Overview

overview

10

Static

static

Payment Invoice.exe

windows7-x64

10

Payment Invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2022 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Invoice.exe

  • Size

    875KB

  • MD5

    2a7f904046d84e1e7357e1e2a25c4d6a

  • SHA1

    21295c64773194b68011c56239d2f2eaff1bad84

  • SHA256

    5dd503490af8829d84dcf61f1b829b3a26eb0f9fdf807b49d9b606cd6e2ff974

  • SHA512

    5c9e981427fc57aa40a6742fe21bf79b7f84ffaf032a9905d32c960b24566a64ad32753c2688e04221bbe4f4d7016df03e5c25340a3245cea1cb1d3b4d29ff81

  • SSDEEP

    12288:tFnv6yVmzuaXM8FZF61P+XLoykU6hfWxvWVpPOBJl7qZIm:jd0zlzFpkykUmuKPwi

Score
10/10
nanocorecollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

story.servepics.com:22

85.31.46.207:22
Mutex

cd820fe9-0080-4a6b-9ac2-42543933ee09

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    85.31.46.207

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-07-01T16:11:50.181051836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    22

  • default_group

    Blessed

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    cd820fe9-0080-4a6b-9ac2-42543933ee09

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    story.servepics.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • NirSoft MailPassView 3 IoCs

    Password recovery tool for various email clients

  • Nirsoft 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\edRwRca.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\edRwRca" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96A2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1176
    • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2544
      • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\tztrlknr.m32"
        3⤵
          PID:4592
        • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
          "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\tztrlknr.m32"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:4720
        • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
          "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\0cvr03mj.skw"
          3⤵
            PID:4092
          • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
            "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\0cvr03mj.skw"
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:396

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scripting

      1
      T1064

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Scripting

      1
      T1064

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0cvr03mj.skw
        Filesize

        3KB

        MD5

        02524418240369b25b988e9884cd1c54

        SHA1

        42a33322d952edf6d8431d4cd788bbc863d2b890

        SHA256

        80b2a0874c2f734dfe1196d7ae2a7bc6ccb30df2d9281513ac33edc529a71a37

        SHA512

        7c5bbe911f7f0b072d6fdb89ea5759655c2b5cf9ebfddff8f2f67f956141b8ed3697ab0504f60c3992849afbbc79434043a6c04d7cf6ddd958e23354fd3a698f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp96A2.tmp
        Filesize

        1KB

        MD5

        49d00e2ad890e0a615742851fada653a

        SHA1

        79eaf9ad6b9723df15d412c02e634f31f3ed2141

        SHA256

        6110ed254ca2182778583549a92ae8c67a82d21170e68139d92e7626a12bcd0f

        SHA512

        c2059c04b2217de054a8a2c6a38d71804b558aa7c931d9116586f9506621be0f51e6144e2e6ca53ede00be07fa11e30fdacae229f22538d5e5975804166cceab

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tztrlknr.m32
        Filesize

        523B

        MD5

        69b2a2e17e78d24abee9f1de2f04811a

        SHA1

        d19c109704e83876ab3527457f9418a7d053aa33

        SHA256

        1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

        SHA512

        eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

        Download Submit
      • memory/396-173-0x0000000000400000-0x0000000000453000-memory.dmp
        Filesize

        332KB

        Download
      • memory/396-172-0x0000000000400000-0x0000000000453000-memory.dmp
        Filesize

        332KB

        Download
      • memory/396-171-0x0000000000400000-0x0000000000453000-memory.dmp
        Filesize

        332KB

        Download
      • memory/396-169-0x0000000000400000-0x0000000000453000-memory.dmp
        Filesize

        332KB

        Download
      • memory/396-168-0x0000000000000000-mapping.dmp
        Download
      • memory/1176-140-0x0000000000000000-mapping.dmp
        Download
      • memory/2236-152-0x00000000066F0000-0x000000000670E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2236-150-0x0000000070E30000-0x0000000070E7C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2236-157-0x0000000007680000-0x000000000768E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2236-141-0x0000000002840000-0x0000000002876000-memory.dmp
        Filesize

        216KB

        Download
      • memory/2236-138-0x0000000000000000-mapping.dmp
        Download
      • memory/2236-146-0x0000000005190000-0x00000000051B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2236-154-0x0000000007450000-0x000000000746A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/2236-148-0x0000000006150000-0x000000000616E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2544-145-0x0000000000400000-0x0000000000438000-memory.dmp
        Filesize

        224KB

        Download
      • memory/2544-144-0x0000000000000000-mapping.dmp
        Download
      • memory/4092-167-0x0000000000000000-mapping.dmp
        Download
      • memory/4420-135-0x0000000005980000-0x000000000598A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4420-136-0x00000000094D0000-0x000000000956C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4420-132-0x0000000000F00000-0x0000000000FE0000-memory.dmp
        Filesize

        896KB

        Download
      • memory/4420-137-0x00000000095E0000-0x0000000009646000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4420-134-0x0000000005A00000-0x0000000005A92000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4420-133-0x0000000005F10000-0x00000000064B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4592-160-0x0000000000000000-mapping.dmp
        Download
      • memory/4696-156-0x0000000007860000-0x00000000078F6000-memory.dmp
        Filesize

        600KB

        Download
      • memory/4696-151-0x0000000070E30000-0x0000000070E7C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4696-143-0x0000000005520000-0x0000000005B48000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4696-147-0x0000000005430000-0x0000000005496000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4696-149-0x00000000068D0000-0x0000000006902000-memory.dmp
        Filesize

        200KB

        Download
      • memory/4696-159-0x0000000007900000-0x0000000007908000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4696-139-0x0000000000000000-mapping.dmp
        Download
      • memory/4696-158-0x0000000007920000-0x000000000793A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4696-155-0x0000000007650000-0x000000000765A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4696-153-0x0000000007C30000-0x00000000082AA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/4720-165-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/4720-164-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/4720-162-0x0000000000400000-0x000000000041B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/4720-161-0x0000000000000000-mapping.dmp
        Download