nanocore | f2206fc8580f9cb611e74d4070606043a81b5c0bd1bf7024da76545e48e81aa2

General

Target

CHT International.exe
Size

962KB
MD5

e2c47d253c496826365f96126fbd1ce1
SHA1

d3d866e2e9f30701eaf090a363492d187238d0ed
SHA256

f2206fc8580f9cb611e74d4070606043a81b5c0bd1bf7024da76545e48e81aa2
SHA512

4aa6e639c1e378cbf82b98c16b3001271457fbe67d9de57ca2d75109a8851aa7da77f4895c04ab1dbb40fb8f6a6aa74e91949b399f3c78bfc48b070328332930

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

fgtrert.duckdns.org:4948

qweerreww.duckdns.org:4948

Mutex

f9d67c34-3506-4888-9966-78d7bc0f3872

Attributes

activate_away_mode
true
backup_connection_host
qweerreww.duckdns.org
backup_dns_server
qweerreww.duckdns.org
buffer_size
65535
build_time
2020-11-08T18:33:11.699418536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4948
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f9d67c34-3506-4888-9966-78d7bc0f3872
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fgtrert.duckdns.org
primary_dns_server
fgtrert.duckdns.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

CHT International.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CHT International.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

CHT International.exe

description pid process target process

PID 496 set thread context of 2304 496 CHT International.exe CHT International.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

CHT International.exe

pid process

2304 CHT International.exe
2304 CHT International.exe
2304 CHT International.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CHT International.exe

pid process

2304 CHT International.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CHT International.exeCHT International.exe

description pid process

Token: SeDebugPrivilege 496 CHT International.exe
Token: SeDebugPrivilege 2304 CHT International.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CHT International.exe

description	pid	process	target process
PID 496 set thread context of 2304	496	CHT International.exe	CHT International.exe

pid	process
2304	CHT International.exe
2304	CHT International.exe
2304	CHT International.exe

pid	process
2304	CHT International.exe

description	pid	process
Token: SeDebugPrivilege	496	CHT International.exe
Token: SeDebugPrivilege	2304	CHT International.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

CHT International.exe

description	pid	process	target process
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe
PID 496 wrote to memory of 2304	496	CHT International.exe	CHT International.exe

C:\Users\Admin\AppData\Local\Temp\CHT International.exe
"C:\Users\Admin\AppData\Local\Temp\CHT International.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:496

C:\Users\Admin\AppData\Local\Temp\CHT International.exe
"{path}"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHT International.exe.log

MD5
b4f7a6a57cb46d94b72410eb6a6d45a9

SHA1
69f3596ffa027202d391444b769ceea0ae14c5f7

SHA256
23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

SHA512
be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

Download Submit
memory/496-7-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/496-3-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/496-6-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/496-2-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/496-11-0x00000000096D0000-0x00000000096D1000-memory.dmp

Filesize
4KB

Download
memory/496-9-0x0000000007680000-0x0000000007684000-memory.dmp

Filesize
16KB

Download
memory/496-5-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/496-10-0x0000000002690000-0x00000000026EB000-memory.dmp

Filesize
364KB

Download
memory/496-8-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download
memory/2304-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-15-0x0000000073AD0000-0x00000000741BE000-memory.dmp

Filesize
6.9MB

Download
memory/2304-13-0x000000000041E792-mapping.dmp

Download
memory/2304-22-0x00000000057C0000-0x00000000057C5000-memory.dmp

Filesize
20KB

Download
memory/2304-23-0x0000000005FC0000-0x0000000005FD9000-memory.dmp

Filesize
100KB

Download
memory/2304-24-0x00000000060F0000-0x00000000060F3000-memory.dmp

Filesize
12KB

Download
memory/2304-25-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing