nanocore | ec4a44be83f7d379837e91f10d5ea17fdd9d6ac00dfc125324ee71dc17e17e6f

General

Target

DEMAND.DOC.exe
Size

471KB
MD5

631ca0db7718d5e9b99256ec227f7afb
SHA1

8a2da86dfc5146b9f2dd149f21403f0c74877334
SHA256

ec4a44be83f7d379837e91f10d5ea17fdd9d6ac00dfc125324ee71dc17e17e6f
SHA512

7686cb8ca95f484858e7b091f3582a2195dab0585d825ea1c32dd9e0c4525f8a9dc9d778cfeaf8cac7304dfc6bca0c8c1e1cee20047735607c207cc7e86fe326

Score

10^/10

spyware evasion trojan keylogger stealer nanocore

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

frank3000.ddns.net:4983

Mutex

53dd63cb-dcb6-4eb8-bea2-1c572110bc62

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-04-10T23:12:52.316007036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
4983
default_group
Frank
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
53dd63cb-dcb6-4eb8-bea2-1c572110bc62
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
frank3000.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3796 schtasks.exe
3472 schtasks.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MSBuild.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MSBuild.exe

pid	process
3796	schtasks.exe
3472	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

DEMAND.DOC.exeMSBuild.exevbc.exe

pid	process
3588	DEMAND.DOC.exe
3588	DEMAND.DOC.exe
3588	DEMAND.DOC.exe
3908	MSBuild.exe
3908	MSBuild.exe
3908	MSBuild.exe
3908	MSBuild.exe
3908	MSBuild.exe
3908	MSBuild.exe
744	vbc.exe
744	vbc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DEMAND.DOC.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 3588 DEMAND.DOC.exe
Token: SeDebugPrivilege 3908 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3588	DEMAND.DOC.exe
Token: SeDebugPrivilege	3908	MSBuild.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DEMAND.DOC.exeMSBuild.exe

description	pid	process	target process
PID 3588 set thread context of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3908 set thread context of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 set thread context of 744	3908	MSBuild.exe	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

3908 MSBuild.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

pid	process
3908	MSBuild.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

DEMAND.DOC.exeMSBuild.exe

description	pid	process	target process
PID 3588 wrote to memory of 3796	3588	DEMAND.DOC.exe	schtasks.exe
PID 3588 wrote to memory of 3796	3588	DEMAND.DOC.exe	schtasks.exe
PID 3588 wrote to memory of 3796	3588	DEMAND.DOC.exe	schtasks.exe
PID 3588 wrote to memory of 3888	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3888	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3888	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3588 wrote to memory of 3908	3588	DEMAND.DOC.exe	MSBuild.exe
PID 3908 wrote to memory of 3472	3908	MSBuild.exe	schtasks.exe
PID 3908 wrote to memory of 3472	3908	MSBuild.exe	schtasks.exe
PID 3908 wrote to memory of 3472	3908	MSBuild.exe	schtasks.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 2568	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe
PID 3908 wrote to memory of 744	3908	MSBuild.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\DEMAND.DOC.exe
"C:\Users\Admin\AppData\Local\Temp\DEMAND.DOC.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UnQWZljPSLttGy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp748F.tmp"
2⤵
- Creates scheduled task(s)
PID:3796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
PID:3888

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3908

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp"
3⤵
- Creates scheduled task(s)
PID:3472

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\v0bbn1to.nuc"
3⤵
PID:2568

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\ydgccxog.dlt"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp748F.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7877.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\v0bbn1to.nuc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydgccxog.dlt

Download Submit
memory/744-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/744-11-0x0000000000442628-mapping.dmp

Download
memory/744-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2568-7-0x0000000000411654-mapping.dmp

Download
memory/2568-8-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2568-6-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3472-4-0x0000000000000000-mapping.dmp

Download
memory/3796-0-0x0000000000000000-mapping.dmp

Download
memory/3908-3-0x000000000041E792-mapping.dmp

Download
memory/3908-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads