nanocore | 5106eff2035cae4bc844f175750857ecffe095b70f7872ddd212bedce7776e80

General

Target

ORDER.exe
Size

341KB
MD5

e5a7afc59157b9b4f86e9ec5fd80d183
SHA1

cd08baa0675e85a9db4db2c712137f475edaa24b
SHA256

5106eff2035cae4bc844f175750857ecffe095b70f7872ddd212bedce7776e80
SHA512

5b19d571fa0f9a49d594245e99b237fae1dedb175ae588edef66b1e3b315939c2e74deb331c73a4888ef832fbe6e0a815a64058b87c3d1cf389a8d9d6132fb83

Score

10^/10

evasion trojan keylogger stealer spyware nanocore persistence

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

muchogroup.ddns.net:4040

Mutex

b40e5e23-4326-4fa7-9cb9-f702f07a05f1

Attributes

activate_away_mode
true
backup_connection_host
muchogroup.ddns.net
backup_dns_server
muchogroup.ddns.net
buffer_size
65535
build_time
2020-04-20T03:01:52.496792136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4040
default_group
WEBMAILS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b40e5e23-4326-4fa7-9cb9-f702f07a05f1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
muchogroup.ddns.net
primary_dns_server
muchogroup.ddns.net
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 344 wrote to memory of 3968	344	ORDER.exe	67
PID 344 wrote to memory of 3968	344	ORDER.exe	67
PID 344 wrote to memory of 3968	344	ORDER.exe	67
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 344 wrote to memory of 3496	344	ORDER.exe	69
PID 3496 wrote to memory of 4036	3496	ORDER.exe	70
PID 3496 wrote to memory of 4036	3496	ORDER.exe	70
PID 3496 wrote to memory of 4036	3496	ORDER.exe	70
PID 3496 wrote to memory of 3844	3496	ORDER.exe	72
PID 3496 wrote to memory of 3844	3496	ORDER.exe	72
PID 3496 wrote to memory of 3844	3496	ORDER.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3496	ORDER.exe
3496	ORDER.exe
3496	ORDER.exe
3496	ORDER.exe
3496	ORDER.exe
3496	ORDER.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ORDER.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe"	ORDER.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DDP Subsystem\ddpss.exe	ORDER.exe
File created	C:\Program Files (x86)\DDP Subsystem\ddpss.exe	ORDER.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 344 set thread context of 3496	344	ORDER.exe	69

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	ORDER.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3496	ORDER.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3844	schtasks.exe
3968	schtasks.exe
4036	schtasks.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

C:\Users\Admin\AppData\Local\Temp\ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:344
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qAwrxxk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA090.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\ORDER.exe
  "C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Checks whether UAC is enabled
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3496
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA37E.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4036
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA3BE.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3844