nanocore | 66d2cbc64ba169d994da1f76587f48695ae0c3ec91fed8cb17c023e7370db0c9

General

Target

1514dad5fc756723d4c00e0817605ae9.exe
Size

1.8MB
MD5

1514dad5fc756723d4c00e0817605ae9
SHA1

ba60f92da33b83ec49dd2a80dcdaec358dfc4c53
SHA256

66d2cbc64ba169d994da1f76587f48695ae0c3ec91fed8cb17c023e7370db0c9
SHA512

7656d372e1972e21911017873a89b4959abc982d2535b20d03fca07ce4764b37b271c3fa27cf52c9815b3e53a11c38d451a8d32134c541721085c7856460b475

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu:2420

Mutex

9a83c6a0-5b64-416c-b0dc-d47048e32edf

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-08T01:17:30.860776436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2420
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9a83c6a0-5b64-416c-b0dc-d47048e32edf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"	1514dad5fc756723d4c00e0817605ae9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1514dad5fc756723d4c00e0817605ae9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

pid	process
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description pid process target process

PID 776 set thread context of 608 776 1514dad5fc756723d4c00e0817605ae9.exe 1514dad5fc756723d4c00e0817605ae9.exe

description	pid	process	target process
PID 776 set thread context of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe

Drops file in Program Files directory 2 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Host\wpahost.exe	1514dad5fc756723d4c00e0817605ae9.exe
File opened for modification	C:\Program Files (x86)\WPA Host\wpahost.exe	1514dad5fc756723d4c00e0817605ae9.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1772 schtasks.exe
808 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1968 timeout.exe

pid	process
1772	schtasks.exe
808	schtasks.exe

pid	process
1968	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe1514dad5fc756723d4c00e0817605ae9.exe

pid	process
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe
776	1514dad5fc756723d4c00e0817605ae9.exe
608	1514dad5fc756723d4c00e0817605ae9.exe
608	1514dad5fc756723d4c00e0817605ae9.exe
608	1514dad5fc756723d4c00e0817605ae9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

pid process

608 1514dad5fc756723d4c00e0817605ae9.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe1514dad5fc756723d4c00e0817605ae9.exe

description pid process

Token: SeDebugPrivilege 776 1514dad5fc756723d4c00e0817605ae9.exe
Token: SeDebugPrivilege 608 1514dad5fc756723d4c00e0817605ae9.exe

pid	process
608	1514dad5fc756723d4c00e0817605ae9.exe

description	pid	process
Token: SeDebugPrivilege	776	1514dad5fc756723d4c00e0817605ae9.exe
Token: SeDebugPrivilege	608	1514dad5fc756723d4c00e0817605ae9.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.execmd.exe1514dad5fc756723d4c00e0817605ae9.exe

description	pid	process	target process
PID 776 wrote to memory of 2036	776	1514dad5fc756723d4c00e0817605ae9.exe	cmd.exe
PID 776 wrote to memory of 2036	776	1514dad5fc756723d4c00e0817605ae9.exe	cmd.exe
PID 776 wrote to memory of 2036	776	1514dad5fc756723d4c00e0817605ae9.exe	cmd.exe
PID 776 wrote to memory of 2036	776	1514dad5fc756723d4c00e0817605ae9.exe	cmd.exe
PID 2036 wrote to memory of 1968	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 1968	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 1968	2036	cmd.exe	timeout.exe
PID 2036 wrote to memory of 1968	2036	cmd.exe	timeout.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 776 wrote to memory of 608	776	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 608 wrote to memory of 1772	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 608 wrote to memory of 1772	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 608 wrote to memory of 1772	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 608 wrote to memory of 1772	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 608 wrote to memory of 808	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 608 wrote to memory of 808	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 608 wrote to memory of 808	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 608 wrote to memory of 808	608	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe
"C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:1968

C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe
"C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp982.tmp"
3⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpACB.tmp"
3⤵
- Creates scheduled task(s)
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp982.tmp

MD5
284bbc20466cbe9ba3462702e01c89d7

SHA1
13c946cedb05dd1fabf458ccc86fb2ff1bb35f50

SHA256
39e3f328609e5825954ce0dce32f4952b349cf758abbd1dde617114715859200

SHA512
2728465400c0f2ee4abb9eb67e6a382852f64e1ce0c253aeb2c52ed7163d609befe3f8e6946f288a04e857ac29870663615e490dbc95d4270a4a9a3328c34c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpACB.tmp

MD5
819bdbdac3be050783d203020e6c4c30

SHA1
a373521fceb21cac8b93e55ee48578e40a6e740b

SHA256
0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053

SHA512
cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Download Submit
memory/608-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/608-14-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/608-21-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/608-9-0x000000000041E792-mapping.dmp

Download
memory/608-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/608-10-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/608-20-0x00000000003E0000-0x00000000003F9000-memory.dmp

Filesize
100KB

Download
memory/608-19-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/776-13-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/776-5-0x00000000004B0000-0x00000000004F4000-memory.dmp

Filesize
272KB

Download
memory/776-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/776-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/808-17-0x0000000000000000-mapping.dmp

Download
memory/1772-15-0x0000000000000000-mapping.dmp

Download
memory/1968-7-0x0000000000000000-mapping.dmp

Download
memory/2036-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads