nanocore | 40fe69be55041a8607bf2596d0fa649ab26f6d6bd6973fb955f14f4e8a066b6c

General

Target

Receipt#502.exe
Size

680KB
MD5

e2e26573196fd444c8845d29e73a6b00
SHA1

8a2fc9e82c11d234e74846451b12c73d69dea955
SHA256

40fe69be55041a8607bf2596d0fa649ab26f6d6bd6973fb955f14f4e8a066b6c
SHA512

02906faffe3bb49e0a936f5d07215ffe8b7cc28b2f65536e17b1b6204aa7966998b4a70bb09bf5a1fdfaa6efef6f729fbeabb1a2e3c540cd1965f73edabc8b78

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

without.duckdns.org:2078

Mutex

17fd7e7e-3990-4c53-9987-94767303fd64

Attributes

activate_away_mode
true
backup_connection_host
without.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-09-03T20:18:47.158112236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2078
default_group
without
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
17fd7e7e-3990-4c53-9987-94767303fd64
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
without.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Suspicious use of SetThreadContext 1 IoCs

Processes:

Receipt#502.exe

description pid process target process

PID 4756 set thread context of 568 4756 Receipt#502.exe RegSvcs.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2796 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Receipt#502.exeRegSvcs.exe

pid process

4756 Receipt#502.exe
568 RegSvcs.exe
568 RegSvcs.exe
568 RegSvcs.exe
568 RegSvcs.exe
568 RegSvcs.exe
568 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

568 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Receipt#502.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4756 Receipt#502.exe
Token: SeDebugPrivilege 568 RegSvcs.exe

description	pid	process	target process
PID 4756 set thread context of 568	4756	Receipt#502.exe	RegSvcs.exe

pid	process
2796	schtasks.exe

pid	process
4756	Receipt#502.exe
568	RegSvcs.exe
568	RegSvcs.exe
568	RegSvcs.exe
568	RegSvcs.exe
568	RegSvcs.exe
568	RegSvcs.exe

pid	process
568	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4756	Receipt#502.exe
Token: SeDebugPrivilege	568	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Receipt#502.exe

description	pid	process	target process
PID 4756 wrote to memory of 2796	4756	Receipt#502.exe	schtasks.exe
PID 4756 wrote to memory of 2796	4756	Receipt#502.exe	schtasks.exe
PID 4756 wrote to memory of 2796	4756	Receipt#502.exe	schtasks.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe
PID 4756 wrote to memory of 568	4756	Receipt#502.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Receipt#502.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt#502.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NeKPJNb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3384.tmp"
2⤵
- Creates scheduled task(s)
PID:2796

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3384.tmp
MD5
e887b7d304b7d57eaf3c07086dbd102f

SHA1
2758ce37d82e2ddf2a662b96175ff5babf7d9b51

SHA256
18a376a5a0775c1bec582a0f0d5ca3393912e678413b9a8319d75a3530018df7

SHA512
ebec00a5f6105b1ec8376129fc5c6488b4d7b4c510f5e72bc2c99da94be1eb924b02d91ab85601ac87d49c390263d5b31d046630b89ee16cfa72f0d825821fdc

Download Submit
memory/568-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/568-3-0x000000000041E792-mapping.dmp

Download
memory/2796-0-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads