nanocore | 274e4f123b2129e9e8d7f6eb638e3dc5fddf524781b1a7b2819b7cc6c8ca2a89

General

Target

MRC20201030XMY, pdf.exe
Size

680KB
MD5

745a0884f13a2c9fac2d787e7454160f
SHA1

ed1c474eb18b804a4b3270ce6ea4a7f8c6d27291
SHA256

274e4f123b2129e9e8d7f6eb638e3dc5fddf524781b1a7b2819b7cc6c8ca2a89
SHA512

ac010dd0512e112b7556541d555cb25d126c87017f0d4f1c01ccab52446693a30f6a5593ba1bce0545e89fc3ba179ce3b28327f5b931ac98d5b5dae867ed8e58

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

graceland777.ddns.net:7771

Mutex

88abe1b7-73a7-478a-80b3-05251cbe93c2

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-10T18:05:18.611593036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
7771
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
88abe1b7-73a7-478a-80b3-05251cbe93c2
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
graceland777.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Suspicious use of SetThreadContext 2 IoCs

Processes:

MRC20201030XMY, pdf.exeRegSvcs.exe

description	pid	process	target process
PID 636 set thread context of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 1968 set thread context of 2756	1968	RegSvcs.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

pid process

1968 RegSvcs.exe
2756 RegSvcs.exe
2756 RegSvcs.exe
2756 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

2756 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1968 RegSvcs.exe
Token: SeDebugPrivilege 2756 RegSvcs.exe

pid	process
1968	RegSvcs.exe
2756	RegSvcs.exe
2756	RegSvcs.exe
2756	RegSvcs.exe

pid	process
2756	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1968	RegSvcs.exe
Token: SeDebugPrivilege	2756	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

MRC20201030XMY, pdf.exeRegSvcs.exe

description	pid	process	target process
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 636 wrote to memory of 1968	636	MRC20201030XMY, pdf.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe
PID 1968 wrote to memory of 2756	1968	RegSvcs.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\MRC20201030XMY, pdf.exe
"C:\Users\Admin\AppData\Local\Temp\MRC20201030XMY, pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-2-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

Filesize
4KB

Download
memory/1968-3-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1968-4-0x0000000000465A6E-mapping.dmp

Download
memory/1968-5-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/1968-6-0x00000000031B1000-0x00000000031B2000-memory.dmp

Filesize
4KB

Download
memory/2756-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-8-0x000000000041E792-mapping.dmp

Download
memory/2756-9-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2756-10-0x00000000028A1000-0x00000000028A2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing