nanocore | 7ef7ce0c066779863c31b25f016814f07fb6b940bb4957ee72eacee2f9a13ddc

General

Target

009CVHJR393024.exe
Size

755KB
MD5

187c9da5f62d3a607eb6ed956766d3d9
SHA1

806b3b923ded374e8aca787a8e9710bc305887c2
SHA256

7ef7ce0c066779863c31b25f016814f07fb6b940bb4957ee72eacee2f9a13ddc
SHA512

d703ef8d8b557a0adeb12d33457535201fc73e9e76498c264d441c9da581bfd7364f61aec1a601cb51f3ce2e8c69da12cd8226b8dd52e7acf8f6fd419f471593

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

strongodss.ddns.net:58103

79.134.225.43:58103

Mutex

572eb7a9-aedf-4b39-8669-f7563dab8a38

Attributes

activate_away_mode
false
backup_connection_host
79.134.225.43
backup_dns_server
buffer_size
65538
build_time
2020-08-31T08:01:57.275180636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
58103
default_group
GREAT
enable_debug_mode
true
gc_threshold
1.0485772e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.0485772e+07
mutex
572eb7a9-aedf-4b39-8669-f7563dab8a38
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
strongodss.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8009

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

009CVHJR393024.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	009CVHJR393024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	009CVHJR393024.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	RegSvcs.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

009CVHJR393024.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	009CVHJR393024.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	009CVHJR393024.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

009CVHJR393024.exe

description pid process target process

PID 648 set thread context of 3948 648 009CVHJR393024.exe RegSvcs.exe

description	pid	process	target process
PID 648 set thread context of 3948	648	009CVHJR393024.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1424 schtasks.exe
2116 schtasks.exe
1164 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

009CVHJR393024.exeRegSvcs.exe

pid process

648 009CVHJR393024.exe
3948 RegSvcs.exe
3948 RegSvcs.exe
3948 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

3948 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

009CVHJR393024.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 648 009CVHJR393024.exe
Token: SeDebugPrivilege 3948 RegSvcs.exe
Token: SeDebugPrivilege 3948 RegSvcs.exe

pid	process
1424	schtasks.exe
2116	schtasks.exe
1164	schtasks.exe

pid	process
648	009CVHJR393024.exe
3948	RegSvcs.exe
3948	RegSvcs.exe
3948	RegSvcs.exe

pid	process
3948	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	648	009CVHJR393024.exe
Token: SeDebugPrivilege	3948	RegSvcs.exe
Token: SeDebugPrivilege	3948	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

009CVHJR393024.exeRegSvcs.exe

description	pid	process	target process
PID 648 wrote to memory of 1424	648	009CVHJR393024.exe	schtasks.exe
PID 648 wrote to memory of 1424	648	009CVHJR393024.exe	schtasks.exe
PID 648 wrote to memory of 1424	648	009CVHJR393024.exe	schtasks.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 648 wrote to memory of 3948	648	009CVHJR393024.exe	RegSvcs.exe
PID 3948 wrote to memory of 2116	3948	RegSvcs.exe	schtasks.exe
PID 3948 wrote to memory of 2116	3948	RegSvcs.exe	schtasks.exe
PID 3948 wrote to memory of 2116	3948	RegSvcs.exe	schtasks.exe
PID 3948 wrote to memory of 1164	3948	RegSvcs.exe	schtasks.exe
PID 3948 wrote to memory of 1164	3948	RegSvcs.exe	schtasks.exe
PID 3948 wrote to memory of 1164	3948	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\009CVHJR393024.exe
"C:\Users\Admin\AppData\Local\Temp\009CVHJR393024.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVafXAJvNYI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D79.tmp"
2⤵
- Creates scheduled task(s)
PID:1424

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp353A.tmp"
3⤵
- Creates scheduled task(s)
PID:2116

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp35A8.tmp"
3⤵
- Creates scheduled task(s)
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2D79.tmp
MD5
aeb95524358c594c1ffb532ce018ad95

SHA1
80d9ac3991cb4828b6951355d3102ceae48861e4

SHA256
4a30705c2b0e07d64dd2748553eb5a7a95a21791392703ad7beaf62e5cc56698

SHA512
4495590916a9897788bad38fe94ec9dc686baf863663ff392daa976369b152ecce0ea3818a3f9bec65bc500591049e6d6979f2044e64f1a323b8880e303566e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp353A.tmp
MD5
40b11ef601fb28f9b2e69d36857bf2ec

SHA1
b6454020ad2ceed193f4792b77001d0bd741b370

SHA256
c51e12d18cc664425f6711d8ae2507068884c7057092cfa11884100e1e9d49e1

SHA512
e3c5bcc714cbfca4b8058ddcddf231dcefa69c15881ce3f8123e59ed45cfb5da052b56e1945dcf8dc7f800d62f9a4eecb82bca69a66a1530787aeffeb15e2bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp35A8.tmp
MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/648-2-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/648-3-0x0000000002601000-0x0000000002602000-memory.dmp

Filesize
4KB

Download
memory/1164-11-0x0000000000000000-mapping.dmp

Download
memory/1424-4-0x0000000000000000-mapping.dmp

Download
memory/2116-8-0x0000000000000000-mapping.dmp

Download
memory/3948-6-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3948-7-0x000000000041E792-mapping.dmp

Download
memory/3948-9-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/3948-13-0x0000000002E11000-0x0000000002E12000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads