nanocore | c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff

General

Target

PAYMENTTRF889020022.exe
Size

355KB
MD5

1d00728cbb02b69a8cad3f032be410c8
SHA1

a803d959e77cdbec645288fe922d12e6888a209a
SHA256

c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff
SHA512

8858475d2f17f2f6786cbcd33f64bcb1515c931fd095d7d1828b1765dca3d47e454ef961c3ce4e41c9087494530694ede7475c8f31d4d549a9b2d913cc5d7257
SSDEEP

6144:HNeZmLE2rXehVTdEMLjtEkzKJg5/mnc52iOu0anAU5hvrBAVGFryDgvMar819nYk:HNl9KhVTtLjmkzufc5D0aBvrXVkgzr85

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 1 IoCs

pid	Process
2184	bglfezp.exe

Loads dropped DLL 1 IoCs

pid	Process
4548	bglfezp.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bglfezp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 4548	2184	bglfezp.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3024	2184	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4548	bglfezp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	bglfezp.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2184	2264	PAYMENTTRF889020022.exe	81
PID 2264 wrote to memory of 2184	2264	PAYMENTTRF889020022.exe	81
PID 2264 wrote to memory of 2184	2264	PAYMENTTRF889020022.exe	81
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	82
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	82
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	82
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	82

C:\Users\Admin\AppData\Local\Temp\PAYMENTTRF889020022.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENTTRF889020022.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
  "C:\Users\Admin\AppData\Local\Temp\bglfezp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
    "C:\Users\Admin\AppData\Local\Temp\bglfezp.exe"
    3⤵
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 560
    3⤵
    - Program crash
    PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2184 -ip 2184
1⤵
PID:4860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bglfezp.exe

Filesize
125KB

MD5
8dca1faf45a7de90e2a67b3c724d9c14

SHA1
a48123b3a5e70f484566e55d92f2772e34393b92

SHA256
0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8

SHA512
b54f138c7e432ea1ef14f8594a5e379f703d88d63d9ce69b2415cf88fb7cdea657e5a3b3d57bb2bfda0fc24c730cedc4dbe789a5b3e1b2089fa7b32807ea6d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bglfezp.exe

Filesize
125KB

MD5
8dca1faf45a7de90e2a67b3c724d9c14

SHA1
a48123b3a5e70f484566e55d92f2772e34393b92

SHA256
0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8

SHA512
b54f138c7e432ea1ef14f8594a5e379f703d88d63d9ce69b2415cf88fb7cdea657e5a3b3d57bb2bfda0fc24c730cedc4dbe789a5b3e1b2089fa7b32807ea6d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bglfezp.exe

Filesize
125KB

MD5
8dca1faf45a7de90e2a67b3c724d9c14

SHA1
a48123b3a5e70f484566e55d92f2772e34393b92

SHA256
0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8

SHA512
b54f138c7e432ea1ef14f8594a5e379f703d88d63d9ce69b2415cf88fb7cdea657e5a3b3d57bb2bfda0fc24c730cedc4dbe789a5b3e1b2089fa7b32807ea6d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrlhc.kev

Filesize
280KB

MD5
4fa4f199d63df6ed8ab5185bd28acef5

SHA1
8021bc2518851cd10202c3923a6de177c830d09f

SHA256
03062221476d82fd59234117006236c4d88bc247c5b38894393c28caba795399

SHA512
84d2a9021282d702cc951819c886c6dd8db4cad2ae8b5a3b609c64af6a1e2b5c3643c68e3bcad7a49db8a364e83626ea5867614e81c45e37fcc3be511e06f30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\soocvvyw.hsf

Filesize
4KB

MD5
1a8c85947e15b903b353a69704452e22

SHA1
93941b1e770b673698b1ae338156d16257d94db4

SHA256
06f20357f36314fb82d550011bdbbdef7e9ce4ceac791c133e537cafe3b62c83

SHA512
b9ae1d779e8e2ff999073477765df2bf665219e670d250727c6177de039ff7cef800f9590084dd5d1d1bc02cad3895ea9e9f2b6068229a755ef8609e3e022318

Download Submit
memory/4548-139-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/4548-140-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/4548-141-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/4548-142-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/4548-143-0x0000000007200000-0x0000000007266000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing