nanocore | 6170cf6b8177798371a0a7281d296bd79584a4c8d4aa2f2643cfa7d1c95b238b

General

Target

invoice.exe
Size

395KB
MD5

b9953aa6dc9d54b7c8151ce38ffe655d
SHA1

f007b4441b18466e270afb7d9f3df74b2d0b241a
SHA256

f3226374fbeefb1fcd90ab7d17d4570994dd63f8efb4bf59048eced4a042f0ba
SHA512

5533ad22a0c8c851372414fb93aa53508952844feb510d81fa0270252af90c32e68f6ecadd0659143c6b39919105af8bfcacd8a6db18c396d57c23b1656a6785

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

79.134.225.89:12190

Mutex

4e4951f6-c9ee-4a8b-863c-f53c12df989f

Attributes

activate_away_mode
true
backup_connection_host
79.134.225.89
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-17T01:50:29.200734436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
12190
default_group
cpa
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4e4951f6-c9ee-4a8b-863c-f53c12df989f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
79.134.225.89
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

invoice.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	invoice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

invoice.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe"	invoice.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

invoice.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA invoice.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

invoice.exe

description pid process target process

PID 4344 set thread context of 3668 4344 invoice.exe invoice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	invoice.exe

description	pid	process	target process
PID 4344 set thread context of 3668	4344	invoice.exe	invoice.exe

Drops file in Program Files directory 2 IoCs

Processes:

invoice.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Service\wpasv.exe	invoice.exe
File opened for modification	C:\Program Files (x86)\WPA Service\wpasv.exe	invoice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

224 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

invoice.exeinvoice.exe

pid process

4344 invoice.exe
4344 invoice.exe
4344 invoice.exe
4344 invoice.exe
3668 invoice.exe
3668 invoice.exe
3668 invoice.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

invoice.exe

pid process

3668 invoice.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

invoice.exeinvoice.exe

description pid process

Token: SeDebugPrivilege 4344 invoice.exe
Token: SeDebugPrivilege 3668 invoice.exe

pid	process
224	schtasks.exe

pid	process
4344	invoice.exe
4344	invoice.exe
4344	invoice.exe
4344	invoice.exe
3668	invoice.exe
3668	invoice.exe
3668	invoice.exe

pid	process
3668	invoice.exe

description	pid	process
Token: SeDebugPrivilege	4344	invoice.exe
Token: SeDebugPrivilege	3668	invoice.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

invoice.exe

description	pid	process	target process
PID 4344 wrote to memory of 224	4344	invoice.exe	schtasks.exe
PID 4344 wrote to memory of 224	4344	invoice.exe	schtasks.exe
PID 4344 wrote to memory of 224	4344	invoice.exe	schtasks.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe
PID 4344 wrote to memory of 3668	4344	invoice.exe	invoice.exe

C:\Users\Admin\AppData\Local\Temp\invoice.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hFctIClQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C58.tmp"
2⤵
- Creates scheduled task(s)
PID:224

C:\Users\Admin\AppData\Local\Temp\invoice.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5C58.tmp
Filesize
1KB

MD5
7bb798cb6a64d822e04020b728c811b1

SHA1
0799b6d8b5d758fdc5920a30d3ac5836d5a8214c

SHA256
d1f2c26c5d13083572ee8c1c87f27caa1679c5e2b13610837e2318d3e4fe7cdb

SHA512
7c8ee3f027462399473a2a1c0e0aa0b6b7597b801533b63c167e555bb94782676f7438f131724ad5af1533eca261362bd46f084a92f1dd6dbb1f16d860ca23a3

Download Submit
memory/224-131-0x0000000000000000-mapping.dmp

Download
memory/3668-133-0x0000000000000000-mapping.dmp

Download
memory/3668-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3668-135-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-130-0x0000000074D20000-0x00000000752D1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads