nanocore | f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425

General

Target

Payment Advice.exe
Size

1.0MB
MD5

232a09bfbb394ed852834398426a7802
SHA1

800229b32cd515d318fe79a3839783b1339064c1
SHA256

f01dd589bf6eee71da5d8f1dd99471c0ff2b2e4071147bfcad07d75727258425
SHA512

fd6e1f23769d9712d02bb4ff56bb374f22a8c048c0410af1ad5e8cbc1f823007630257d2304b6ed26cd6331deae43899728a610551e5149da41f675dced00acc
SSDEEP

12288:b8mAF94vNMpuKh1O8qrAot6ZMP5CxFBXpAFyDGNOSH+JoDNyADqjJ5nXOc1uqBnt:bWFCvOON6MxgNAsGNOSeWBUjrXOc

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

brewsterchristophe.ddns.net:5899

194,147,5,75:5899

Mutex

b8aebc29-8c64-444f-99e6-dc4122e9bbfc

Attributes

activate_away_mode
true
backup_connection_host
194,147,5,75
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-04-29T03:26:40.572298236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5899
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
brewsterchristophe.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Payment Advice.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"	Payment Advice.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Payment Advice.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Payment Advice.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Payment Advice.exe

description pid process target process

PID 1380 set thread context of 2016 1380 Payment Advice.exe Payment Advice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Payment Advice.exe

description	pid	process	target process
PID 1380 set thread context of 2016	1380	Payment Advice.exe	Payment Advice.exe

Drops file in Program Files directory 2 IoCs

Processes:

Payment Advice.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Manager\agpmgr.exe	Payment Advice.exe
File opened for modification	C:\Program Files (x86)\AGP Manager\agpmgr.exe	Payment Advice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1776 schtasks.exe
1936 schtasks.exe
1364 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Payment Advice.exePayment Advice.exe

pid process

1380 Payment Advice.exe
1380 Payment Advice.exe
2016 Payment Advice.exe
2016 Payment Advice.exe
2016 Payment Advice.exe
2016 Payment Advice.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Payment Advice.exe

pid process

2016 Payment Advice.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment Advice.exePayment Advice.exe

description pid process

Token: SeDebugPrivilege 1380 Payment Advice.exe
Token: SeDebugPrivilege 2016 Payment Advice.exe

pid	process
1776	schtasks.exe
1936	schtasks.exe
1364	schtasks.exe

pid	process
1380	Payment Advice.exe
1380	Payment Advice.exe
2016	Payment Advice.exe
2016	Payment Advice.exe
2016	Payment Advice.exe
2016	Payment Advice.exe

pid	process
2016	Payment Advice.exe

description	pid	process
Token: SeDebugPrivilege	1380	Payment Advice.exe
Token: SeDebugPrivilege	2016	Payment Advice.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Payment Advice.exePayment Advice.exe

description	pid	process	target process
PID 1380 wrote to memory of 1776	1380	Payment Advice.exe	schtasks.exe
PID 1380 wrote to memory of 1776	1380	Payment Advice.exe	schtasks.exe
PID 1380 wrote to memory of 1776	1380	Payment Advice.exe	schtasks.exe
PID 1380 wrote to memory of 1776	1380	Payment Advice.exe	schtasks.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 1380 wrote to memory of 2016	1380	Payment Advice.exe	Payment Advice.exe
PID 2016 wrote to memory of 1936	2016	Payment Advice.exe	schtasks.exe
PID 2016 wrote to memory of 1936	2016	Payment Advice.exe	schtasks.exe
PID 2016 wrote to memory of 1936	2016	Payment Advice.exe	schtasks.exe
PID 2016 wrote to memory of 1936	2016	Payment Advice.exe	schtasks.exe
PID 2016 wrote to memory of 1364	2016	Payment Advice.exe	schtasks.exe
PID 2016 wrote to memory of 1364	2016	Payment Advice.exe	schtasks.exe
PID 2016 wrote to memory of 1364	2016	Payment Advice.exe	schtasks.exe
PID 2016 wrote to memory of 1364	2016	Payment Advice.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xWcmbnYoCxCd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A32.tmp"
2⤵
- Creates scheduled task(s)
PID:1776

C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5E66.tmp"
3⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5F22.tmp"
3⤵
- Creates scheduled task(s)
PID:1364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5A32.tmp
Filesize
1KB

MD5
8fc8cb65235a6e03f094b544162c001c

SHA1
e7eeca41621d12122e78a043145e80ac4beb514f

SHA256
794d5a056eae4fab6baa6c25788eb13b818bc38c0bb4b037ada8a298af1ed188

SHA512
db0b95f82dfe5726745f5416c9100d8b47a52693b826573a24b893bac9751707206b0b24f449e87be6cbcbbfde963eb0899ac40fe6d92b85832cfcfe235a9b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E66.tmp
Filesize
1KB

MD5
458bd9bd481646fa69a54d107e96c8f9

SHA1
8c13631b59db1efcb6d33a4e40ba38614226d42a

SHA256
e196fc51e235fc106b72fe4258ce43c64b24b344c4781b6d2b0db6ab01f31c34

SHA512
266e4a2752ff6a1c78fad600d9dc74ed0946a7bfc6802bd03783360b7f5ce8ada8be0fbf0f342e81d76f74af62879ffbf2b865160e4b8d0a27c6e15f98f92171

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F22.tmp
Filesize
1KB

MD5
885d6dd30570594e167fadb59d9ca0ea

SHA1
9981e583644c4eb9cf5056615a0e1c2913c8983b

SHA256
7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2

SHA512
1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a

Download Submit
memory/1364-76-0x0000000000000000-mapping.dmp

Download
memory/1380-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1380-56-0x0000000000610000-0x0000000000630000-memory.dmp

Filesize
128KB

Download
memory/1380-57-0x0000000005FD0000-0x000000000605C000-memory.dmp

Filesize
560KB

Download
memory/1380-58-0x0000000004810000-0x000000000484C000-memory.dmp

Filesize
240KB

Download
memory/1380-54-0x0000000000A30000-0x0000000000B3A000-memory.dmp

Filesize
1.0MB

Download
memory/1776-59-0x0000000000000000-mapping.dmp

Download
memory/1936-74-0x0000000000000000-mapping.dmp

Download
memory/2016-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-81-0x0000000000700000-0x0000000000712000-memory.dmp

Filesize
72KB

Download
memory/2016-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-78-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2016-79-0x0000000000750000-0x000000000076E000-memory.dmp

Filesize
120KB

Download
memory/2016-80-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2016-68-0x000000000041E792-mapping.dmp

Download
memory/2016-82-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/2016-83-0x00000000009C0000-0x00000000009CE000-memory.dmp

Filesize
56KB

Download
memory/2016-84-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/2016-85-0x00000000021D0000-0x00000000021DE000-memory.dmp

Filesize
56KB

Download
memory/2016-86-0x00000000021E0000-0x00000000021EC000-memory.dmp

Filesize
48KB

Download
memory/2016-87-0x00000000022A0000-0x00000000022B4000-memory.dmp

Filesize
80KB

Download
memory/2016-88-0x0000000004510000-0x0000000004520000-memory.dmp

Filesize
64KB

Download
memory/2016-89-0x0000000004520000-0x0000000004534000-memory.dmp

Filesize
80KB

Download
memory/2016-90-0x0000000004530000-0x000000000453E000-memory.dmp

Filesize
56KB

Download
memory/2016-91-0x0000000005370000-0x000000000539E000-memory.dmp

Filesize
184KB

Download
memory/2016-92-0x0000000004D40000-0x0000000004D54000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads