Overview

overview

10

Static

static

Proof Of Payment.scr

windows7_x64

10

Proof Of Payment.scr

windows10-2004_x64

10

Analysis

  • max time kernel
    163s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proof Of Payment.scr

  • Size

    831KB

  • MD5

    22178eb7c68a50049e957fcf78b6515e

  • SHA1

    4e7788b3983bac98179aa70aaeb8f4e088191b90

  • SHA256

    d0b5b67a47d70659712ff004c3d7e91b5027100bbd84db3407e9668ed6a408f1

  • SHA512

    a6816c5e58519eff11beb22ba87023bbd1b9844fae6b7d23e41a23ce850c77c9643e688fe4a1cf7c509376ff873db6892892ef86ed74cfbeabd86f85edace623

Score
10/10
nanocoreevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

harolds.ooguy.com:6051

harold.2waky.com:6051
Mutex

79556390-7150-4551-9067-10cd33e6482e

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    harold.2waky.com

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2020-04-28T08:36:06.976087436Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    6051

  • default_group

    Acandy

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    79556390-7150-4551-9067-10cd33e6482e

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    harolds.ooguy.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
    "C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr" /S
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dCjZPel" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2120
    • C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
      "{path}"
      2⤵
        PID:4700
      • C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
        "{path}"
        2⤵
          PID:4760
        • C:\Users\Admin\AppData\Local\Temp\Proof Of Payment.scr
          "{path}"
          2⤵
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:4668

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proof Of Payment.scr.log
        Filesize

        507B

        MD5

        ab4c71d3ff6255edd4e5c1e09540f49e

        SHA1

        22e06bf4e258741b5df918061871cba998c50cea

        SHA256

        1690fec628f775dd3c3385b800eed126b37978ef2ffd592b024052724caafb5a

        SHA512

        8fa7d0045796e6cda7c28e2b9a690ef550619828c1b5d0ebf8e8367aff4bf4d9f63121e5b4f199d30cb8006eb584c6767f4c59150749b8256dab9dd0ebd9f1af

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmpA43F.tmp
        Filesize

        1KB

        MD5

        eb44c85b5620e1ff7acc9ef4d13b665d

        SHA1

        a18956d23d1fb893789ec7d075616f8328ef47d8

        SHA256

        0d4615d1faed2473561caa05c2ae39cc90e4c523205df3ecc32b161db12e5831

        SHA512

        950c63ce6bf70157aa82f61f407c04f1e6e9d3b720edb566a964e3ba0fbceeecc0f5f2334257460943fb8da8068c24c3648bf6b5d55e5444b593c1f5bfb96f5d

        Download Submit
      • memory/2120-134-0x0000000000000000-mapping.dmp
        Download
      • memory/4036-130-0x0000000000F90000-0x0000000001066000-memory.dmp
        Filesize

        856KB

        Download
      • memory/4036-131-0x0000000005A00000-0x0000000005A9C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4036-132-0x0000000005AA0000-0x0000000005B32000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4036-133-0x00000000067B0000-0x0000000006D54000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4668-138-0x0000000000000000-mapping.dmp
        Download
      • memory/4668-139-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

        Download
      • memory/4668-141-0x00000000056E0000-0x00000000056EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4700-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4760-137-0x0000000000000000-mapping.dmp
        Download