nanocore | e0eda326c434151194985647835bd82ead40104bb7c210e7721868b280c74c23

General

Target

UNPAID BILLING INVOICE APRIL 2020.PDF.exe
Size

1.1MB
MD5

2c51d508e952e74dff3622fce3067988
SHA1

8f4e9008be3b4332d21eff90965c8abf7f82a088
SHA256

a94d174668553fbeb3c27e3194f9cef33d0d24ca56891658911bfdd7451ae9f8
SHA512

b93642b5feb79d2230130d8e4bffc073a449bd6bf96aa25e9a7cf506e6df1c7ff93bffa74978338dabea985b6cf3dc762c0b2ffddaf8c5fc567aea43b4ed054b

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

aashkanani22.casacam.net:54985

aashkanani22.ddns.net:54985

Mutex

81f9209a-84c0-4e4f-8b18-1c30549233d2

Attributes

activate_away_mode
true
backup_connection_host
aashkanani22.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-22T05:36:42.462642636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54985
default_group
JUNE-2020
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
81f9209a-84c0-4e4f-8b18-1c30549233d2
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
aashkanani22.casacam.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

puxshtsj.pifRegSvcs.exe

pid process

4764 puxshtsj.pif
212 RegSvcs.exe

pid	process
4764	puxshtsj.pif
212	RegSvcs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UNPAID BILLING INVOICE APRIL 2020.PDF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	UNPAID BILLING INVOICE APRIL 2020.PDF.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

puxshtsj.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	puxshtsj.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "0\\81302821\\puxshtsj.pif 0\\81302821\\lujmrbtsow.gpe"	puxshtsj.pif

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegSvcs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

puxshtsj.pif

description pid process target process

PID 4764 set thread context of 212 4764 puxshtsj.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4432 schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegSvcs.exe

description	pid	process	target process
PID 4764 set thread context of 212	4764	puxshtsj.pif	RegSvcs.exe

pid	process
4432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exepuxshtsj.pif

pid	process
212	RegSvcs.exe
212	RegSvcs.exe
212	RegSvcs.exe
212	RegSvcs.exe
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
212	RegSvcs.exe
212	RegSvcs.exe
212	RegSvcs.exe
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif
4764	puxshtsj.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

212 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 212 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	212	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

UNPAID BILLING INVOICE APRIL 2020.PDF.exepuxshtsj.pifRegSvcs.exe

description	pid	process	target process
PID 1544 wrote to memory of 4764	1544	UNPAID BILLING INVOICE APRIL 2020.PDF.exe	puxshtsj.pif
PID 1544 wrote to memory of 4764	1544	UNPAID BILLING INVOICE APRIL 2020.PDF.exe	puxshtsj.pif
PID 1544 wrote to memory of 4764	1544	UNPAID BILLING INVOICE APRIL 2020.PDF.exe	puxshtsj.pif
PID 4764 wrote to memory of 212	4764	puxshtsj.pif	RegSvcs.exe
PID 4764 wrote to memory of 212	4764	puxshtsj.pif	RegSvcs.exe
PID 4764 wrote to memory of 212	4764	puxshtsj.pif	RegSvcs.exe
PID 4764 wrote to memory of 212	4764	puxshtsj.pif	RegSvcs.exe
PID 4764 wrote to memory of 212	4764	puxshtsj.pif	RegSvcs.exe
PID 212 wrote to memory of 4432	212	RegSvcs.exe	schtasks.exe
PID 212 wrote to memory of 4432	212	RegSvcs.exe	schtasks.exe
PID 212 wrote to memory of 4432	212	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\UNPAID BILLING INVOICE APRIL 2020.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\UNPAID BILLING INVOICE APRIL 2020.PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\81302821\puxshtsj.pif
"C:\Users\Admin\81302821\puxshtsj.pif" lujmrbtsow.gpe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp39CD.tmp"
4⤵
- Creates scheduled task(s)
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\81302821\lujmrbtsow.gpe
Filesize
214.4MB

MD5
c364085ef46c97d0b3d5846976de7d69

SHA1
2cb1760323891da3d1e92aa649e9856029b6a962

SHA256
084aa55282acba4c34db3424ec94ed8a3c8016ba7eb75af64b76cf08fd67f46f

SHA512
c9507a1d0ad3021db91245998c42921c7eeb636773ee51ed92d534798707409ecf036fcb41ae29c97aaa1cc16b01d9ff59ab77612d3b96d89cacf59b89d257c1

Download Submit
C:\Users\Admin\81302821\puxshtsj.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
C:\Users\Admin\81302821\puxshtsj.pif
Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
C:\Users\Admin\81302821\ufcppr.txt
Filesize
459KB

MD5
ce7e39ca5dacbc7de06f3784a5f965e7

SHA1
6377a22c9532af6b1ad6f591b3907d2a17d6dca1

SHA256
400a340a3746e8f52d7251d8f82852844f71d728ee6050abc3990c7296e15642

SHA512
c88ed4e779b5e6154117012a136df4d539f480ee70abe65cf2a64f9dcbedb1ce90f8b8e0297eb1bc36d51d658138deaa10c09945bdb7ae7cf1c6a8fbb31b13d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39CD.tmp
Filesize
1KB

MD5
95aceabc58acad5d73372b0966ee1b35

SHA1
2293b7ad4793cf574b1a5220e85f329b5601040a

SHA256
8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4

SHA512
00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

Download Submit
memory/212-139-0x000000000131E792-mapping.dmp

Download
memory/212-138-0x0000000001300000-0x00000000017AA000-memory.dmp

Filesize
4.7MB

Download
memory/212-142-0x0000000001300000-0x0000000001338000-memory.dmp

Filesize
224KB

Download
memory/212-143-0x00000000063A0000-0x0000000006944000-memory.dmp

Filesize
5.6MB

Download
memory/212-144-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/212-145-0x0000000005E90000-0x0000000005F2C000-memory.dmp

Filesize
624KB

Download
memory/212-146-0x0000000005DC0000-0x0000000005DCA000-memory.dmp

Filesize
40KB

Download
memory/4432-147-0x0000000000000000-mapping.dmp

Download
memory/4764-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads