nanocore | c1fe3e56f08c36036a18d891a41fe2b59dbb1b6ba24e0d5237e05ed32c810390

General

Target

2208753-866432.exe
Size

819KB
MD5

9da635ac2ddb4110650e12cf1b49807d
SHA1

6596d90c96829258c22bf1a645b35db7ecfe6746
SHA256

c1fe3e56f08c36036a18d891a41fe2b59dbb1b6ba24e0d5237e05ed32c810390
SHA512

ee94c6707bde6537a322524833cf495323aca2be97fc24e797765491b911353e61034902670556f98e5fa17c225206e0816deba386e880f0205e2ebc9c05232c

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

fgtrert.duckdns.org:4948

qweerreww.duckdns.org:4948

Mutex

f9d67c34-3506-4888-9966-78d7bc0f3872

Attributes

activate_away_mode
true
backup_connection_host
qweerreww.duckdns.org
backup_dns_server
qweerreww.duckdns.org
buffer_size
65535
build_time
2020-11-08T18:33:11.699418536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4948
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f9d67c34-3506-4888-9966-78d7bc0f3872
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fgtrert.duckdns.org
primary_dns_server
fgtrert.duckdns.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2208753-866432.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2208753-866432.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2208753-866432.exe

description pid process target process

PID 816 set thread context of 3764 816 2208753-866432.exe 2208753-866432.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2208753-866432.exe

pid process

3764 2208753-866432.exe
3764 2208753-866432.exe
3764 2208753-866432.exe
3764 2208753-866432.exe
3764 2208753-866432.exe
3764 2208753-866432.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2208753-866432.exe

pid process

3764 2208753-866432.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2208753-866432.exe2208753-866432.exe

description pid process

Token: SeDebugPrivilege 816 2208753-866432.exe
Token: SeDebugPrivilege 3764 2208753-866432.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2208753-866432.exe

description	pid	process	target process
PID 816 set thread context of 3764	816	2208753-866432.exe	2208753-866432.exe

pid	process
3764	2208753-866432.exe
3764	2208753-866432.exe
3764	2208753-866432.exe
3764	2208753-866432.exe
3764	2208753-866432.exe
3764	2208753-866432.exe

pid	process
3764	2208753-866432.exe

description	pid	process
Token: SeDebugPrivilege	816	2208753-866432.exe
Token: SeDebugPrivilege	3764	2208753-866432.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2208753-866432.exe

description	pid	process	target process
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe
PID 816 wrote to memory of 3764	816	2208753-866432.exe	2208753-866432.exe

C:\Users\Admin\AppData\Local\Temp\2208753-866432.exe
"C:\Users\Admin\AppData\Local\Temp\2208753-866432.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\2208753-866432.exe
"{path}"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2208753-866432.exe.log

MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
memory/816-3-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/816-5-0x0000000007D60000-0x0000000007D61000-memory.dmp

Filesize
4KB

Download
memory/816-6-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/816-7-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/816-8-0x00000000078F0000-0x00000000078F1000-memory.dmp

Filesize
4KB

Download
memory/816-9-0x0000000007D50000-0x0000000007D54000-memory.dmp

Filesize
16KB

Download
memory/816-10-0x0000000002E70000-0x0000000002ECB000-memory.dmp

Filesize
364KB

Download
memory/816-11-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

Filesize
4KB

Download
memory/816-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3764-23-0x00000000050B0000-0x00000000050C9000-memory.dmp

Filesize
100KB

Download
memory/3764-28-0x0000000006360000-0x0000000006366000-memory.dmp

Filesize
24KB

Download
memory/3764-15-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3764-22-0x0000000004F30000-0x0000000004F35000-memory.dmp

Filesize
20KB

Download
memory/3764-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3764-24-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/3764-25-0x00000000051F0000-0x00000000051F3000-memory.dmp

Filesize
12KB

Download
memory/3764-26-0x0000000005210000-0x000000000521D000-memory.dmp

Filesize
52KB

Download
memory/3764-27-0x0000000005430000-0x0000000005445000-memory.dmp

Filesize
84KB

Download
memory/3764-13-0x000000000041E792-mapping.dmp

Download
memory/3764-29-0x0000000006370000-0x000000000637C000-memory.dmp

Filesize
48KB

Download
memory/3764-30-0x0000000006380000-0x0000000006387000-memory.dmp

Filesize
28KB

Download
memory/3764-31-0x0000000006390000-0x0000000006396000-memory.dmp

Filesize
24KB

Download
memory/3764-32-0x00000000063A0000-0x00000000063AD000-memory.dmp

Filesize
52KB

Download
memory/3764-33-0x00000000063B0000-0x00000000063B9000-memory.dmp

Filesize
36KB

Download
memory/3764-34-0x00000000063C0000-0x00000000063CF000-memory.dmp

Filesize
60KB

Download
memory/3764-35-0x00000000063E0000-0x00000000063EA000-memory.dmp

Filesize
40KB

Download
memory/3764-36-0x00000000063F0000-0x0000000006419000-memory.dmp

Filesize
164KB

Download
memory/3764-37-0x0000000006430000-0x000000000643F000-memory.dmp

Filesize
60KB

Download
memory/3764-38-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing