nanocore | 44b244b665832f11995d435e978ca9cd406c7bc8816e68c23c4a22a51990b0fb

General

Target

TECHNICAL OFFERS.exe
Size

288KB
MD5

7d5e8d9809ed642c031226dc385f98f3
SHA1

eb5b7f5617e9cac86931c9a6fecff5dce2d975dd
SHA256

44b244b665832f11995d435e978ca9cd406c7bc8816e68c23c4a22a51990b0fb
SHA512

66e35ba5914b03fbe549f61aec7143daca89655faa60c58556b4038b8db1d03452a3e92cb30519a587ae2964de8c2399e992394e326ab7a401d3fffde8baef2d

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

mystupidfriend.duckdns.org:6578

Mutex

32885bce-b113-4152-91c6-9c705cad8fa3

Attributes

activate_away_mode
true
backup_connection_host
mystupidfriend.duckdns.org
backup_dns_server
mystupidfriend.duckdns.org
buffer_size
65535
build_time
2020-10-27T08:44:15.324888036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6578
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
32885bce-b113-4152-91c6-9c705cad8fa3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mystupidfriend.duckdns.org
primary_dns_server
mystupidfriend.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TECHNICAL OFFERS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	TECHNICAL OFFERS.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

TECHNICAL OFFERS.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA TECHNICAL OFFERS.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

TECHNICAL OFFERS.exe

description pid process target process

PID 1996 set thread context of 2824 1996 TECHNICAL OFFERS.exe TECHNICAL OFFERS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TECHNICAL OFFERS.exe

description	pid	process	target process
PID 1996 set thread context of 2824	1996	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe

Drops file in Program Files directory 2 IoCs

Processes:

TECHNICAL OFFERS.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	TECHNICAL OFFERS.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	TECHNICAL OFFERS.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1936 schtasks.exe
3292 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

TECHNICAL OFFERS.exe

pid process

2824 TECHNICAL OFFERS.exe
2824 TECHNICAL OFFERS.exe
2824 TECHNICAL OFFERS.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TECHNICAL OFFERS.exe

pid process

2824 TECHNICAL OFFERS.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

TECHNICAL OFFERS.exeTECHNICAL OFFERS.exeTECHNICAL OFFERS.exe

pid process

492 TECHNICAL OFFERS.exe
3176 TECHNICAL OFFERS.exe
1996 TECHNICAL OFFERS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TECHNICAL OFFERS.exe

description pid process

Token: SeDebugPrivilege 2824 TECHNICAL OFFERS.exe

pid	process
1936	schtasks.exe
3292	schtasks.exe

pid	process
2824	TECHNICAL OFFERS.exe
2824	TECHNICAL OFFERS.exe
2824	TECHNICAL OFFERS.exe

pid	process
2824	TECHNICAL OFFERS.exe

pid	process
492	TECHNICAL OFFERS.exe
3176	TECHNICAL OFFERS.exe
1996	TECHNICAL OFFERS.exe

description	pid	process
Token: SeDebugPrivilege	2824	TECHNICAL OFFERS.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

TECHNICAL OFFERS.exeTECHNICAL OFFERS.exeTECHNICAL OFFERS.exeTECHNICAL OFFERS.exe

description	pid	process	target process
PID 492 wrote to memory of 2716	492	TECHNICAL OFFERS.exe	cmd.exe
PID 492 wrote to memory of 2716	492	TECHNICAL OFFERS.exe	cmd.exe
PID 492 wrote to memory of 2716	492	TECHNICAL OFFERS.exe	cmd.exe
PID 492 wrote to memory of 3120	492	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 492 wrote to memory of 3120	492	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 492 wrote to memory of 3120	492	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 492 wrote to memory of 3176	492	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 492 wrote to memory of 3176	492	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 492 wrote to memory of 3176	492	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 3176 wrote to memory of 3028	3176	TECHNICAL OFFERS.exe	cmd.exe
PID 3176 wrote to memory of 3028	3176	TECHNICAL OFFERS.exe	cmd.exe
PID 3176 wrote to memory of 3028	3176	TECHNICAL OFFERS.exe	cmd.exe
PID 3176 wrote to memory of 3688	3176	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 3176 wrote to memory of 3688	3176	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 3176 wrote to memory of 3688	3176	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 3176 wrote to memory of 1996	3176	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 3176 wrote to memory of 1996	3176	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 3176 wrote to memory of 1996	3176	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 1996 wrote to memory of 2816	1996	TECHNICAL OFFERS.exe	cmd.exe
PID 1996 wrote to memory of 2816	1996	TECHNICAL OFFERS.exe	cmd.exe
PID 1996 wrote to memory of 2816	1996	TECHNICAL OFFERS.exe	cmd.exe
PID 1996 wrote to memory of 2824	1996	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 1996 wrote to memory of 2824	1996	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 1996 wrote to memory of 2824	1996	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 1996 wrote to memory of 2824	1996	TECHNICAL OFFERS.exe	TECHNICAL OFFERS.exe
PID 2824 wrote to memory of 1936	2824	TECHNICAL OFFERS.exe	schtasks.exe
PID 2824 wrote to memory of 1936	2824	TECHNICAL OFFERS.exe	schtasks.exe
PID 2824 wrote to memory of 1936	2824	TECHNICAL OFFERS.exe	schtasks.exe
PID 2824 wrote to memory of 3292	2824	TECHNICAL OFFERS.exe	schtasks.exe
PID 2824 wrote to memory of 3292	2824	TECHNICAL OFFERS.exe	schtasks.exe
PID 2824 wrote to memory of 3292	2824	TECHNICAL OFFERS.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
2⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
3⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe
"C:\Users\Admin\AppData\Local\Temp\TECHNICAL OFFERS.exe"
4⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp710F.tmp"
5⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp721A.tmp"
5⤵
- Creates scheduled task(s)
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp710F.tmp
MD5
f2eee8cfc479e25d22bbd29ed53c009a

SHA1
1fa54cca5b14d3c35c977456a1b706e34069e3aa

SHA256
3e1fa2229e7740810a39a25e9087adfb4506250606ffecf5a60a04871569b32f

SHA512
b655eb4dcae4f1699f6e8a2a3c0c3779a7b9a8286d75764bea4231473421206870d8a1c3e4704af138ebf272fae81dd89444136046c7bbae966c17225f6c2f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp721A.tmp
MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/1936-18-0x0000000000000000-mapping.dmp

Download
memory/1996-5-0x0000000000000000-mapping.dmp

Download
memory/1996-9-0x000000001BDF0000-0x000000001BE38000-memory.dmp

Filesize
288KB

Download
memory/2716-2-0x0000000000000000-mapping.dmp

Download
memory/2816-6-0x0000000000000000-mapping.dmp

Download
memory/2824-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2824-8-0x000000000040188B-mapping.dmp

Download
memory/2824-12-0x0000000002D10000-0x0000000002D43000-memory.dmp

Filesize
204KB

Download
memory/2824-14-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/2824-15-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/2824-16-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/2824-17-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2824-11-0x0000000073060000-0x000000007374E000-memory.dmp

Filesize
6.9MB

Download
memory/2824-24-0x0000000005840000-0x0000000005843000-memory.dmp

Filesize
12KB

Download
memory/2824-23-0x0000000005650000-0x0000000005669000-memory.dmp

Filesize
100KB

Download
memory/2824-22-0x0000000005460000-0x0000000005465000-memory.dmp

Filesize
20KB

Download
memory/3028-4-0x0000000000000000-mapping.dmp

Download
memory/3176-3-0x0000000000000000-mapping.dmp

Download
memory/3292-20-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads