nanocore | 5ea05da316667fada821298f5b8fb8f18c0698924fcfc0e8c31f8e6def6f5b42

General

Target

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
Size

936KB
MD5

eba49d349d1d71f31270380179c4d88c
SHA1

dd6af373b9d6671d3c6762567ec962040e3afefc
SHA256

2a6626eb860702da5f9cd211f8ed7b8d6a030fbc2ad03d7c012297d8b62653fc
SHA512

42ce5fbf900694402dbf03f3a16bb863493b00be3893ba257c96874facbd17414f442aa609e89897a41fd18ddc6c33a0991a2e7389f63e7128e5a9934f99ccc7
SSDEEP

12288:zPNR/4veociDOVJHuQJsi7Nu5pRMezATUrVmL+aX:TL4veniC3uQP7cbRDUTU8

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

victorycolum.ddns.net:8282

127.0.0.1:8282

Mutex

acd95a4f-ecb5-4c5e-943c-b646c4948a96

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2022-07-15T08:03:40.313202836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8282
default_group
colum
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
acd95a4f-ecb5-4c5e-943c-b646c4948a96
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
victorycolum.ddns.net
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	37.235.1.177
Destination IP	37.235.1.177
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.177

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description pid process target process

PID 2000 set thread context of 1068 2000 PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	pid	process	target process
PID 2000 set thread context of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Drops file in Program Files directory 2 IoCs

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

364 schtasks.exe

pid	process
364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exePAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

pid	process
1764	powershell.exe
336	powershell.exe
1068	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
1068	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
1068	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

pid process

1068 PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

pid	process
1068	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exePAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	pid	process
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	1068	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

description	pid	process	target process
PID 2000 wrote to memory of 1764	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 1764	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 1764	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 1764	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 336	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 336	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 336	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 336	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	powershell.exe
PID 2000 wrote to memory of 364	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	schtasks.exe
PID 2000 wrote to memory of 364	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	schtasks.exe
PID 2000 wrote to memory of 364	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	schtasks.exe
PID 2000 wrote to memory of 364	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	schtasks.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
PID 2000 wrote to memory of 1068	2000	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe	PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XFPyaKtca.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XFPyaKtca" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA130.tmp"
2⤵
- Creates scheduled task(s)
PID:364

C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA130.tmp
Filesize
1KB

MD5
84ef3a2ac69dfe1077991fc8449456e7

SHA1
b873228e85e09abd8f8d48cb4b3a0cb80d768522

SHA256
241980166b13f9f6bfe6ec2a7981697a6bc342194de86f5af13473a2e3b5ec28

SHA512
ad177102a1085dd057ff9d2c8f738ef25a77a1980ef0a961d8f62dff908c10d32fcc73f64883254819627d6a8899186510e683e04047565e80953af7a3db50c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e5488e62b46c7926eb0fc8f4c8c9a6a1

SHA1
272f0c2d2cc9a6f2a7d0cf408e3e46bf26a0a933

SHA256
6e983bbc8429524e43bf4e5c6bb721630754e195e95f4cfe5ff368291aedbd68

SHA512
04e28ca81ba5f7a6b6399d355d3b0f2711704775b270d07e2faf5aa434daf5fa39ddad76a35912e41820c1b67e3b049249722dae7dd77b525c7d25002b06f9aa

Download Submit
memory/336-61-0x0000000000000000-mapping.dmp

Download
memory/336-86-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/336-85-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/364-62-0x0000000000000000-mapping.dmp

Download
memory/1068-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1068-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1068-84-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/1068-83-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/1068-81-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1068-77-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1068-75-0x000000000041E792-mapping.dmp

Download
memory/1068-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1068-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1068-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1068-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1764-59-0x0000000000000000-mapping.dmp

Download
memory/1764-82-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-66-0x000000006F370000-0x000000006F91B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-54-0x0000000000DC0000-0x0000000000EAA000-memory.dmp

Filesize
936KB

Download
memory/2000-67-0x0000000005D00000-0x0000000005D3A000-memory.dmp

Filesize
232KB

Download
memory/2000-57-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/2000-58-0x0000000005300000-0x0000000005394000-memory.dmp

Filesize
592KB

Download
memory/2000-56-0x0000000000B90000-0x0000000000BAC000-memory.dmp

Filesize
112KB

Download
memory/2000-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads