nanocore | 29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891

General

Target

DINTEC PO.exe
Size

842KB
MD5

f1d00b68162820d29eb884a91b9e6a09
SHA1

406621cc2e30d19645513296fe1c5f50dd6c3848
SHA256

29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891
SHA512

b9098f02c929f9a59b4adb846b47152d8ee69261d14558b3c2bf3bafd35ac2a81e690c02c1f5dc6f6bef694e4f79f668fbc16a20ab747914c570abe8f22901fe

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

mnvh54254.ddns.net:6653

Mutex

ffdfcbd2-3989-4236-a47d-b9533fb19ad2

Attributes

activate_away_mode
true
backup_connection_host
mnvh54254.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-10-23T12:25:44.065726836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
true
connect_delay
4000
connection_port
6653
default_group
AMMAGEDOM001
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ffdfcbd2-3989-4236-a47d-b9533fb19ad2
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
mnvh54254.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

a.exeInstallUtil.exe

pid process

308 a.exe
616 InstallUtil.exe
Drops startup file 1 IoCs

Processes:

DINTEC PO.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk DINTEC PO.exe
Loads dropped DLL 2 IoCs

Processes:

DINTEC PO.exea.exe

pid process

1824 DINTEC PO.exe
308 a.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
308	a.exe
616	InstallUtil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk	DINTEC PO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	InstallUtil.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

InstallUtil.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA InstallUtil.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallUtil.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a.exeInstallUtil.exe

description	pid	process	target process
PID 308 set thread context of 616	308	a.exe	InstallUtil.exe
PID 616 set thread context of 884	616	InstallUtil.exe	vbc.exe
PID 616 set thread context of 1348	616	InstallUtil.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	InstallUtil.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DINTEC PO.exea.exeInstallUtil.exe

pid	process
1824	DINTEC PO.exe
1824	DINTEC PO.exe
1824	DINTEC PO.exe
1824	DINTEC PO.exe
1824	DINTEC PO.exe
308	a.exe
308	a.exe
616	InstallUtil.exe
616	InstallUtil.exe
616	InstallUtil.exe
616	InstallUtil.exe
616	InstallUtil.exe
616	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

616 InstallUtil.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DINTEC PO.exea.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 1824 DINTEC PO.exe
Token: SeDebugPrivilege 308 a.exe
Token: SeDebugPrivilege 616 InstallUtil.exe

pid	process
616	InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1824	DINTEC PO.exe
Token: SeDebugPrivilege	308	a.exe
Token: SeDebugPrivilege	616	InstallUtil.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

DINTEC PO.exea.exeInstallUtil.exe

description	pid	process	target process
PID 1824 wrote to memory of 308	1824	DINTEC PO.exe	a.exe
PID 1824 wrote to memory of 308	1824	DINTEC PO.exe	a.exe
PID 1824 wrote to memory of 308	1824	DINTEC PO.exe	a.exe
PID 1824 wrote to memory of 308	1824	DINTEC PO.exe	a.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 308 wrote to memory of 616	308	a.exe	InstallUtil.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 884	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe
PID 616 wrote to memory of 1348	616	InstallUtil.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\DINTEC PO.exe
"C:\Users\Admin\AppData\Local\Temp\DINTEC PO.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\pn5ubd5l.pcm"
4⤵
PID:884

\??\c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe
"c:\windows\microsoft.net\framework\v4.0.30319\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\dx3mumjx.ltl"
4⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dx3mumjx.ltl
MD5
919e671c3d5959a91ef2d4c377d2b2ff

SHA1
b1202b19512bbd390d3d5164792501c87bb42c41

SHA256
d2e079df7cf6388315368ba79bf099ad2ff5428af51bf5abf2d99a2d7c5eb651

SHA512
f3298256372beab8efe81b2e08d3b3869281f625de1ee13189c6b95eb2134d223df6f64cc9e490dd6b52a53aa936adc17bd5dfe4e50ee0fe420f3ebae276381c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pn5ubd5l.pcm
MD5
69b2a2e17e78d24abee9f1de2f04811a

SHA1
d19c109704e83876ab3527457f9418a7d053aa33

SHA256
1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd

SHA512
eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe
MD5
f1d00b68162820d29eb884a91b9e6a09

SHA1
406621cc2e30d19645513296fe1c5f50dd6c3848

SHA256
29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891

SHA512
b9098f02c929f9a59b4adb846b47152d8ee69261d14558b3c2bf3bafd35ac2a81e690c02c1f5dc6f6bef694e4f79f668fbc16a20ab747914c570abe8f22901fe

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe
MD5
f1d00b68162820d29eb884a91b9e6a09

SHA1
406621cc2e30d19645513296fe1c5f50dd6c3848

SHA256
29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891

SHA512
b9098f02c929f9a59b4adb846b47152d8ee69261d14558b3c2bf3bafd35ac2a81e690c02c1f5dc6f6bef694e4f79f668fbc16a20ab747914c570abe8f22901fe

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Roaming\a.exe
MD5
f1d00b68162820d29eb884a91b9e6a09

SHA1
406621cc2e30d19645513296fe1c5f50dd6c3848

SHA256
29800b7d8e8c3c60918a37c992a2890b4ccf9e4e0c949accd48821302d0f2891

SHA512
b9098f02c929f9a59b4adb846b47152d8ee69261d14558b3c2bf3bafd35ac2a81e690c02c1f5dc6f6bef694e4f79f668fbc16a20ab747914c570abe8f22901fe

Download Submit
memory/308-8-0x0000000000000000-mapping.dmp

Download
memory/308-11-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/308-12-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/308-16-0x00000000006E0000-0x00000000006EB000-memory.dmp

Filesize
44KB

Download
memory/308-17-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/616-30-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/616-36-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/616-21-0x000000000041E792-mapping.dmp

Download
memory/616-40-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/616-23-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/616-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/616-25-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/616-28-0x0000000000660000-0x0000000000665000-memory.dmp

Filesize
20KB

Download
memory/616-29-0x00000000006B0000-0x00000000006C9000-memory.dmp

Filesize
100KB

Download
memory/616-41-0x00000000021E0000-0x0000000002209000-memory.dmp

Filesize
164KB

Download
memory/616-31-0x00000000007D0000-0x00000000007DD000-memory.dmp

Filesize
52KB

Download
memory/616-32-0x00000000007E0000-0x00000000007F5000-memory.dmp

Filesize
84KB

Download
memory/616-35-0x00000000008C0000-0x00000000008C7000-memory.dmp

Filesize
28KB

Download
memory/616-38-0x0000000000970000-0x0000000000979000-memory.dmp

Filesize
36KB

Download
memory/616-37-0x0000000000920000-0x000000000092D000-memory.dmp

Filesize
52KB

Download
memory/616-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/616-34-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/616-33-0x0000000000850000-0x0000000000856000-memory.dmp

Filesize
24KB

Download
memory/616-39-0x0000000000980000-0x000000000098F000-memory.dmp

Filesize
60KB

Download
memory/616-42-0x0000000000AA0000-0x0000000000AAF000-memory.dmp

Filesize
60KB

Download
memory/884-43-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/884-44-0x0000000000411654-mapping.dmp

Download
memory/884-45-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1348-47-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1348-48-0x0000000000442628-mapping.dmp

Download
memory/1348-49-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1824-2-0x0000000073980000-0x000000007406E000-memory.dmp

Filesize
6.9MB

Download
memory/1824-6-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1824-5-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/1824-50-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp

Filesize
2.5MB

Download
memory/1824-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads