D0000-0x00000000034D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-178-0x0000000008940000-0x0000000008941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-126-0x0000000000000000-mapping.dmp
    Download