nanocore | 76ffd919e86b374004bcbc276cb6e18be4b63287d0ce6f7d9b1b756bfd79d47e

General

Target

company profile.scr
Size

1.4MB
MD5

02f3eef9da2ef90d0cf59bfaca176886
SHA1

6bca96158d72284a8b5a9e1fe01eb8504a1a05ff
SHA256

76ffd919e86b374004bcbc276cb6e18be4b63287d0ce6f7d9b1b756bfd79d47e
SHA512

ce64211fa30c6c1f8541d8889e0e373a829abd4e786b1ef6b473e851e9e7cf7c5109d0b2f85936494d4d3125cf63ffc6a282c75e1a34cdcf052111753ac35747

Score

10^/10

nanocore evasion keylogger ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kcfresh.duckdns.org:5050

kcfresh.ddns.net:5050

Mutex

0af7db9b-e643-4242-8d33-72a12cf49afa

Attributes

activate_away_mode
true
backup_connection_host
kcfresh.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-08-30T11:16:25.017143336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5050
default_group
ONGOD
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0af7db9b-e643-4242-8d33-72a12cf49afa
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kcfresh.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

company profile.scr

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA company profile.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082
Suspicious use of SetThreadContext 1 IoCs

Processes:

company profile.scr

description pid process target process

PID 880 set thread context of 332 880 company profile.scr company profile.scr
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1688 schtasks.exe
1648 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

company profile.scrcompany profile.scr

pid process

880 company profile.scr
880 company profile.scr
880 company profile.scr
332 company profile.scr
332 company profile.scr
332 company profile.scr
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

company profile.scr

pid process

332 company profile.scr
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

company profile.scrcompany profile.scr

description pid process

Token: SeDebugPrivilege 880 company profile.scr
Token: SeDebugPrivilege 332 company profile.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	company profile.scr

description	pid	process	target process
PID 880 set thread context of 332	880	company profile.scr	company profile.scr

pid	process
1688	schtasks.exe
1648	schtasks.exe

pid	process
880	company profile.scr
880	company profile.scr
880	company profile.scr
332	company profile.scr
332	company profile.scr
332	company profile.scr

pid	process
332	company profile.scr

description	pid	process
Token: SeDebugPrivilege	880	company profile.scr
Token: SeDebugPrivilege	332	company profile.scr

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

company profile.scrcompany profile.scr

description	pid	process	target process
PID 880 wrote to memory of 1688	880	company profile.scr	schtasks.exe
PID 880 wrote to memory of 1688	880	company profile.scr	schtasks.exe
PID 880 wrote to memory of 1688	880	company profile.scr	schtasks.exe
PID 880 wrote to memory of 1688	880	company profile.scr	schtasks.exe
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 880 wrote to memory of 332	880	company profile.scr	company profile.scr
PID 332 wrote to memory of 1648	332	company profile.scr	schtasks.exe
PID 332 wrote to memory of 1648	332	company profile.scr	schtasks.exe
PID 332 wrote to memory of 1648	332	company profile.scr	schtasks.exe
PID 332 wrote to memory of 1648	332	company profile.scr	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\company profile.scr
"C:\Users\Admin\AppData\Local\Temp\company profile.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UnShSbgF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB931.tmp"
2⤵
- Creates scheduled task(s)
PID:1688

C:\Users\Admin\AppData\Local\Temp\company profile.scr
"{path}"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBE5F.tmp"
3⤵
- Creates scheduled task(s)
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB931.tmp
MD5
03faaf08a924e5a6029de7019df13dc1

SHA1
357af48301f54f82688ff868d7eab2d6bd2f6672

SHA256
2e3632cd6221ef4c10d022753ce94e1b3266f8f541b98c6ad4f225b69ba16e1b

SHA512
8d1886415532ebd44e47d216c6626d7b53bc44f185c8f61d277b18834c7d8c1a2ff39ee9daf46d54503f8da10216e2181922c41eb5ac7b9363d749ed13f00575

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBE5F.tmp
MD5
67bc2a03290cda46ca32937084b2f24e

SHA1
7243d7baa72f70b9a4484a0ee624d60108db3f2e

SHA256
90c09575440dcfa12d3f1d6b2656e4c5f6b137af9afd60263d285e0fe2061262

SHA512
3e9fff4a093bf4471fbfd77dedcf20eb9def41f9d24adfdfeec87827dc7c5429074621e4343a049699b33c174f16e18a3c9740c230d8890b89d0f94b1ab88906

Download Submit
memory/332-16-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/332-13-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/332-21-0x0000000000460000-0x0000000000463000-memory.dmp

Filesize
12KB

Download
memory/332-20-0x00000000004E0000-0x00000000004F9000-memory.dmp

Filesize
100KB

Download
memory/332-19-0x0000000000450000-0x0000000000455000-memory.dmp

Filesize
20KB

Download
memory/332-14-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/332-11-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/332-12-0x000000000041E792-mapping.dmp

Download
memory/880-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/880-5-0x0000000000A00000-0x0000000000A8E000-memory.dmp

Filesize
568KB

Download
memory/880-6-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/880-3-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/880-8-0x00000000021C0000-0x0000000002212000-memory.dmp

Filesize
328KB

Download
memory/880-7-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/1648-17-0x0000000000000000-mapping.dmp

Download
memory/1688-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads