nanocore | dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a

General

Target

Scan002.exe.exe
Size

889KB
MD5

8e2315d05c47fefdddf0a686bf9e353e
SHA1

e56fe197d61518b5ea20696677c3fb444e39860e
SHA256

dd647e98e0bd3b1627a0385970c38cd046883967f39dbf9fe416d5300e8e310a
SHA512

d052fadfe382f2910992677f65bfdd1c5cdabd50837925b6b5ea14038026ec49e30112de25d3e88a78ce832cee7d79ae66a0821c2570276c12fbcad2676050cc

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

innocentbooii.hopto.org:55420

172.111.249.15:55420

Mutex

f54d19ad-33bd-4372-9241-49940a512cfd

Attributes

activate_away_mode
false
backup_connection_host
172.111.249.15
backup_dns_server
buffer_size
65538
build_time
2020-10-21T16:20:24.090592536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
55420
default_group
2021
enable_debug_mode
true
gc_threshold
1.0485772e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.0485772e+07
mutex
f54d19ad-33bd-4372-9241-49940a512cfd
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
innocentbooii.hopto.org
primary_dns_server
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8009

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Scan002.exe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe"	Scan002.exe.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Scan002.exe.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Scan002.exe.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan002.exe.exe

description pid process target process

PID 4776 set thread context of 4424 4776 Scan002.exe.exe Scan002.exe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Scan002.exe.exe

description	pid	process	target process
PID 4776 set thread context of 4424	4776	Scan002.exe.exe	Scan002.exe.exe

Drops file in Program Files directory 2 IoCs

Processes:

Scan002.exe.exe

description	ioc	process
File created	C:\Program Files (x86)\WAN Service\wansv.exe	Scan002.exe.exe
File opened for modification	C:\Program Files (x86)\WAN Service\wansv.exe	Scan002.exe.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1664 schtasks.exe
3452 schtasks.exe
4496 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Scan002.exe.exeScan002.exe.exe

pid process

4776 Scan002.exe.exe
4424 Scan002.exe.exe
4424 Scan002.exe.exe
4424 Scan002.exe.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Scan002.exe.exe

pid process

4424 Scan002.exe.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Scan002.exe.exeScan002.exe.exe

description pid process

Token: SeDebugPrivilege 4776 Scan002.exe.exe
Token: SeDebugPrivilege 4424 Scan002.exe.exe
Token: SeDebugPrivilege 4424 Scan002.exe.exe

pid	process
1664	schtasks.exe
3452	schtasks.exe
4496	schtasks.exe

pid	process
4776	Scan002.exe.exe
4424	Scan002.exe.exe
4424	Scan002.exe.exe
4424	Scan002.exe.exe

pid	process
4424	Scan002.exe.exe

description	pid	process
Token: SeDebugPrivilege	4776	Scan002.exe.exe
Token: SeDebugPrivilege	4424	Scan002.exe.exe
Token: SeDebugPrivilege	4424	Scan002.exe.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Scan002.exe.exeScan002.exe.exe

description	pid	process	target process
PID 4776 wrote to memory of 1664	4776	Scan002.exe.exe	schtasks.exe
PID 4776 wrote to memory of 1664	4776	Scan002.exe.exe	schtasks.exe
PID 4776 wrote to memory of 1664	4776	Scan002.exe.exe	schtasks.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4776 wrote to memory of 4424	4776	Scan002.exe.exe	Scan002.exe.exe
PID 4424 wrote to memory of 3452	4424	Scan002.exe.exe	schtasks.exe
PID 4424 wrote to memory of 3452	4424	Scan002.exe.exe	schtasks.exe
PID 4424 wrote to memory of 3452	4424	Scan002.exe.exe	schtasks.exe
PID 4424 wrote to memory of 4496	4424	Scan002.exe.exe	schtasks.exe
PID 4424 wrote to memory of 4496	4424	Scan002.exe.exe	schtasks.exe
PID 4424 wrote to memory of 4496	4424	Scan002.exe.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe
"C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UbebSiSIKndjd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCAC8.tmp"
2⤵
- Creates scheduled task(s)
PID:1664

C:\Users\Admin\AppData\Local\Temp\Scan002.exe.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCEA0.tmp"
3⤵
- Creates scheduled task(s)
PID:3452

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCEE0.tmp"
3⤵
- Creates scheduled task(s)
PID:4496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Scan002.exe.exe.log
MD5
ef140ef600b2463c9e7dbf064a104046

SHA1
c08fd1853877be95575ea2e860dd8cafef31f54c

SHA256
ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

SHA512
bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCAC8.tmp
MD5
c0c2dd8f323651f85289a710de8117b3

SHA1
df84465082664dd04b020fc0623ff4244b983987

SHA256
530589b946336af62254190a3705b0fe34487e7588c0929a002cb4b429b56a43

SHA512
c0f2706a781a9fe6cbd5fe8b3db5ff14387332055afbadba6dc6d0f3c01c0879d3967360e437eef8f33f883858320a2eb37cde27eee2135d02267d04f513d0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEA0.tmp
MD5
d0012a18a14a6cd74aed7e51145359ae

SHA1
e0bf7fd2cf291fe3ac6f28a3c6bddf82574d1a9a

SHA256
27193526db5391802b5b885ae0a04ea244164dc7e3407b83000e69efcb6a9998

SHA512
e9dc0e040cac08f476251ffc5eab8e2981b867c555b0728f165427eccd6970261ea3896ffc3f450a1c9d4aee6fe646fca8fcdbbd8ebf8670aead6401368d54aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEE0.tmp
MD5
eb527779d4a920bac8c3c59e8f4b4b4c

SHA1
4c9c48fd4ab89a983c87d810577133dc281160b4

SHA256
97a200adfccc855ed435941fe1453a6add1a66b8390d033279c2f1a6a64c26a2

SHA512
a48c1ca2310a4bceacca90d3b8748fdecc0169738905e0bc62a665ab048c1ae6bb801dc99f0f04d85287993c27bfd0a4e7f59d27a1c233b6662d6ba3ca586da0

Download Submit
memory/1664-2-0x0000000000000000-mapping.dmp

Download
memory/3452-7-0x0000000000000000-mapping.dmp

Download
memory/4424-4-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4424-5-0x000000000041E792-mapping.dmp

Download
memory/4496-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads