nanocore | ff250126dfd7ff3a392a93375d08db10968ff1332a591d709714c48bac438499

General

Target

Shiping Doc BL.exe
Size

346KB
MD5

9fabc05566bd91e093cd1446e0674093
SHA1

08032e4c0d9b2385cdd3f50b25cbd29565687981
SHA256

ff250126dfd7ff3a392a93375d08db10968ff1332a591d709714c48bac438499
SHA512

1cb9135b0cc065ebb88a4d05a9a5017896337119710649063b9aa1efe4aa73a2311978ecfc199c215e33d251d85ed4644be3b6a42eb7ae48f24f23e47ba876ee

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chinomso.duckdns.org:7688

Mutex

5c856c52-5125-42de-9ed3-2389e16da064

Attributes

activate_away_mode
true
backup_connection_host
chinomso.duckdns.org
backup_dns_server
chinomso.duckdns.org
buffer_size
65535
build_time
2020-10-13T03:36:21.868380136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7688
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5c856c52-5125-42de-9ed3-2389e16da064
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chinomso.duckdns.org
primary_dns_server
chinomso.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Shiping Doc BL.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	Shiping Doc BL.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Shiping Doc BL.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Shiping Doc BL.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Shiping Doc BL.exe

description pid process target process

PID 1680 set thread context of 1340 1680 Shiping Doc BL.exe Shiping Doc BL.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Shiping Doc BL.exe

description	pid	process	target process
PID 1680 set thread context of 1340	1680	Shiping Doc BL.exe	Shiping Doc BL.exe

Drops file in Program Files directory 2 IoCs

Processes:

Shiping Doc BL.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	Shiping Doc BL.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	Shiping Doc BL.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1744 schtasks.exe
1348 schtasks.exe
1904 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Shiping Doc BL.exe

pid process

1340 Shiping Doc BL.exe
1340 Shiping Doc BL.exe
1340 Shiping Doc BL.exe
1340 Shiping Doc BL.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Shiping Doc BL.exe

pid process

1340 Shiping Doc BL.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Shiping Doc BL.exe

pid process

1680 Shiping Doc BL.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Shiping Doc BL.exe

description pid process

Token: SeDebugPrivilege 1340 Shiping Doc BL.exe

pid	process
1744	schtasks.exe
1348	schtasks.exe
1904	schtasks.exe

pid	process
1340	Shiping Doc BL.exe
1340	Shiping Doc BL.exe
1340	Shiping Doc BL.exe
1340	Shiping Doc BL.exe

pid	process
1340	Shiping Doc BL.exe

pid	process
1680	Shiping Doc BL.exe

description	pid	process
Token: SeDebugPrivilege	1340	Shiping Doc BL.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Shiping Doc BL.execmd.exeShiping Doc BL.exe

description	pid	process	target process
PID 1680 wrote to memory of 1220	1680	Shiping Doc BL.exe	cmd.exe
PID 1680 wrote to memory of 1220	1680	Shiping Doc BL.exe	cmd.exe
PID 1680 wrote to memory of 1220	1680	Shiping Doc BL.exe	cmd.exe
PID 1680 wrote to memory of 1220	1680	Shiping Doc BL.exe	cmd.exe
PID 1680 wrote to memory of 1340	1680	Shiping Doc BL.exe	Shiping Doc BL.exe
PID 1680 wrote to memory of 1340	1680	Shiping Doc BL.exe	Shiping Doc BL.exe
PID 1680 wrote to memory of 1340	1680	Shiping Doc BL.exe	Shiping Doc BL.exe
PID 1680 wrote to memory of 1340	1680	Shiping Doc BL.exe	Shiping Doc BL.exe
PID 1680 wrote to memory of 1340	1680	Shiping Doc BL.exe	Shiping Doc BL.exe
PID 1220 wrote to memory of 1348	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1348	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1348	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1348	1220	cmd.exe	schtasks.exe
PID 1340 wrote to memory of 1904	1340	Shiping Doc BL.exe	schtasks.exe
PID 1340 wrote to memory of 1904	1340	Shiping Doc BL.exe	schtasks.exe
PID 1340 wrote to memory of 1904	1340	Shiping Doc BL.exe	schtasks.exe
PID 1340 wrote to memory of 1904	1340	Shiping Doc BL.exe	schtasks.exe
PID 1340 wrote to memory of 1744	1340	Shiping Doc BL.exe	schtasks.exe
PID 1340 wrote to memory of 1744	1340	Shiping Doc BL.exe	schtasks.exe
PID 1340 wrote to memory of 1744	1340	Shiping Doc BL.exe	schtasks.exe
PID 1340 wrote to memory of 1744	1340	Shiping Doc BL.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
"C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN oldfilesx /XML "C:\Users\Admin\AppData\Local\Temp\1870d64946154a9ba46c3d6e410e682e.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN oldfilesx /XML "C:\Users\Admin\AppData\Local\Temp\1870d64946154a9ba46c3d6e410e682e.xml"
3⤵
- Creates scheduled task(s)
PID:1348

C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe
"C:\Users\Admin\AppData\Local\Temp\Shiping Doc BL.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp"
3⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1F64.tmp"
3⤵
- Creates scheduled task(s)
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1870d64946154a9ba46c3d6e410e682e.xml
MD5
ffcce3b4970738357e139a21b7ced9d8

SHA1
9e7cccef21473ec1a84f7e78749bd56ce2fb7e03

SHA256
0e796eec994e5059eb41ab16136df2185a4cddcf4e29f40d5f8622f101074a4d

SHA512
146da1e88eb3109dde62a891301a5f4447efba2db5c0f87cfda49ef1884fcab366478c872493984a9054fcb83ea2c0f90850758acff88d9d912a89bedce670dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EB7.tmp
MD5
e5b205ff4752a7179b051abd1cb3a3d5

SHA1
bb1aed8d8e1553088f6d682e02f969885d184483

SHA256
6b4ea6c52f73ac31be1cff5fde2171a3c8edba6344db1dc4da0aff974d449bc9

SHA512
b540e223683d33c16152162ae957628ecabe07067c314abad2a691c1918bfcb89ca59ede6e6156957ccc83c5c4869ca3f16bb48603d3b59908b6dfdee5b11613

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F64.tmp
MD5
819bdbdac3be050783d203020e6c4c30

SHA1
a373521fceb21cac8b93e55ee48578e40a6e740b

SHA256
0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053

SHA512
cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Download Submit
memory/1220-2-0x0000000000000000-mapping.dmp

Download
memory/1340-15-0x0000000001E10000-0x0000000001E15000-memory.dmp

Filesize
20KB

Download
memory/1340-24-0x0000000004200000-0x000000000420D000-memory.dmp

Filesize
52KB

Download
memory/1340-8-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1340-9-0x00000000003C0000-0x00000000003F3000-memory.dmp

Filesize
204KB

Download
memory/1340-29-0x0000000004760000-0x000000000476F000-memory.dmp

Filesize
60KB

Download
memory/1340-5-0x000000000040188B-mapping.dmp

Download
memory/1340-27-0x0000000004740000-0x000000000474A000-memory.dmp

Filesize
40KB

Download
memory/1340-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1340-28-0x0000000004D10000-0x0000000004D39000-memory.dmp

Filesize
164KB

Download
memory/1340-16-0x0000000001E40000-0x0000000001E59000-memory.dmp

Filesize
100KB

Download
memory/1340-17-0x0000000001E20000-0x0000000001E23000-memory.dmp

Filesize
12KB

Download
memory/1340-18-0x0000000001E80000-0x0000000001E8D000-memory.dmp

Filesize
52KB

Download
memory/1340-19-0x0000000001EE0000-0x0000000001EF5000-memory.dmp

Filesize
84KB

Download
memory/1340-20-0x0000000001F00000-0x0000000001F06000-memory.dmp

Filesize
24KB

Download
memory/1340-21-0x0000000001FA0000-0x0000000001FAC000-memory.dmp

Filesize
48KB

Download
memory/1340-22-0x00000000020A0000-0x00000000020A7000-memory.dmp

Filesize
28KB

Download
memory/1340-6-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1340-23-0x00000000041F0000-0x00000000041F6000-memory.dmp

Filesize
24KB

Download
memory/1340-25-0x0000000004310000-0x0000000004319000-memory.dmp

Filesize
36KB

Download
memory/1340-26-0x0000000004730000-0x000000000473F000-memory.dmp

Filesize
60KB

Download
memory/1348-4-0x0000000000000000-mapping.dmp

Download
memory/1744-13-0x0000000000000000-mapping.dmp

Download
memory/1904-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads