nanocore | 66d2cbc64ba169d994da1f76587f48695ae0c3ec91fed8cb17c023e7370db0c9

General

Target

1514dad5fc756723d4c00e0817605ae9.exe
Size

1.8MB
MD5

1514dad5fc756723d4c00e0817605ae9
SHA1

ba60f92da33b83ec49dd2a80dcdaec358dfc4c53
SHA256

66d2cbc64ba169d994da1f76587f48695ae0c3ec91fed8cb17c023e7370db0c9
SHA512

7656d372e1972e21911017873a89b4959abc982d2535b20d03fca07ce4764b37b271c3fa27cf52c9815b3e53a11c38d451a8d32134c541721085c7856460b475

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu:2420

Mutex

9a83c6a0-5b64-416c-b0dc-d47048e32edf

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-08T01:17:30.860776436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2420
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9a83c6a0-5b64-416c-b0dc-d47048e32edf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	1514dad5fc756723d4c00e0817605ae9.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1514dad5fc756723d4c00e0817605ae9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

pid	process
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description pid process target process

PID 644 set thread context of 188 644 1514dad5fc756723d4c00e0817605ae9.exe 1514dad5fc756723d4c00e0817605ae9.exe

description	pid	process	target process
PID 644 set thread context of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe

Drops file in Program Files directory 2 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	1514dad5fc756723d4c00e0817605ae9.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	1514dad5fc756723d4c00e0817605ae9.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2608 644 WerFault.exe 1514dad5fc756723d4c00e0817605ae9.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3876 schtasks.exe
2132 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3148 timeout.exe

pid	pid_target	process	target process
2608	644	WerFault.exe	1514dad5fc756723d4c00e0817605ae9.exe

pid	process
3876	schtasks.exe
2132	schtasks.exe

pid	process
3148	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exeWerFault.exe1514dad5fc756723d4c00e0817605ae9.exe

pid	process
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
644	1514dad5fc756723d4c00e0817605ae9.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
188	1514dad5fc756723d4c00e0817605ae9.exe
188	1514dad5fc756723d4c00e0817605ae9.exe
188	1514dad5fc756723d4c00e0817605ae9.exe
188	1514dad5fc756723d4c00e0817605ae9.exe
188	1514dad5fc756723d4c00e0817605ae9.exe
188	1514dad5fc756723d4c00e0817605ae9.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exe

pid process

188 1514dad5fc756723d4c00e0817605ae9.exe

pid	process
188	1514dad5fc756723d4c00e0817605ae9.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.exeWerFault.exe1514dad5fc756723d4c00e0817605ae9.exe

description	pid	process
Token: SeDebugPrivilege	644	1514dad5fc756723d4c00e0817605ae9.exe
Token: SeRestorePrivilege	2608	WerFault.exe
Token: SeBackupPrivilege	2608	WerFault.exe
Token: SeDebugPrivilege	2608	WerFault.exe
Token: SeDebugPrivilege	188	1514dad5fc756723d4c00e0817605ae9.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

1514dad5fc756723d4c00e0817605ae9.execmd.exe1514dad5fc756723d4c00e0817605ae9.exe

description	pid	process	target process
PID 644 wrote to memory of 1068	644	1514dad5fc756723d4c00e0817605ae9.exe	cmd.exe
PID 644 wrote to memory of 1068	644	1514dad5fc756723d4c00e0817605ae9.exe	cmd.exe
PID 644 wrote to memory of 1068	644	1514dad5fc756723d4c00e0817605ae9.exe	cmd.exe
PID 1068 wrote to memory of 3148	1068	cmd.exe	timeout.exe
PID 1068 wrote to memory of 3148	1068	cmd.exe	timeout.exe
PID 1068 wrote to memory of 3148	1068	cmd.exe	timeout.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 644 wrote to memory of 188	644	1514dad5fc756723d4c00e0817605ae9.exe	1514dad5fc756723d4c00e0817605ae9.exe
PID 188 wrote to memory of 3876	188	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 188 wrote to memory of 3876	188	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 188 wrote to memory of 3876	188	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 188 wrote to memory of 2132	188	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 188 wrote to memory of 2132	188	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe
PID 188 wrote to memory of 2132	188	1514dad5fc756723d4c00e0817605ae9.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe
"C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3148

C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe
"C:\Users\Admin\AppData\Local\Temp\1514dad5fc756723d4c00e0817605ae9.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D56.tmp"
3⤵
- Creates scheduled task(s)
PID:3876

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6E51.tmp"
3⤵
- Creates scheduled task(s)
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1420
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D56.tmp

MD5
284bbc20466cbe9ba3462702e01c89d7

SHA1
13c946cedb05dd1fabf458ccc86fb2ff1bb35f50

SHA256
39e3f328609e5825954ce0dce32f4952b349cf758abbd1dde617114715859200

SHA512
2728465400c0f2ee4abb9eb67e6a382852f64e1ce0c253aeb2c52ed7163d609befe3f8e6946f288a04e857ac29870663615e490dbc95d4270a4a9a3328c34c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E51.tmp

MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/188-30-0x0000000005490000-0x0000000005493000-memory.dmp

Filesize
12KB

Download
memory/188-29-0x0000000005300000-0x0000000005319000-memory.dmp

Filesize
100KB

Download
memory/188-28-0x00000000052F0000-0x00000000052F5000-memory.dmp

Filesize
20KB

Download
memory/188-23-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/188-19-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/188-17-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/188-11-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/188-12-0x000000000041E792-mapping.dmp

Download
memory/188-13-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/644-10-0x00000000077E0000-0x00000000077E1000-memory.dmp

Filesize
4KB

Download
memory/644-9-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/644-2-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/644-6-0x0000000005410000-0x0000000005454000-memory.dmp

Filesize
272KB

Download
memory/644-5-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/644-3-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1068-7-0x0000000000000000-mapping.dmp

Download
memory/2132-26-0x0000000000000000-mapping.dmp

Download
memory/2608-20-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/3148-8-0x0000000000000000-mapping.dmp

Download
memory/3876-24-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads