nanocore | 9a74f71ee76b3652042a3f5e1f5e4a8bacc97a3c72b28baa37008169170ab980

General

Target

Orden n.º STL21119, pdf.exe
Size

1.0MB
MD5

35ac4ad018dc2bcdfaeff01decd3e8fe
SHA1

6dbe8e66f9e1c0f59169b7c7aff0bcdb9c789ecc
SHA256

9a74f71ee76b3652042a3f5e1f5e4a8bacc97a3c72b28baa37008169170ab980
SHA512

259b55ab84d7088d58c1e4c8c819fa84ef7591bfa9f4f16f21b5471ebb69bb984521447428e41f26a3e51cacc540c63bec1f39b126461af2270d1974bad5c495

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

graceland777.ddns.net:7771

Mutex

f7d05b5d-02c5-486b-afe2-be27c9d37bca

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-10-30T18:30:48.730556136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
true
connect_delay
3997
connection_port
7771
default_group
MAX GRACE
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f7d05b5d-02c5-486b-afe2-be27c9d37bca
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
graceland777.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WAN Service = "C:\\Program Files (x86)\\WAN Service\\wansv.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Orden n.º STL21119, pdf.exe

description pid process target process

PID 988 set thread context of 2688 988 Orden n.º STL21119, pdf.exe MSBuild.exe

description	pid	process	target process
PID 988 set thread context of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

MSBuild.exe

description	ioc	process
File created	C:\Program Files (x86)\WAN Service\wansv.exe	MSBuild.exe
File opened for modification	C:\Program Files (x86)\WAN Service\wansv.exe	MSBuild.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

312 schtasks.exe
432 schtasks.exe
2144 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Orden n.º STL21119, pdf.exeMSBuild.exe

pid process

988 Orden n.º STL21119, pdf.exe
2688 MSBuild.exe
2688 MSBuild.exe
2688 MSBuild.exe
2688 MSBuild.exe
2688 MSBuild.exe
2688 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

2688 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Orden n.º STL21119, pdf.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 988 Orden n.º STL21119, pdf.exe
Token: SeDebugPrivilege 2688 MSBuild.exe

pid	process
312	schtasks.exe
432	schtasks.exe
2144	schtasks.exe

pid	process
988	Orden n.º STL21119, pdf.exe
2688	MSBuild.exe
2688	MSBuild.exe
2688	MSBuild.exe
2688	MSBuild.exe
2688	MSBuild.exe
2688	MSBuild.exe

pid	process
2688	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	988	Orden n.º STL21119, pdf.exe
Token: SeDebugPrivilege	2688	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Orden n.º STL21119, pdf.exeMSBuild.exe

description	pid	process	target process
PID 988 wrote to memory of 312	988	Orden n.º STL21119, pdf.exe	schtasks.exe
PID 988 wrote to memory of 312	988	Orden n.º STL21119, pdf.exe	schtasks.exe
PID 988 wrote to memory of 312	988	Orden n.º STL21119, pdf.exe	schtasks.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 988 wrote to memory of 2688	988	Orden n.º STL21119, pdf.exe	MSBuild.exe
PID 2688 wrote to memory of 432	2688	MSBuild.exe	schtasks.exe
PID 2688 wrote to memory of 432	2688	MSBuild.exe	schtasks.exe
PID 2688 wrote to memory of 432	2688	MSBuild.exe	schtasks.exe
PID 2688 wrote to memory of 2144	2688	MSBuild.exe	schtasks.exe
PID 2688 wrote to memory of 2144	2688	MSBuild.exe	schtasks.exe
PID 2688 wrote to memory of 2144	2688	MSBuild.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Orden n.º STL21119, pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Orden n.º STL21119, pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kSLtgWcvnYChD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp"
2⤵
- Creates scheduled task(s)
PID:312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDAF4.tmp"
3⤵
- Creates scheduled task(s)
PID:432

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp"
3⤵
- Creates scheduled task(s)
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD71C.tmp
MD5
bd1d114ce4f1aca78775ed73046afe70

SHA1
fc57360f36695f3cd0ebf6445709b2f2851f0dca

SHA256
a1e9b00e1a1c44f22a8658a31759f1c331dce629eed69a492cb825d3f6fc4c48

SHA512
95cfa710a43ee48d2fe13792e57e903392f41c2bd6dc9027c898e103279ac570f2afb573ce133d2715bd47eca206a5b42f7a2ead8a339087230df1fd9be74a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAF4.tmp
MD5
ae766004c0d8792953bafffe8f6a2e3b

SHA1
14b12f27543a401e2fe0af8052e116cab0032426

SHA256
1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540

SHA512
e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB43.tmp
MD5
eb527779d4a920bac8c3c59e8f4b4b4c

SHA1
4c9c48fd4ab89a983c87d810577133dc281160b4

SHA256
97a200adfccc855ed435941fe1453a6add1a66b8390d033279c2f1a6a64c26a2

SHA512
a48c1ca2310a4bceacca90d3b8748fdecc0169738905e0bc62a665ab048c1ae6bb801dc99f0f04d85287993c27bfd0a4e7f59d27a1c233b6662d6ba3ca586da0

Download Submit
memory/312-3-0x0000000000000000-mapping.dmp

Download
memory/432-7-0x0000000000000000-mapping.dmp

Download
memory/988-2-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2144-10-0x0000000000000000-mapping.dmp

Download
memory/2688-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2688-6-0x000000000041E792-mapping.dmp

Download
memory/2688-9-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/2688-12-0x0000000001271000-0x0000000001272000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads