Analysis
-
max time kernel
152s -
max time network
181s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:41
General
-
Target
PROOF OF PAYMENT.exe
-
Size
1.4MB
-
MD5
9a077bd0268cea0a1eea13d7ff75a691
-
SHA1
a4f20bd9e3083afb7dd60d5b06436075591e6619
-
SHA256
522eeb43150a93e0dd1308403baf27e10ca4042330e6405e87913683f3f6a67a
-
SHA512
0165b5e0e41be712ea3ee677cd860488c7154d5bd070f375c4cba78b429921254aae97adc3c4431a1d6f7a0086b0b69bb4707f3d481b0004d0d07fbdb1ebaadb
Malware Config
Extracted
nanocore
1.2.2.0
antonlmcmotor.ddns.net:3190
262bd9a6-fed5-40b1-be60-47588f2277bb
-
activate_away_mode
true
-
backup_connection_host
antonlmcmotor.ddns.net
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-03-06T10:01:36.466293536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
3190
-
default_group
2020 reformat
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
262bd9a6-fed5-40b1-be60-47588f2277bb
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
antonlmcmotor.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"C:\Users\Admin\AppData\Local\Temp\PROOF OF PAYMENT.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1728-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmpFilesize
8KB
-
memory/1728-64-0x0000000000DF0000-0x0000000000E56000-memory.dmpFilesize
408KB
-
memory/1728-65-0x00000000028F0000-0x0000000002956000-memory.dmpFilesize
408KB
-
memory/1944-55-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1944-57-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1944-62-0x000000000041E792-mapping.dmp
-
memory/1944-63-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1944-66-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1944-68-0x00000000747E0000-0x0000000074D8B000-memory.dmpFilesize
5.7MB
-
memory/1944-69-0x0000000002146000-0x0000000002157000-memory.dmpFilesize
68KB