nanocore | c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff

General

Target

PAYMENTTRF889020022.exe
Size

355KB
MD5

1d00728cbb02b69a8cad3f032be410c8
SHA1

a803d959e77cdbec645288fe922d12e6888a209a
SHA256

c3fb8b20af40e3a6905a1190d657bd725c241efa3d91d0c0e1546f2b8ae8a2ff
SHA512

8858475d2f17f2f6786cbcd33f64bcb1515c931fd095d7d1828b1765dca3d47e454ef961c3ce4e41c9087494530694ede7475c8f31d4d549a9b2d913cc5d7257
SSDEEP

6144:HNeZmLE2rXehVTdEMLjtEkzKJg5/mnc52iOu0anAU5hvrBAVGFryDgvMar819nYk:HNl9KhVTtLjmkzufc5D0aBvrXVkgzr85

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

bglfezp.exe

pid process

2184 bglfezp.exe
Loads dropped DLL 1 IoCs

Processes:

bglfezp.exe

pid process

4548 bglfezp.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

bglfezp.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bglfezp.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bglfezp.exe

description pid process target process

PID 2184 set thread context of 4548 2184 bglfezp.exe bglfezp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3024 2184 WerFault.exe bglfezp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

bglfezp.exe

pid process

4548 bglfezp.exe
4548 bglfezp.exe
4548 bglfezp.exe
4548 bglfezp.exe
4548 bglfezp.exe
4548 bglfezp.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bglfezp.exe

pid process

4548 bglfezp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bglfezp.exe

description pid process

Token: SeDebugPrivilege 4548 bglfezp.exe

pid	process
2184	bglfezp.exe

pid	process
4548	bglfezp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bglfezp.exe

description	pid	process	target process
PID 2184 set thread context of 4548	2184	bglfezp.exe	bglfezp.exe

pid	pid_target	process	target process
3024	2184	WerFault.exe	bglfezp.exe

pid	process
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe
4548	bglfezp.exe

pid	process
4548	bglfezp.exe

description	pid	process
Token: SeDebugPrivilege	4548	bglfezp.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PAYMENTTRF889020022.exebglfezp.exe

description	pid	process	target process
PID 2264 wrote to memory of 2184	2264	PAYMENTTRF889020022.exe	bglfezp.exe
PID 2264 wrote to memory of 2184	2264	PAYMENTTRF889020022.exe	bglfezp.exe
PID 2264 wrote to memory of 2184	2264	PAYMENTTRF889020022.exe	bglfezp.exe
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	bglfezp.exe
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	bglfezp.exe
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	bglfezp.exe
PID 2184 wrote to memory of 4548	2184	bglfezp.exe	bglfezp.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENTTRF889020022.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENTTRF889020022.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
"C:\Users\Admin\AppData\Local\Temp\bglfezp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
"C:\Users\Admin\AppData\Local\Temp\bglfezp.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 560
3⤵
- Program crash
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2184 -ip 2184
1⤵
PID:4860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
Filesize
125KB

MD5
8dca1faf45a7de90e2a67b3c724d9c14

SHA1
a48123b3a5e70f484566e55d92f2772e34393b92

SHA256
0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8

SHA512
b54f138c7e432ea1ef14f8594a5e379f703d88d63d9ce69b2415cf88fb7cdea657e5a3b3d57bb2bfda0fc24c730cedc4dbe789a5b3e1b2089fa7b32807ea6d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
Filesize
125KB

MD5
8dca1faf45a7de90e2a67b3c724d9c14

SHA1
a48123b3a5e70f484566e55d92f2772e34393b92

SHA256
0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8

SHA512
b54f138c7e432ea1ef14f8594a5e379f703d88d63d9ce69b2415cf88fb7cdea657e5a3b3d57bb2bfda0fc24c730cedc4dbe789a5b3e1b2089fa7b32807ea6d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bglfezp.exe
Filesize
125KB

MD5
8dca1faf45a7de90e2a67b3c724d9c14

SHA1
a48123b3a5e70f484566e55d92f2772e34393b92

SHA256
0b0f985c493696c622017a28c979417c5be084d91b7976eab2397e9ac5bbfeb8

SHA512
b54f138c7e432ea1ef14f8594a5e379f703d88d63d9ce69b2415cf88fb7cdea657e5a3b3d57bb2bfda0fc24c730cedc4dbe789a5b3e1b2089fa7b32807ea6d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrlhc.kev
Filesize
280KB

MD5
4fa4f199d63df6ed8ab5185bd28acef5

SHA1
8021bc2518851cd10202c3923a6de177c830d09f

SHA256
03062221476d82fd59234117006236c4d88bc247c5b38894393c28caba795399

SHA512
84d2a9021282d702cc951819c886c6dd8db4cad2ae8b5a3b609c64af6a1e2b5c3643c68e3bcad7a49db8a364e83626ea5867614e81c45e37fcc3be511e06f30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\soocvvyw.hsf
Filesize
4KB

MD5
1a8c85947e15b903b353a69704452e22

SHA1
93941b1e770b673698b1ae338156d16257d94db4

SHA256
06f20357f36314fb82d550011bdbbdef7e9ce4ceac791c133e537cafe3b62c83

SHA512
b9ae1d779e8e2ff999073477765df2bf665219e670d250727c6177de039ff7cef800f9590084dd5d1d1bc02cad3895ea9e9f2b6068229a755ef8609e3e022318

Download Submit
memory/2184-132-0x0000000000000000-mapping.dmp

Download
memory/4548-137-0x0000000000000000-mapping.dmp

Download
memory/4548-139-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/4548-140-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/4548-141-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/4548-142-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/4548-143-0x0000000007200000-0x0000000007266000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing