nanocore | 208caf830ee7e21732543dd4440d9908de1354ffc57e246339a9660c7609ce6f

General

Target

75fc4bd3b1f1d99b1f6ed722a1336296.exe
Size

1.8MB
MD5

75fc4bd3b1f1d99b1f6ed722a1336296
SHA1

0a37747013749af59be5767ecbffd1bf4a683b65
SHA256

208caf830ee7e21732543dd4440d9908de1354ffc57e246339a9660c7609ce6f
SHA512

351601b675388977066fac3f8cd790fa64fd6d29922a49a76431a08d5ac82c5590e8b3417633942ee36a37986ad99b9836d4ebeb7c09a4bfe9f7942c025c1722

Score

10^/10

nanocore evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu:2420

Mutex

9a83c6a0-5b64-416c-b0dc-d47048e32edf

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-11-08T01:17:30.860776436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2420
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9a83c6a0-5b64-416c-b0dc-d47048e32edf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dmjncbzvayuywqalponmcbvzcxhyuesgfhdnautwm.ydns.eu
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exe

pid	process
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exe

description pid process target process

PID 796 set thread context of 200 796 75fc4bd3b1f1d99b1f6ed722a1336296.exe 75fc4bd3b1f1d99b1f6ed722a1336296.exe

description	pid	process	target process
PID 796 set thread context of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Drops file in Program Files directory 2 IoCs

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1324 796 WerFault.exe 75fc4bd3b1f1d99b1f6ed722a1336296.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1096 schtasks.exe
3956 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

576 timeout.exe

pid	pid_target	process	target process
1324	796	WerFault.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe

pid	process
1096	schtasks.exe
3956	schtasks.exe

pid	process
576	timeout.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exeWerFault.exe75fc4bd3b1f1d99b1f6ed722a1336296.exe

pid	process
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
1324	WerFault.exe
200	75fc4bd3b1f1d99b1f6ed722a1336296.exe
200	75fc4bd3b1f1d99b1f6ed722a1336296.exe
200	75fc4bd3b1f1d99b1f6ed722a1336296.exe
200	75fc4bd3b1f1d99b1f6ed722a1336296.exe
200	75fc4bd3b1f1d99b1f6ed722a1336296.exe
200	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exe

pid process

200 75fc4bd3b1f1d99b1f6ed722a1336296.exe

pid	process
200	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.exeWerFault.exe75fc4bd3b1f1d99b1f6ed722a1336296.exe

description	pid	process
Token: SeDebugPrivilege	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe
Token: SeRestorePrivilege	1324	WerFault.exe
Token: SeBackupPrivilege	1324	WerFault.exe
Token: SeDebugPrivilege	1324	WerFault.exe
Token: SeDebugPrivilege	200	75fc4bd3b1f1d99b1f6ed722a1336296.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

75fc4bd3b1f1d99b1f6ed722a1336296.execmd.exe75fc4bd3b1f1d99b1f6ed722a1336296.exe

description	pid	process	target process
PID 796 wrote to memory of 2828	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	cmd.exe
PID 796 wrote to memory of 2828	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	cmd.exe
PID 796 wrote to memory of 2828	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	cmd.exe
PID 2828 wrote to memory of 576	2828	cmd.exe	timeout.exe
PID 2828 wrote to memory of 576	2828	cmd.exe	timeout.exe
PID 2828 wrote to memory of 576	2828	cmd.exe	timeout.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 796 wrote to memory of 200	796	75fc4bd3b1f1d99b1f6ed722a1336296.exe	75fc4bd3b1f1d99b1f6ed722a1336296.exe
PID 200 wrote to memory of 1096	200	75fc4bd3b1f1d99b1f6ed722a1336296.exe	schtasks.exe
PID 200 wrote to memory of 1096	200	75fc4bd3b1f1d99b1f6ed722a1336296.exe	schtasks.exe
PID 200 wrote to memory of 1096	200	75fc4bd3b1f1d99b1f6ed722a1336296.exe	schtasks.exe
PID 200 wrote to memory of 3956	200	75fc4bd3b1f1d99b1f6ed722a1336296.exe	schtasks.exe
PID 200 wrote to memory of 3956	200	75fc4bd3b1f1d99b1f6ed722a1336296.exe	schtasks.exe
PID 200 wrote to memory of 3956	200	75fc4bd3b1f1d99b1f6ed722a1336296.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\75fc4bd3b1f1d99b1f6ed722a1336296.exe
"C:\Users\Admin\AppData\Local\Temp\75fc4bd3b1f1d99b1f6ed722a1336296.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:576

C:\Users\Admin\AppData\Local\Temp\75fc4bd3b1f1d99b1f6ed722a1336296.exe
"C:\Users\Admin\AppData\Local\Temp\75fc4bd3b1f1d99b1f6ed722a1336296.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp69EB.tmp"
3⤵
- Creates scheduled task(s)
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6B24.tmp"
3⤵
- Creates scheduled task(s)
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1452
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp69EB.tmp

MD5
fa0614745927cd8150c9645f22e497cd

SHA1
fc50c9353fede1fb1aeb4ddd04b21ec6c5768702

SHA256
ec63f19d01724a3ee4c3550f7d82d3be5449f95191ddee342146d2d28c57b6c1

SHA512
72a260fa7a2993dbec57da6a1c4c40764411382aa6cf288dd3f970910d3ad45842250a8f6fbd5bcdc8d4f2057d810573dbd4c232af9a92afe922c9278e2ec472

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B24.tmp

MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/200-17-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/200-30-0x0000000005D10000-0x0000000005D13000-memory.dmp

Filesize
12KB

Download
memory/200-29-0x00000000059E0000-0x00000000059F9000-memory.dmp

Filesize
100KB

Download
memory/200-28-0x00000000058A0000-0x00000000058A5000-memory.dmp

Filesize
20KB

Download
memory/200-23-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/200-10-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/200-11-0x000000000041E792-mapping.dmp

Download
memory/200-21-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/200-13-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/576-8-0x0000000000000000-mapping.dmp

Download
memory/796-12-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/796-9-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/796-2-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/796-6-0x0000000000ED0000-0x0000000000F12000-memory.dmp

Filesize
264KB

Download
memory/796-5-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/796-3-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1096-24-0x0000000000000000-mapping.dmp

Download
memory/1324-19-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2828-7-0x0000000000000000-mapping.dmp

Download
memory/3956-26-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads