Overview

overview

10

Static

static

PAYMENT_SW..._5.exe

windows7-x64

10

PAYMENT_SW..._5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/10/2022, 18:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe

  • Size

    936KB

  • MD5

    eba49d349d1d71f31270380179c4d88c

  • SHA1

    dd6af373b9d6671d3c6762567ec962040e3afefc

  • SHA256

    2a6626eb860702da5f9cd211f8ed7b8d6a030fbc2ad03d7c012297d8b62653fc

  • SHA512

    42ce5fbf900694402dbf03f3a16bb863493b00be3893ba257c96874facbd17414f442aa609e89897a41fd18ddc6c33a0991a2e7389f63e7128e5a9934f99ccc7

  • SSDEEP

    12288:zPNR/4veociDOVJHuQJsi7Nu5pRMezATUrVmL+aX:TL4veniC3uQP7cbRDUTU8

Score
10/10
nanocoreevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

victorycolum.ddns.net:8282

127.0.0.1:8282
Mutex

acd95a4f-ecb5-4c5e-943c-b646c4948a96

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    37.235.1.177

  • buffer_size

    65535

  • build_time

    2022-07-15T08:03:40.313202836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    8282

  • default_group

    colum

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    acd95a4f-ecb5-4c5e-943c-b646c4948a96

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    victorycolum.ddns.net

  • primary_dns_server

    37.235.1.174

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Unexpected DNS network traffic destination 6 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XFPyaKtca.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:336
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XFPyaKtca" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA130.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:364
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT_SWIFT_DETAIL_ORDPAY_911_5.exe"
      2⤵
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1068

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpA130.tmp
          Filesize

          1KB

          MD5

          84ef3a2ac69dfe1077991fc8449456e7

          SHA1

          b873228e85e09abd8f8d48cb4b3a0cb80d768522

          SHA256

          241980166b13f9f6bfe6ec2a7981697a6bc342194de86f5af13473a2e3b5ec28

          SHA512

          ad177102a1085dd057ff9d2c8f738ef25a77a1980ef0a961d8f62dff908c10d32fcc73f64883254819627d6a8899186510e683e04047565e80953af7a3db50c6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          e5488e62b46c7926eb0fc8f4c8c9a6a1

          SHA1

          272f0c2d2cc9a6f2a7d0cf408e3e46bf26a0a933

          SHA256

          6e983bbc8429524e43bf4e5c6bb721630754e195e95f4cfe5ff368291aedbd68

          SHA512

          04e28ca81ba5f7a6b6399d355d3b0f2711704775b270d07e2faf5aa434daf5fa39ddad76a35912e41820c1b67e3b049249722dae7dd77b525c7d25002b06f9aa

          Download Submit

        • memory/336-86-0x000000006F370000-0x000000006F91B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/336-85-0x000000006F370000-0x000000006F91B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1068-68-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1068-79-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1068-84-0x0000000000770000-0x000000000077A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1068-83-0x00000000003E0000-0x00000000003FE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1068-81-0x00000000003D0000-0x00000000003DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1068-77-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1068-69-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1068-71-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1068-72-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1068-74-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/1764-82-0x000000006F370000-0x000000006F91B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1764-66-0x000000006F370000-0x000000006F91B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2000-54-0x0000000000DC0000-0x0000000000EAA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2000-67-0x0000000005D00000-0x0000000005D3A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2000-57-0x0000000000C60000-0x0000000000C6C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2000-58-0x0000000005300000-0x0000000005394000-memory.dmp

          Filesize

          592KB

          Download

        • memory/2000-56-0x0000000000B90000-0x0000000000BAC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2000-55-0x0000000075501000-0x0000000075503000-memory.dmp

          Filesize

          8KB

          Download