nanocore | 44b244b665832f11995d435e978ca9cd406c7bc8816e68c23c4a22a51990b0fb

General

Target

TECHNICAL OFFERS.exe
Size

288KB
MD5

7d5e8d9809ed642c031226dc385f98f3
SHA1

eb5b7f5617e9cac86931c9a6fecff5dce2d975dd
SHA256

44b244b665832f11995d435e978ca9cd406c7bc8816e68c23c4a22a51990b0fb
SHA512

66e35ba5914b03fbe549f61aec7143daca89655faa60c58556b4038b8db1d03452a3e92cb30519a587ae2964de8c2399e992394e326ab7a401d3fffde8baef2d

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

mystupidfriend.duckdns.org:6578

Mutex

32885bce-b113-4152-91c6-9c705cad8fa3

Attributes

activate_away_mode
true
backup_connection_host
mystupidfriend.duckdns.org
backup_dns_server
mystupidfriend.duckdns.org
buffer_size
65535
build_time
2020-10-27T08:44:15.324888036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6578
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
32885bce-b113-4152-91c6-9c705cad8fa3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mystupidfriend.duckdns.org
primary_dns_server
mystupidfriend.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TECHNICAL OFFERS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	TECHNICAL OFFERS.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

TECHNICAL OFFERS.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA TECHNICAL OFFERS.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

TECHNICAL OFFERS.exe

description pid process target process

PID 848 set thread context of 2008 848 TECHNICAL OFFERS.exe TECHNICAL OFFERS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TECHNICAL OFFERS.exe

description	pid	process	target process
PID 848 set thread context of 2008	848	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe

Drops file in Program Files directory 2 IoCs

Processes:

TECHNICAL OFFERS.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	TECHNICAL OFFERS.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	TECHNICAL OFFERS.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2044 schtasks.exe
1980 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

TECHNICAL OFFERS.exe

pid process

2008 TECHNICAL OFFERS.exe
2008 TECHNICAL OFFERS.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TECHNICAL OFFERS.exe

pid process

2008 TECHNICAL OFFERS.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

TECHNICAL OFFERS.exe

pid process

848 TECHNICAL OFFERS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TECHNICAL OFFERS.exe

description pid process

Token: SeDebugPrivilege 2008 TECHNICAL OFFERS.exe

pid	process
2044	schtasks.exe
1980	schtasks.exe

pid	process
2008	TECHNICAL OFFERS.exe
2008	TECHNICAL OFFERS.exe

pid	process
2008	TECHNICAL OFFERS.exe

pid	process
848	TECHNICAL OFFERS.exe

description	pid	process
Token: SeDebugPrivilege	2008	TECHNICAL OFFERS.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

TECHNICAL OFFERS.exeTECHNICAL OFFERS.exe

description	pid	process	target process
PID 848 wrote to memory of 1996	848	TECHNICAL OFFERS.exe	cmd.exe
PID 848 wrote to memory of 1996	848	TECHNICAL OFFERS.exe	cmd.exe
PID 848 wrote to memory of 1996	848	TECHNICAL OFFERS.exe	cmd.exe
PID 848 wrote to memory of 1996	848	TECHNICAL OFFERS.exe	cmd.exe
PID 848 wrote to memory of 2008	848	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 848 wrote to memory of 2008	848	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 848 wrote to memory of 2008	848	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 848 wrote to memory of 2008	848	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 848 wrote to memory of 2008	848	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 2008 wrote to memory of 1980	2008	TECHNICAL OFFERS.exe	schtasks.exe
PID 2008 wrote to memory of 1980	2008	TECHNICAL OFFERS.exe	schtasks.exe
PID 2008 wrote to memory of 1980	2008	TECHNICAL OFFERS.exe	schtasks.exe
PID 2008 wrote to memory of 1980	2008	TECHNICAL OFFERS.exe	schtasks.exe
PID 2008 wrote to memory of 2044	2008	TECHNICAL OFFERS.exe	schtasks.exe
PID 2008 wrote to memory of 2044	2008	TECHNICAL OFFERS.exe	schtasks.exe
PID 2008 wrote to memory of 2044	2008	TECHNICAL OFFERS.exe	schtasks.exe
PID 2008 wrote to memory of 2044	2008	TECHNICAL OFFERS.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp"
3⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp"
3⤵
- Creates scheduled task(s)
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp19D7.tmp
MD5
f2eee8cfc479e25d22bbd29ed53c009a

SHA1
1fa54cca5b14d3c35c977456a1b706e34069e3aa

SHA256
3e1fa2229e7740810a39a25e9087adfb4506250606ffecf5a60a04871569b32f

SHA512
b655eb4dcae4f1699f6e8a2a3c0c3779a7b9a8286d75764bea4231473421206870d8a1c3e4704af138ebf272fae81dd89444136046c7bbae966c17225f6c2f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp
MD5
819bdbdac3be050783d203020e6c4c30

SHA1
a373521fceb21cac8b93e55ee48578e40a6e740b

SHA256
0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053

SHA512
cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Download Submit
memory/1980-9-0x0000000000000000-mapping.dmp

Download
memory/1996-2-0x0000000000000000-mapping.dmp

Download
memory/2008-5-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2008-6-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-7-0x00000000004F0000-0x0000000000523000-memory.dmp

Filesize
204KB

Download
memory/2008-4-0x000000000040188B-mapping.dmp

Download
memory/2008-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2008-13-0x0000000000A90000-0x0000000000A95000-memory.dmp

Filesize
20KB

Download
memory/2008-14-0x0000000000AE0000-0x0000000000AF9000-memory.dmp

Filesize
100KB

Download
memory/2008-15-0x0000000000B10000-0x0000000000B13000-memory.dmp

Filesize
12KB

Download
memory/2044-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads