nanocore | fe480193c8817ca0d9dd2cdd6b679175b55c4f12bf55478d775298093191f31e

General

Target

DHL AWB TRACKNG DETAIL.exe
Size

379KB
MD5

7936b78bca1d7e23aa203369563ef9e5
SHA1

ee99523f6456a4ba9d026ecee447116ac43f25ac
SHA256

4810afd49cb35f756bab13c854922461be237236e455f7d07b32517cbc95a9a6
SHA512

bc74f50c35f0007c7bd52b55a501992729fd96e29c8d2646843bd1ab7a20dfaf3d3582176a168ec2f38aab0b2fc9d13aa24745e0a6b24d207132519db5d727a8

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dunga.duckdns.org:9087

Mutex

91b56d86-44e9-4ab8-b650-866edac2901e

Attributes

activate_away_mode
true
backup_connection_host
dunga.duckdns.org
backup_dns_server
dunga.duckdns.org
buffer_size
65535
build_time
2021-01-25T17:53:41.406526036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9087
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
91b56d86-44e9-4ab8-b650-866edac2901e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dunga.duckdns.org
primary_dns_server
dunga.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 3 IoCs

Processes:

1lK8eDHXOrfuAIz.exeCTS.exe1lK8eDHXOrfuAIz.exe

pid process

200 1lK8eDHXOrfuAIz.exe
3840 CTS.exe
2728 1lK8eDHXOrfuAIz.exe
Loads dropped DLL 1 IoCs

Processes:

1lK8eDHXOrfuAIz.exe

pid process

200 1lK8eDHXOrfuAIz.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
200	1lK8eDHXOrfuAIz.exe
3840	CTS.exe
2728	1lK8eDHXOrfuAIz.exe

pid	process
200	1lK8eDHXOrfuAIz.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DHL AWB TRACKNG DETAIL.exeCTS.exe1lK8eDHXOrfuAIz.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	DHL AWB TRACKNG DETAIL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	DHL AWB TRACKNG DETAIL.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"	1lK8eDHXOrfuAIz.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

1lK8eDHXOrfuAIz.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1lK8eDHXOrfuAIz.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1lK8eDHXOrfuAIz.exe

description pid process target process

PID 200 set thread context of 2728 200 1lK8eDHXOrfuAIz.exe 1lK8eDHXOrfuAIz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1lK8eDHXOrfuAIz.exe

description	pid	process	target process
PID 200 set thread context of 2728	200	1lK8eDHXOrfuAIz.exe	1lK8eDHXOrfuAIz.exe

Drops file in Program Files directory 2 IoCs

Processes:

1lK8eDHXOrfuAIz.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Manager\issmgr.exe	1lK8eDHXOrfuAIz.exe
File opened for modification	C:\Program Files (x86)\ISS Manager\issmgr.exe	1lK8eDHXOrfuAIz.exe

Drops file in Windows directory 2 IoCs

Processes:

CTS.exeDHL AWB TRACKNG DETAIL.exe

description ioc process

File created C:\Windows\CTS.exe CTS.exe
File created C:\Windows\CTS.exe DHL AWB TRACKNG DETAIL.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\CTS.exe	CTS.exe
File created	C:\Windows\CTS.exe	DHL AWB TRACKNG DETAIL.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3360 schtasks.exe
2220 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

1lK8eDHXOrfuAIz.exe

pid process

2728 1lK8eDHXOrfuAIz.exe
2728 1lK8eDHXOrfuAIz.exe
2728 1lK8eDHXOrfuAIz.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

1lK8eDHXOrfuAIz.exe

pid process

2728 1lK8eDHXOrfuAIz.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1lK8eDHXOrfuAIz.exe

pid process

200 1lK8eDHXOrfuAIz.exe

pid	process
3360	schtasks.exe
2220	schtasks.exe

pid	process
2728	1lK8eDHXOrfuAIz.exe
2728	1lK8eDHXOrfuAIz.exe
2728	1lK8eDHXOrfuAIz.exe

pid	process
2728	1lK8eDHXOrfuAIz.exe

pid	process
200	1lK8eDHXOrfuAIz.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DHL AWB TRACKNG DETAIL.exeCTS.exe1lK8eDHXOrfuAIz.exe

description	pid	process
Token: SeDebugPrivilege	2672	DHL AWB TRACKNG DETAIL.exe
Token: SeDebugPrivilege	3840	CTS.exe
Token: SeDebugPrivilege	2728	1lK8eDHXOrfuAIz.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

DHL AWB TRACKNG DETAIL.exe1lK8eDHXOrfuAIz.exe1lK8eDHXOrfuAIz.exe

description	pid	process	target process
PID 2672 wrote to memory of 200	2672	DHL AWB TRACKNG DETAIL.exe	1lK8eDHXOrfuAIz.exe
PID 2672 wrote to memory of 200	2672	DHL AWB TRACKNG DETAIL.exe	1lK8eDHXOrfuAIz.exe
PID 2672 wrote to memory of 200	2672	DHL AWB TRACKNG DETAIL.exe	1lK8eDHXOrfuAIz.exe
PID 2672 wrote to memory of 3840	2672	DHL AWB TRACKNG DETAIL.exe	CTS.exe
PID 2672 wrote to memory of 3840	2672	DHL AWB TRACKNG DETAIL.exe	CTS.exe
PID 2672 wrote to memory of 3840	2672	DHL AWB TRACKNG DETAIL.exe	CTS.exe
PID 200 wrote to memory of 2728	200	1lK8eDHXOrfuAIz.exe	1lK8eDHXOrfuAIz.exe
PID 200 wrote to memory of 2728	200	1lK8eDHXOrfuAIz.exe	1lK8eDHXOrfuAIz.exe
PID 200 wrote to memory of 2728	200	1lK8eDHXOrfuAIz.exe	1lK8eDHXOrfuAIz.exe
PID 200 wrote to memory of 2728	200	1lK8eDHXOrfuAIz.exe	1lK8eDHXOrfuAIz.exe
PID 2728 wrote to memory of 3360	2728	1lK8eDHXOrfuAIz.exe	schtasks.exe
PID 2728 wrote to memory of 3360	2728	1lK8eDHXOrfuAIz.exe	schtasks.exe
PID 2728 wrote to memory of 3360	2728	1lK8eDHXOrfuAIz.exe	schtasks.exe
PID 2728 wrote to memory of 2220	2728	1lK8eDHXOrfuAIz.exe	schtasks.exe
PID 2728 wrote to memory of 2220	2728	1lK8eDHXOrfuAIz.exe	schtasks.exe
PID 2728 wrote to memory of 2220	2728	1lK8eDHXOrfuAIz.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKNG DETAIL.exe
"C:\Users\Admin\AppData\Local\Temp\DHL AWB TRACKNG DETAIL.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp"
4⤵
- Creates scheduled task(s)
PID:3360

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1E4C.tmp"
4⤵
- Creates scheduled task(s)
PID:2220

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1lK8eDHXOrfuAIz.exe
MD5
ad87becb87d4e0d8b6e026219159e9ee

SHA1
b800f8be72d8cfd4710d2fe1947a3abc88489b19

SHA256
29cb152e132ba4da36eeda013e0f55845422246db700b7fabfdda1e49b71b464

SHA512
3adea41b7ec89df5b3ac28beb0e20654a9a0ed26d75916cdd729b4d38e9ded644bce053860670b5120e1fde6814972ecc3f4744e9d563ea2f044bcfd8aa3f3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DCE.tmp
MD5
ec1ec9bbee42428fedff60bfdab0dac4

SHA1
ae3e9d8ea3ecd927f607c036665366529e515f24

SHA256
a3d90180e62b24e5d419afc3b9aebfad612d8f607bc93fedae2bb653a56d48cc

SHA512
6c291348927fa047dbd92f00ac608cf871ba10eefa5ca4781904503a5c5c4df6f3a377495188f50fe721d4a2df7ca7c5c4cd59340e96e821d91a6958c72c75f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E4C.tmp
MD5
ea7095fa975a5ac043c9de2899ce61d0

SHA1
ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3

SHA256
5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f

SHA512
b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

Download Submit
C:\Windows\CTS.exe
MD5
9471f0a5c13a6d9b41f142d876b46d86

SHA1
df13ce5f8351670562e1a312daad44783d2fa547

SHA256
a7d8a643f929a3d92bea8e707b6943a0b45e11731a9f29fb1c942bb4b3aff4a1

SHA512
34579c1b9eea8181fa7bf8e5ca5d7fd687395104aa9fe7f5f38e55f024e6b08e595bd896d76f5485bf72defb140a3d13bab7d84b1ad481f66860e51493db8c85

Download Submit
C:\Windows\CTS.exe
MD5
9471f0a5c13a6d9b41f142d876b46d86

SHA1
df13ce5f8351670562e1a312daad44783d2fa547

SHA256
a7d8a643f929a3d92bea8e707b6943a0b45e11731a9f29fb1c942bb4b3aff4a1

SHA512
34579c1b9eea8181fa7bf8e5ca5d7fd687395104aa9fe7f5f38e55f024e6b08e595bd896d76f5485bf72defb140a3d13bab7d84b1ad481f66860e51493db8c85

Download Submit
\Users\Admin\AppData\Local\Temp\nsl163F.tmp\lzif.dll
MD5
dd633261c7161397c1b12fdecc998ca6

SHA1
c8cd6e6887d98e9a002524060811f1c4d77d7df4

SHA256
ba421cfcb6fef46bd0f3a24ef4640a1c844bfede46642c2a4c7552ecb5f38358

SHA512
c51aa33de9a73af3daeb380a1b36fe8bce849ade2c5f187cccf41e2cf150e179274d6a0aa854f38f005c5ce660a97592fe68d7ebf3c2731713133f0ec2a8de94

Download Submit
memory/200-121-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/200-114-0x0000000000000000-mapping.dmp

Download
memory/200-122-0x00000000021A1000-0x00000000021A3000-memory.dmp

Filesize
8KB

Download
memory/2220-137-0x0000000000000000-mapping.dmp

Download
memory/2728-128-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2728-134-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2728-129-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2728-130-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2728-131-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2728-132-0x00000000022A2000-0x00000000022A3000-memory.dmp

Filesize
4KB

Download
memory/2728-133-0x00000000022A3000-0x00000000022A4000-memory.dmp

Filesize
4KB

Download
memory/2728-123-0x000000000040188B-mapping.dmp

Download
memory/2728-142-0x00000000022A4000-0x00000000022A5000-memory.dmp

Filesize
4KB

Download
memory/2728-127-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/2728-125-0x00000000022B0000-0x00000000022E3000-memory.dmp

Filesize
204KB

Download
memory/2728-141-0x0000000005820000-0x0000000005823000-memory.dmp

Filesize
12KB

Download
memory/2728-139-0x0000000005660000-0x0000000005665000-memory.dmp

Filesize
20KB

Download
memory/2728-140-0x00000000056F0000-0x0000000005709000-memory.dmp

Filesize
100KB

Download
memory/3360-135-0x0000000000000000-mapping.dmp

Download
memory/3840-116-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads