Overview

overview

10

Static

static

Payment Invoice.exe

windows7-x64

10

Payment Invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2022 15:56

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment Invoice.exe

  • Size

    875KB

  • MD5

    2a7f904046d84e1e7357e1e2a25c4d6a

  • SHA1

    21295c64773194b68011c56239d2f2eaff1bad84

  • SHA256

    5dd503490af8829d84dcf61f1b829b3a26eb0f9fdf807b49d9b606cd6e2ff974

  • SHA512

    5c9e981427fc57aa40a6742fe21bf79b7f84ffaf032a9905d32c960b24566a64ad32753c2688e04221bbe4f4d7016df03e5c25340a3245cea1cb1d3b4d29ff81

  • SSDEEP

    12288:tFnv6yVmzuaXM8FZF61P+XLoykU6hfWxvWVpPOBJl7qZIm:jd0zlzFpkykUmuKPwi

Score
10/10
nanocorecollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

story.servepics.com:22

85.31.46.207:22

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    85.31.46.207

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-07-01T16:11:50.181051836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    22

  • default_group

    Blessed

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    cd820fe9-0080-4a6b-9ac2-42543933ee09

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    story.servepics.com

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • NirSoft MailPassView ⋅ 3 IoCs

    Password recovery tool for various email clients

  • Nirsoft ⋅ 3 IoCs
  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution ⋅ 1 TTPs
  • Accesses Microsoft Outlook accounts ⋅ 1 TTPs 1 IoCs
    collection
  • Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext ⋅ 3 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses ⋅ 19 IoCs
  • Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 3 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
    Checks computer location settings
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\edRwRca.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\edRwRca" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96A2.tmp"
      Creates scheduled task(s)
      PID:1176
    • C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
      Checks whether UAC is enabled
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2544
      • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\tztrlknr.m32"
        PID:4592
      • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\tztrlknr.m32"
        Accesses Microsoft Outlook accounts
        PID:4720
      • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\0cvr03mj.skw"
        PID:4092
      • \??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
        "c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\0cvr03mj.skw"
        Suspicious behavior: EnumeratesProcesses
        PID:396

Network

MITRE ATT&CK Matrix

Collection

Command and Control

    Credential Access

      Defense Evasion

      Discovery

      Execution

        Exfiltration

          Impact

            Initial Access

              Lateral Movement

                Persistence

                Privilege Escalation

                  Replay Monitor

                  00:00 00:00

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\0cvr03mj.skw
                    MD5

                    02524418240369b25b988e9884cd1c54

                    SHA1

                    42a33322d952edf6d8431d4cd788bbc863d2b890

                    SHA256

                    80b2a0874c2f734dfe1196d7ae2a7bc6ccb30df2d9281513ac33edc529a71a37

                    SHA512

                    7c5bbe911f7f0b072d6fdb89ea5759655c2b5cf9ebfddff8f2f67f956141b8ed3697ab0504f60c3992849afbbc79434043a6c04d7cf6ddd958e23354fd3a698f

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\tmp96A2.tmp
                    MD5

                    49d00e2ad890e0a615742851fada653a

                    SHA1

                    79eaf9ad6b9723df15d412c02e634f31f3ed2141

                    SHA256

                    6110ed254ca2182778583549a92ae8c67a82d21170e68139d92e7626a12bcd0f

                    SHA512

                    c2059c04b2217de054a8a2c6a38d71804b558aa7c931d9116586f9506621be0f51e6144e2e6ca53ede00be07fa11e30fdacae229f22538d5e5975804166cceab

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\tztrlknr.m32
                    MD5

                    69b2a2e17e78d24abee9f1de2f04811a

                    SHA1

                    d19c109704e83876ab3527457f9418a7d053aa33

                    SHA256

                    1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

                    SHA512

                    eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

                    Download Submit
                  • memory/396-173-0x0000000000400000-0x0000000000453000-memory.dmp
                    Download
                  • memory/396-172-0x0000000000400000-0x0000000000453000-memory.dmp
                    Download
                  • memory/396-171-0x0000000000400000-0x0000000000453000-memory.dmp
                    Download
                  • memory/396-169-0x0000000000400000-0x0000000000453000-memory.dmp
                    Download
                  • memory/396-168-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1176-140-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2236-152-0x00000000066F0000-0x000000000670E000-memory.dmp
                    Download
                  • memory/2236-150-0x0000000070E30000-0x0000000070E7C000-memory.dmp
                    Download
                  • memory/2236-157-0x0000000007680000-0x000000000768E000-memory.dmp
                    Download
                  • memory/2236-141-0x0000000002840000-0x0000000002876000-memory.dmp
                    Download
                  • memory/2236-138-0x0000000000000000-mapping.dmp
                    Download
                  • memory/2236-146-0x0000000005190000-0x00000000051B2000-memory.dmp
                    Download
                  • memory/2236-154-0x0000000007450000-0x000000000746A000-memory.dmp
                    Download
                  • memory/2236-148-0x0000000006150000-0x000000000616E000-memory.dmp
                    Download
                  • memory/2544-145-0x0000000000400000-0x0000000000438000-memory.dmp
                    Download
                  • memory/2544-144-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4092-167-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4420-135-0x0000000005980000-0x000000000598A000-memory.dmp
                    Download
                  • memory/4420-136-0x00000000094D0000-0x000000000956C000-memory.dmp
                    Download
                  • memory/4420-132-0x0000000000F00000-0x0000000000FE0000-memory.dmp
                    Download
                  • memory/4420-137-0x00000000095E0000-0x0000000009646000-memory.dmp
                    Download
                  • memory/4420-134-0x0000000005A00000-0x0000000005A92000-memory.dmp
                    Download
                  • memory/4420-133-0x0000000005F10000-0x00000000064B4000-memory.dmp
                    Download
                  • memory/4592-160-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4696-156-0x0000000007860000-0x00000000078F6000-memory.dmp
                    Download
                  • memory/4696-151-0x0000000070E30000-0x0000000070E7C000-memory.dmp
                    Download
                  • memory/4696-143-0x0000000005520000-0x0000000005B48000-memory.dmp
                    Download
                  • memory/4696-147-0x0000000005430000-0x0000000005496000-memory.dmp
                    Download
                  • memory/4696-149-0x00000000068D0000-0x0000000006902000-memory.dmp
                    Download
                  • memory/4696-159-0x0000000007900000-0x0000000007908000-memory.dmp
                    Download
                  • memory/4696-139-0x0000000000000000-mapping.dmp
                    Download
                  • memory/4696-158-0x0000000007920000-0x000000000793A000-memory.dmp
                    Download
                  • memory/4696-155-0x0000000007650000-0x000000000765A000-memory.dmp
                    Download
                  • memory/4696-153-0x0000000007C30000-0x00000000082AA000-memory.dmp
                    Download
                  • memory/4720-165-0x0000000000400000-0x000000000041B000-memory.dmp
                    Download
                  • memory/4720-164-0x0000000000400000-0x000000000041B000-memory.dmp
                    Download
                  • memory/4720-162-0x0000000000400000-0x000000000041B000-memory.dmp
                    Download
                  • memory/4720-161-0x0000000000000000-mapping.dmp
                    Download