nanocore | 86059a4b84489fb1b625b1eb2bdabcd88fb4226fb04b769fddfe0fbec40c28b5

General

Target

receipt.exe
Size

878KB
MD5

14e1ad7305a1a922bbfb27648409cece
SHA1

c8dde3f6c66237043e38e666305b103da6869367
SHA256

86059a4b84489fb1b625b1eb2bdabcd88fb4226fb04b769fddfe0fbec40c28b5
SHA512

b5cf896bd1b270db3dead0c15a746a191eb83af62034d96690e0381a9aa2a059d9cf039c6f86f5b8b6e0cc0b507363d41777589c14d2c157fd4ea61d7b9ac1d4

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

cldgr.duckdns.org:8008

127.0.0.1:8008

Mutex

e05d61c5-9a4c-422d-885b-a239d0634e5c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-12-22T19:42:47.139515236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8008
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
e05d61c5-9a4c-422d-885b-a239d0634e5c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
cldgr.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

receipt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"	receipt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

receipt.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA receipt.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

receipt.exe

description pid process target process

PID 1096 set thread context of 432 1096 receipt.exe receipt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	receipt.exe

description	pid	process	target process
PID 1096 set thread context of 432	1096	receipt.exe	receipt.exe

Drops file in Program Files directory 2 IoCs

Processes:

receipt.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Host\lanhost.exe	receipt.exe
File opened for modification	C:\Program Files (x86)\LAN Host\lanhost.exe	receipt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1640 schtasks.exe
1052 schtasks.exe
808 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

receipt.exereceipt.exe

pid process

1096 receipt.exe
1096 receipt.exe
1096 receipt.exe
432 receipt.exe
432 receipt.exe
432 receipt.exe
432 receipt.exe
432 receipt.exe
432 receipt.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

receipt.exe

pid process

432 receipt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

receipt.exereceipt.exe

description pid process

Token: SeDebugPrivilege 1096 receipt.exe
Token: SeDebugPrivilege 432 receipt.exe

pid	process
1640	schtasks.exe
1052	schtasks.exe
808	schtasks.exe

pid	process
1096	receipt.exe
1096	receipt.exe
1096	receipt.exe
432	receipt.exe
432	receipt.exe
432	receipt.exe
432	receipt.exe
432	receipt.exe
432	receipt.exe

pid	process
432	receipt.exe

description	pid	process
Token: SeDebugPrivilege	1096	receipt.exe
Token: SeDebugPrivilege	432	receipt.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

receipt.exereceipt.exe

description	pid	process	target process
PID 1096 wrote to memory of 1640	1096	receipt.exe	schtasks.exe
PID 1096 wrote to memory of 1640	1096	receipt.exe	schtasks.exe
PID 1096 wrote to memory of 1640	1096	receipt.exe	schtasks.exe
PID 1096 wrote to memory of 1640	1096	receipt.exe	schtasks.exe
PID 1096 wrote to memory of 1188	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 1188	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 1188	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 1188	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 1096 wrote to memory of 432	1096	receipt.exe	receipt.exe
PID 432 wrote to memory of 1052	432	receipt.exe	schtasks.exe
PID 432 wrote to memory of 1052	432	receipt.exe	schtasks.exe
PID 432 wrote to memory of 1052	432	receipt.exe	schtasks.exe
PID 432 wrote to memory of 1052	432	receipt.exe	schtasks.exe
PID 432 wrote to memory of 808	432	receipt.exe	schtasks.exe
PID 432 wrote to memory of 808	432	receipt.exe	schtasks.exe
PID 432 wrote to memory of 808	432	receipt.exe	schtasks.exe
PID 432 wrote to memory of 808	432	receipt.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\receipt.exe
"C:\Users\Admin\AppData\Local\Temp\receipt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGgdCdbL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB635.tmp"
2⤵
- Creates scheduled task(s)
PID:1640

C:\Users\Admin\AppData\Local\Temp\receipt.exe
"{path}"
2⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\receipt.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB9CD.tmp"
3⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBA5B.tmp"
3⤵
- Creates scheduled task(s)
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB635.tmp

MD5
dfb24ee9cac1d20fff2ab0b80a6edfb1

SHA1
02e092436b49ecfe96015266e1a4e26b674cd122

SHA256
78987908e253e4b85950ea763aed33b9958cb1958b44d7aaebf77b55d2b101c4

SHA512
c0403afb0b54cae7a6862928ad97348aa91d3e07d75a5cf31cc6fed7148154d13e8102456e727f8f149bbd8b8478a5bf7cac729236260c894d6ece08e62a84d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9CD.tmp

MD5
2237150f6585a5a008578ef40bb32466

SHA1
8f5e244b66d1a86a8592d014a817a467db467e49

SHA256
a697b23a9e986b47f4f19598de804dfc3e70c411dde186b9510152eb8655a649

SHA512
a72830c3d8d7e79567fd0a817f420593fe441104dd7406c5da9c7367363414e875df255ef6eb1142042f83fb15182eaa5fd1ca6d9070f2645c5e7af5c09e578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA5B.tmp

MD5
54865f98871478b2b88b7f8aa6100915

SHA1
6f8667f1ce25cebee2a7b460668736ff6bcfac54

SHA256
287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

SHA512
caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

Download Submit
memory/432-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/432-65-0x000000000041E792-mapping.dmp

Download
memory/432-67-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/808-70-0x0000000000000000-mapping.dmp

Download
memory/1052-68-0x0000000000000000-mapping.dmp

Download
memory/1096-59-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1096-60-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1096-61-0x00000000001A1000-0x00000000001A2000-memory.dmp

Filesize
4KB

Download
memory/1640-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads