nanocore | d2ec2611b322552856d3f202484914625b49f0dc3326d8ea3acdb3a57e65b1ef

General

Target

192F43C51F4A671079872C28ABB01A64.exe
Size

690KB
MD5

192f43c51f4a671079872c28abb01a64
SHA1

2fd4c2e5a93358c848061ba35628a814e6dac1bb
SHA256

d2ec2611b322552856d3f202484914625b49f0dc3326d8ea3acdb3a57e65b1ef
SHA512

36236e1bb1511b34dc7b8bbddb55a714059522677e54566e09e531a1cebd0de16119b4554f99020badc20caa4a72224a3addc68efbcdaaaf0026cf671e9e16a7

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

backu4734.duckdns.org:8092

Mutex

ccf3c62d-d356-4a80-bb94-307bc35a5e01

Attributes

activate_away_mode
false
backup_connection_host
backu4734.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-01-05T15:22:20.555580436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8092
default_group
Backup
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ccf3c62d-d356-4a80-bb94-307bc35a5e01
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
backu4734.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Loads dropped DLL 1 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe

pid process

3680 192F43C51F4A671079872C28ABB01A64.exe

pid	process
3680	192F43C51F4A671079872C28ABB01A64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

192F43C51F4A671079872C28ABB01A64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"	192F43C51F4A671079872C28ABB01A64.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

192F43C51F4A671079872C28ABB01A64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	192F43C51F4A671079872C28ABB01A64.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe

description pid process target process

PID 3680 set thread context of 1008 3680 192F43C51F4A671079872C28ABB01A64.exe 192F43C51F4A671079872C28ABB01A64.exe

description	pid	process	target process
PID 3680 set thread context of 1008	3680	192F43C51F4A671079872C28ABB01A64.exe	192F43C51F4A671079872C28ABB01A64.exe

Drops file in Program Files directory 2 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Manager\issmgr.exe	192F43C51F4A671079872C28ABB01A64.exe
File opened for modification	C:\Program Files (x86)\ISS Manager\issmgr.exe	192F43C51F4A671079872C28ABB01A64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3436 schtasks.exe
1288 schtasks.exe

pid	process
3436	schtasks.exe
1288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe

pid	process
1008	192F43C51F4A671079872C28ABB01A64.exe
1008	192F43C51F4A671079872C28ABB01A64.exe
1008	192F43C51F4A671079872C28ABB01A64.exe
1008	192F43C51F4A671079872C28ABB01A64.exe
1008	192F43C51F4A671079872C28ABB01A64.exe
1008	192F43C51F4A671079872C28ABB01A64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe

pid process

1008 192F43C51F4A671079872C28ABB01A64.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe

pid process

3680 192F43C51F4A671079872C28ABB01A64.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe

description pid process

Token: SeDebugPrivilege 1008 192F43C51F4A671079872C28ABB01A64.exe

pid	process
3680	192F43C51F4A671079872C28ABB01A64.exe

description	pid	process
Token: SeDebugPrivilege	1008	192F43C51F4A671079872C28ABB01A64.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

192F43C51F4A671079872C28ABB01A64.exe192F43C51F4A671079872C28ABB01A64.exe

description	pid	process	target process
PID 3680 wrote to memory of 1008	3680	192F43C51F4A671079872C28ABB01A64.exe	192F43C51F4A671079872C28ABB01A64.exe
PID 3680 wrote to memory of 1008	3680	192F43C51F4A671079872C28ABB01A64.exe	192F43C51F4A671079872C28ABB01A64.exe
PID 3680 wrote to memory of 1008	3680	192F43C51F4A671079872C28ABB01A64.exe	192F43C51F4A671079872C28ABB01A64.exe
PID 3680 wrote to memory of 1008	3680	192F43C51F4A671079872C28ABB01A64.exe	192F43C51F4A671079872C28ABB01A64.exe
PID 1008 wrote to memory of 3436	1008	192F43C51F4A671079872C28ABB01A64.exe	schtasks.exe
PID 1008 wrote to memory of 3436	1008	192F43C51F4A671079872C28ABB01A64.exe	schtasks.exe
PID 1008 wrote to memory of 3436	1008	192F43C51F4A671079872C28ABB01A64.exe	schtasks.exe
PID 1008 wrote to memory of 1288	1008	192F43C51F4A671079872C28ABB01A64.exe	schtasks.exe
PID 1008 wrote to memory of 1288	1008	192F43C51F4A671079872C28ABB01A64.exe	schtasks.exe
PID 1008 wrote to memory of 1288	1008	192F43C51F4A671079872C28ABB01A64.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\192F43C51F4A671079872C28ABB01A64.exe
"C:\Users\Admin\AppData\Local\Temp\192F43C51F4A671079872C28ABB01A64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\192F43C51F4A671079872C28ABB01A64.exe
"C:\Users\Admin\AppData\Local\Temp\192F43C51F4A671079872C28ABB01A64.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAE28.tmp"
3⤵
- Creates scheduled task(s)
PID:3436

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAEB5.tmp"
3⤵
- Creates scheduled task(s)
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE28.tmp
MD5
914c9c0ec8b02383ac0d53aeef5cdaa4

SHA1
542b23eb21050810689ce818f63651a157f45558

SHA256
64972199c4725e94293903699d6a9314e04d67c42c29d5d23b33c3be2bd59b25

SHA512
10d522ccf9a0b0d4e6bde96e5f00b43a9ee86bc53580c573870932ca6307bb505087c44d910fb7cedf9216ec5066ee0748711abaae1a747e9a906d1cef5aa4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEB5.tmp
MD5
ea7095fa975a5ac043c9de2899ce61d0

SHA1
ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3

SHA256
5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f

SHA512
b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

Download Submit
\Users\Admin\AppData\Local\Temp\nss2708.tmp\o76acto.dll
MD5
7faa067d6fadabc699ba34d9c7eb7a11

SHA1
336715b289c2edb0eb7fa37a5fd47310683c800d

SHA256
f0890e26b090e99ed0c52bb59befb6db350b937005f4855ba75665a6953cac07

SHA512
cf86cc97ca035195e71f990c0010923d619c9866df5d0c2090023fb08b49a1027c198e159ba8fd696535141b2f9eaad1d4eac125405898beed5ad0e2a1200ac4

Download Submit
memory/1008-139-0x0000000005FE0000-0x0000000005FEC000-memory.dmp

Filesize
48KB

Download
memory/1008-148-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download
memory/1008-133-0x0000000005760000-0x0000000005765000-memory.dmp

Filesize
20KB

Download
memory/1008-121-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1008-122-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/1008-123-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1008-124-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1008-125-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/1008-126-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/1008-127-0x0000000004943000-0x0000000004944000-memory.dmp

Filesize
4KB

Download
memory/1008-128-0x0000000004944000-0x0000000004945000-memory.dmp

Filesize
4KB

Download
memory/1008-147-0x00000000060A0000-0x00000000060AF000-memory.dmp

Filesize
60KB

Download
memory/1008-117-0x000000000040188B-mapping.dmp

Download
memory/1008-146-0x0000000006070000-0x0000000006099000-memory.dmp

Filesize
164KB

Download
memory/1008-120-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1008-134-0x00000000057F0000-0x0000000005809000-memory.dmp

Filesize
100KB

Download
memory/1008-118-0x0000000002370000-0x00000000023A3000-memory.dmp

Filesize
204KB

Download
memory/1008-135-0x0000000005920000-0x0000000005923000-memory.dmp

Filesize
12KB

Download
memory/1008-136-0x0000000005930000-0x000000000593D000-memory.dmp

Filesize
52KB

Download
memory/1008-137-0x0000000005940000-0x0000000005955000-memory.dmp

Filesize
84KB

Download
memory/1008-138-0x0000000005FD0000-0x0000000005FD6000-memory.dmp

Filesize
24KB

Download
memory/1008-145-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download
memory/1008-140-0x0000000005FF0000-0x0000000005FF6000-memory.dmp

Filesize
24KB

Download
memory/1008-141-0x0000000006000000-0x0000000006007000-memory.dmp

Filesize
28KB

Download
memory/1008-142-0x0000000006010000-0x000000000601D000-memory.dmp

Filesize
52KB

Download
memory/1008-143-0x0000000006020000-0x0000000006029000-memory.dmp

Filesize
36KB

Download
memory/1008-144-0x0000000006030000-0x000000000603F000-memory.dmp

Filesize
60KB

Download
memory/1288-131-0x0000000000000000-mapping.dmp

Download
memory/3436-129-0x0000000000000000-mapping.dmp

Download
memory/3680-115-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/3680-116-0x0000000003321000-0x0000000003324000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads