nanocore | e100812a13dcc0b92ee42371dd7b03f674581c41dc3a2c70109acff79333cf30

General

Target

090090000000.exe
Size

371KB
MD5

b8019a09822153f1fd0081cd3f97e6af
SHA1

44cc6dd5c8c7c22b8a92976cf8c77705437faa00
SHA256

e100812a13dcc0b92ee42371dd7b03f674581c41dc3a2c70109acff79333cf30
SHA512

9cb5133d42a77234a714f50edc933684524ec7614e27d9f28fe141d03f07b5debd646670d6d64a0ad9795ad768bd6345b98f1de4c7a1c9e8a230996d338f883f

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.222.57.171:4445

Mutex

2dd052c5-2546-4017-851f-7f690b3c80bf

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-01-29T09:36:10.211722536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4445
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2dd052c5-2546-4017-851f-7f690b3c80bf
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.222.57.171
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Loads dropped DLL 1 IoCs

Processes:

090090000000.exe

pid process

660 090090000000.exe

pid	process
660	090090000000.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

090090000000.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe"	090090000000.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

090090000000.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 090090000000.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

090090000000.exe

description pid process target process

PID 660 set thread context of 3512 660 090090000000.exe 090090000000.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	090090000000.exe

description	pid	process	target process
PID 660 set thread context of 3512	660	090090000000.exe	090090000000.exe

Drops file in Program Files directory 2 IoCs

Processes:

090090000000.exe

description	ioc	process
File created	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	090090000000.exe
File opened for modification	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	090090000000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2832 schtasks.exe
220 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

090090000000.exe

pid process

3512 090090000000.exe
3512 090090000000.exe
3512 090090000000.exe
3512 090090000000.exe
3512 090090000000.exe
3512 090090000000.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

090090000000.exe

pid process

3512 090090000000.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

090090000000.exe

pid process

660 090090000000.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

090090000000.exe

description pid process

Token: SeDebugPrivilege 3512 090090000000.exe

pid	process
2832	schtasks.exe
220	schtasks.exe

pid	process
3512	090090000000.exe
3512	090090000000.exe
3512	090090000000.exe
3512	090090000000.exe
3512	090090000000.exe
3512	090090000000.exe

pid	process
3512	090090000000.exe

pid	process
660	090090000000.exe

description	pid	process
Token: SeDebugPrivilege	3512	090090000000.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

090090000000.exe090090000000.exe

description	pid	process	target process
PID 660 wrote to memory of 3512	660	090090000000.exe	090090000000.exe
PID 660 wrote to memory of 3512	660	090090000000.exe	090090000000.exe
PID 660 wrote to memory of 3512	660	090090000000.exe	090090000000.exe
PID 660 wrote to memory of 3512	660	090090000000.exe	090090000000.exe
PID 3512 wrote to memory of 2832	3512	090090000000.exe	schtasks.exe
PID 3512 wrote to memory of 2832	3512	090090000000.exe	schtasks.exe
PID 3512 wrote to memory of 2832	3512	090090000000.exe	schtasks.exe
PID 3512 wrote to memory of 220	3512	090090000000.exe	schtasks.exe
PID 3512 wrote to memory of 220	3512	090090000000.exe	schtasks.exe
PID 3512 wrote to memory of 220	3512	090090000000.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\090090000000.exe
"C:\Users\Admin\AppData\Local\Temp\090090000000.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\090090000000.exe
"C:\Users\Admin\AppData\Local\Temp\090090000000.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp648C.tmp"
3⤵
- Creates scheduled task(s)
PID:2832

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6604.tmp"
3⤵
- Creates scheduled task(s)
PID:220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp648C.tmp
MD5
216524da36141b4c03b54996cf81e172

SHA1
9cfb4085c34863bd5a1289568e972a85fccb16e9

SHA256
159f97971eb222a1b81ea6e1366a48db0a8e1cdfd426f0f29c250eab1e83d546

SHA512
a64685345aabb46cf2cf6398ca6808431836fd678c9aed0b7a6b872cd5a45f5ae4778c97f39eb1389ef5e20e56217291d670f62b63859ae6ef08cef72003d2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6604.tmp
MD5
af9986f5e128fd8bd3ae748fcba6576d

SHA1
8060072c35108b48649a03be91803b97f1ad40a4

SHA256
f3242f6480b3d1a8f9285135fdce9a201c4802ce062eee4fb41c488a21d53303

SHA512
f35c8e1699905bc972ae48a5a4a9fd33ea04b2d851ffc1cb1d1573a2087121d803b4186a696b2edad10a9c46c388a478e105f5a730020b598aa9f483086dba38

Download Submit
\Users\Admin\AppData\Local\Temp\nst50C7.tmp\ulwfuy.dll
MD5
1948a6b2f6f9092393adda25ecc49cbc

SHA1
f9438d6dd5a08018c45662d63232606d87526d83

SHA256
97000d24be3ce1a208ccb9115245466022d66505eceb03e39a2286107e0eecef

SHA512
70faf5541bc6d2ca9ab8cdd4b731ac6544d76320124afc6f995c31d34792a065298a7a516f013b2c662d18f92227e68b3fd0fa8f7aa33f353a409546e50fdbc0

Download Submit
memory/220-126-0x0000000000000000-mapping.dmp

Download
memory/660-116-0x0000000002C51000-0x0000000002C56000-memory.dmp

Filesize
20KB

Download
memory/660-115-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/2832-124-0x0000000000000000-mapping.dmp

Download
memory/3512-119-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/3512-122-0x0000000002357000-0x0000000002358000-memory.dmp

Filesize
4KB

Download
memory/3512-123-0x0000000002358000-0x0000000002359000-memory.dmp

Filesize
4KB

Download
memory/3512-121-0x0000000002352000-0x0000000002354000-memory.dmp

Filesize
8KB

Download
memory/3512-120-0x0000000002351000-0x0000000002352000-memory.dmp

Filesize
4KB

Download
memory/3512-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3512-117-0x000000000040188B-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads