nanocore | 1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13

General

Target

Payment Note.jpg.bat.exe
Size

3.5MB
MD5

0a58823cf240ad64edd991a378a3190d
SHA1

37f333ef38ec5b0befea8082ee5f915ede76f9a6
SHA256

1676e36eec12118ae10d1f090b6bf269d3f3c3ff771ecb0422231946415b2b13
SHA512

5b0713b9b07f0fb6cd7f26fc154b85cd9ba66a7cc5223d8181e07dc2018addd45dbea243fff155c0d20d20f6013301e0938ffa638974402522d023bcfb650134

Score

10^/10

evasion trojan keylogger stealer spyware nanocore persistence

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

3.tcp.ngrok.io:20027

20027:20027

Mutex

65111e8c-ec9f-4460-8960-7d4302c6de1c

Attributes

activate_away_mode
true
backup_connection_host
20027
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-04-20T18:37:01.695556536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
true
connect_delay
4000
connection_port
20027
default_group
NLH
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
65111e8c-ec9f-4460-8960-7d4302c6de1c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
3.tcp.ngrok.io
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Executes dropped EXE 1 IoCs

Processes:

Bin.exe

pid process

1996 Bin.exe

pid	process
1996	Bin.exe

Drops file in Program Files directory 2 IoCs

Processes:

Bin.exe

description	ioc	process
File created	C:\Program Files (x86)\WAN Subsystem\wanss.exe	Bin.exe
File opened for modification	C:\Program Files (x86)\WAN Subsystem\wanss.exe	Bin.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Payment Note.jpg.bat.exePayment Note.jpg.bat.exePayment Note.jpg.bat.exe

description	pid	process	target process
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1544 wrote to memory of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 wrote to memory of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1580 wrote to memory of 1996	1580	Payment Note.jpg.bat.exe	Bin.exe
PID 1580 wrote to memory of 1996	1580	Payment Note.jpg.bat.exe	Bin.exe
PID 1580 wrote to memory of 1996	1580	Payment Note.jpg.bat.exe	Bin.exe
PID 1580 wrote to memory of 1996	1580	Payment Note.jpg.bat.exe	Bin.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Payment Note.jpg.bat.exePayment Note.jpg.bat.exe

description	pid	process	target process
PID 1544 set thread context of 1692	1544	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe
PID 1692 set thread context of 1580	1692	Payment Note.jpg.bat.exe	Payment Note.jpg.bat.exe

Loads dropped DLL 2 IoCs

Processes:

Payment Note.jpg.bat.exe

pid process

1580 Payment Note.jpg.bat.exe
1580 Payment Note.jpg.bat.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Bin.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Bin.exe
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

pid	process
1580	Payment Note.jpg.bat.exe
1580	Payment Note.jpg.bat.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Bin.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Subsystem = "C:\\Program Files (x86)\\WAN Subsystem\\wanss.exe"	Bin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment Note.jpg.bat.exePayment Note.jpg.bat.exeBin.exe

description	pid	process
Token: SeDebugPrivilege	1544	Payment Note.jpg.bat.exe
Token: SeDebugPrivilege	1692	Payment Note.jpg.bat.exe
Token: SeDebugPrivilege	1996	Bin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Payment Note.jpg.bat.exePayment Note.jpg.bat.exeBin.exe

pid	process
1544	Payment Note.jpg.bat.exe
1544	Payment Note.jpg.bat.exe
1544	Payment Note.jpg.bat.exe
1692	Payment Note.jpg.bat.exe
1692	Payment Note.jpg.bat.exe
1692	Payment Note.jpg.bat.exe
1996	Bin.exe
1996	Bin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Bin.exe

pid process

1996 Bin.exe

pid	process
1996	Bin.exe

C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Note.jpg.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1580

C:\Users\Admin\AppData\Roaming\Bin.exe
"C:\Users\Admin\AppData\Roaming\Bin.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks whether UAC is enabled
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bin.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Bin.exe

Download Submit
\Users\Admin\AppData\Roaming\Bin.exe

Download Submit
\Users\Admin\AppData\Roaming\Bin.exe

Download Submit
memory/1544-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1580-10-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1580-11-0x00000000004EA3CE-mapping.dmp

Download
memory/1580-12-0x0000000000560000-0x0000000000650000-memory.dmp

Filesize
960KB

Download
memory/1580-13-0x0000000000560000-0x0000000000650000-memory.dmp

Filesize
960KB

Download
memory/1692-6-0x00000000006D0000-0x00000000008A8000-memory.dmp

Filesize
1.8MB

Download
memory/1692-5-0x00000000006D0000-0x00000000008A8000-memory.dmp

Filesize
1.8MB

Download
memory/1692-4-0x00000000005D2D3E-mapping.dmp

Download
memory/1996-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads