nanocore | 12c5688e077824b181e38335ed2d314c7775c5b31012092e717ba7ba952d36c9

General

Target

PO Order.pdf.exe
Size

344KB
MD5

532dacf2cd445b16dc5d134c3b3b9a44
SHA1

f28b6e11ef47c15ee939beda3772f1d35357fbf0
SHA256

12c5688e077824b181e38335ed2d314c7775c5b31012092e717ba7ba952d36c9
SHA512

d034c19d5122bed3c55be40233f67e19cfd8eb74af3e0e9e8dc44967d03c7eb311dec5275c621328eae813d0df181e0c6cfbd6291e852451681ff35d19f9c398
SSDEEP

6144:mbE/HUbBoBFqB8Bm2NHm9SjEtw2G3PMnS3noAwXZaMey1fPWm2pWW7n4CqbRk:mb/BGqBMtg9SEw13PMandwXUyNPF6lnf

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

xpgyulgf.exe

pid process

1864 xpgyulgf.exe
Loads dropped DLL 1 IoCs

Processes:

xpgyulgf.exe

pid process

1420 xpgyulgf.exe

pid	process
1864	xpgyulgf.exe

pid	process
1420	xpgyulgf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

xpgyulgf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vjcvkqh = "C:\\Users\\Admin\\AppData\\Roaming\\ktwysttooghyi\\lrfflxe.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xpgyulgf.exe\""	xpgyulgf.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

xpgyulgf.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xpgyulgf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

xpgyulgf.exe

description pid process target process

PID 1864 set thread context of 1420 1864 xpgyulgf.exe xpgyulgf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3504 1864 WerFault.exe xpgyulgf.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

xpgyulgf.exe

pid process

1420 xpgyulgf.exe
1420 xpgyulgf.exe
1420 xpgyulgf.exe
1420 xpgyulgf.exe
1420 xpgyulgf.exe
1420 xpgyulgf.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

xpgyulgf.exe

pid process

1420 xpgyulgf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

xpgyulgf.exe

description pid process

Token: SeDebugPrivilege 1420 xpgyulgf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpgyulgf.exe

description	pid	process	target process
PID 1864 set thread context of 1420	1864	xpgyulgf.exe	xpgyulgf.exe

pid	pid_target	process	target process
3504	1864	WerFault.exe	xpgyulgf.exe

pid	process
1420	xpgyulgf.exe
1420	xpgyulgf.exe
1420	xpgyulgf.exe
1420	xpgyulgf.exe
1420	xpgyulgf.exe
1420	xpgyulgf.exe

pid	process
1420	xpgyulgf.exe

description	pid	process
Token: SeDebugPrivilege	1420	xpgyulgf.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PO Order.pdf.exexpgyulgf.exe

description	pid	process	target process
PID 3112 wrote to memory of 1864	3112	PO Order.pdf.exe	xpgyulgf.exe
PID 3112 wrote to memory of 1864	3112	PO Order.pdf.exe	xpgyulgf.exe
PID 3112 wrote to memory of 1864	3112	PO Order.pdf.exe	xpgyulgf.exe
PID 1864 wrote to memory of 1420	1864	xpgyulgf.exe	xpgyulgf.exe
PID 1864 wrote to memory of 1420	1864	xpgyulgf.exe	xpgyulgf.exe
PID 1864 wrote to memory of 1420	1864	xpgyulgf.exe	xpgyulgf.exe
PID 1864 wrote to memory of 1420	1864	xpgyulgf.exe	xpgyulgf.exe

C:\Users\Admin\AppData\Local\Temp\PO Order.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO Order.pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe
"C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe
"C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 688
3⤵
- Program crash
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1864 -ip 1864
1⤵
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hnvmoa.ca

Filesize
280KB

MD5
25881806c8508afe30a354ae2af5347d

SHA1
c65b407a2f9f69f702fc84bdb6c9a189d87e0be0

SHA256
b19d1fc37a65f161444764173bd45910b763cf6117d11ac6d3d64a00f70ec483

SHA512
dc3beb98e22eed576e47234893dd7ffb531e89dc592acee6692d8b2d91f5595eb926cd717557662b0e7e9ae69d46ba8f83a7b346fdbe3013b3e072eaf907d978

Download Submit
C:\Users\Admin\AppData\Local\Temp\jvcllzq.d

Filesize
6KB

MD5
eb9955586c083c89861d9627120297c6

SHA1
3eb394c03d21cd4ceb39e8061b93e2e491638a6c

SHA256
c2510cd245277bf98ff10288901443c3fbabdee2020d45d8b16c03caf80adb1d

SHA512
743317a894582591f8f59e371be8bec5569c67e9c65d036c92f5fa3d5b0d0105d46b20d182db2feff43e8aa3bb12fe50c254de44e942c9163838fe93a0c8bb60

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe

Filesize
58KB

MD5
e1d08d3966e34ae8e9016603229c311d

SHA1
34308e175e2b4e98a2e03764de19b3fba136ef9c

SHA256
50d6641bcea26c34b6f8dfbe3780518de13c9f10dfd776224774a9f6b1f92d59

SHA512
441fa5821b11eedd2abba19c65ed1ec14ddbdc81599dec8ffc6ab1100655329326373cc99784fe740bb477cc5d9f4c468216b6cb710993391db4d54a59f5d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe

Filesize
58KB

MD5
e1d08d3966e34ae8e9016603229c311d

SHA1
34308e175e2b4e98a2e03764de19b3fba136ef9c

SHA256
50d6641bcea26c34b6f8dfbe3780518de13c9f10dfd776224774a9f6b1f92d59

SHA512
441fa5821b11eedd2abba19c65ed1ec14ddbdc81599dec8ffc6ab1100655329326373cc99784fe740bb477cc5d9f4c468216b6cb710993391db4d54a59f5d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xpgyulgf.exe

Filesize
58KB

MD5
e1d08d3966e34ae8e9016603229c311d

SHA1
34308e175e2b4e98a2e03764de19b3fba136ef9c

SHA256
50d6641bcea26c34b6f8dfbe3780518de13c9f10dfd776224774a9f6b1f92d59

SHA512
441fa5821b11eedd2abba19c65ed1ec14ddbdc81599dec8ffc6ab1100655329326373cc99784fe740bb477cc5d9f4c468216b6cb710993391db4d54a59f5d35f

Download Submit
memory/1420-137-0x0000000000000000-mapping.dmp

Download
memory/1420-139-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/1420-140-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/1420-141-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/1420-142-0x0000000005030000-0x000000000503A000-memory.dmp

Filesize
40KB

Download
memory/1420-143-0x0000000006BC0000-0x0000000006C26000-memory.dmp

Filesize
408KB

Download
memory/1864-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing