nanocore | 012300706ce75e6e82abdaa865aa8ff684aef99eda98f9094278b8df84e9642c

General

Target

471e3984_by_Libranalysis.doc
Size

10KB
MD5

471e39840386d6b9c8e565123a389364
SHA1

d9050e2115ee03a7c8e0acc87d199ce0b4b7422a
SHA256

012300706ce75e6e82abdaa865aa8ff684aef99eda98f9094278b8df84e9642c
SHA512

13b841bab9f2ef3ce9a27854a09682ba8983df16b4551e997359511f19decb94f85b23b3811f742fd99fdb7f2985b8063a6444b6c556e7cbafebf8f4b3f4a1e5

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

79.134.225.26:1133

nassiru1166main.ddns.net:1133

Mutex

21f4355e-8257-4e77-8f1b-c822c6ea3cbe

Attributes

activate_away_mode
true
backup_connection_host
nassiru1166main.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-02-05T23:55:31.583125836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1133
default_group
BUILD
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
21f4355e-8257-4e77-8f1b-c822c6ea3cbe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
79.134.225.26
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

15 1644 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

636 vbc.exe

flow	pid	process
15	1644	EQNEDT32.EXE

pid	process
636	vbc.exe

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Office\Common\Offline\Files\https://cutt.ly/dbzEXdF	WINWORD.EXE

Loads dropped DLL 4 IoCs

Processes:

EQNEDT32.EXE

pid process

1644 EQNEDT32.EXE
1644 EQNEDT32.EXE
1644 EQNEDT32.EXE
1644 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 636 set thread context of 364 636 vbc.exe RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1644 EQNEDT32.EXE

pid	process
1644	EQNEDT32.EXE
1644	EQNEDT32.EXE
1644	EQNEDT32.EXE
1644	EQNEDT32.EXE

description	pid	process	target process
PID 636 set thread context of 364	636	vbc.exe	RegSvcs.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1644	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1652 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

vbc.exeRegSvcs.exe

pid process

636 vbc.exe
364 RegSvcs.exe
364 RegSvcs.exe
364 RegSvcs.exe
364 RegSvcs.exe
364 RegSvcs.exe
364 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

364 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WINWORD.EXEvbc.exeRegSvcs.exe

description pid process

Token: SeShutdownPrivilege 1652 WINWORD.EXE
Token: SeDebugPrivilege 636 vbc.exe
Token: SeDebugPrivilege 364 RegSvcs.exe

pid	process
636	vbc.exe
364	RegSvcs.exe
364	RegSvcs.exe
364	RegSvcs.exe
364	RegSvcs.exe
364	RegSvcs.exe
364	RegSvcs.exe

pid	process
364	RegSvcs.exe

description	pid	process
Token: SeShutdownPrivilege	1652	WINWORD.EXE
Token: SeDebugPrivilege	636	vbc.exe
Token: SeDebugPrivilege	364	RegSvcs.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exe

description	pid	process	target process
PID 1644 wrote to memory of 636	1644	EQNEDT32.EXE	vbc.exe
PID 1644 wrote to memory of 636	1644	EQNEDT32.EXE	vbc.exe
PID 1644 wrote to memory of 636	1644	EQNEDT32.EXE	vbc.exe
PID 1644 wrote to memory of 636	1644	EQNEDT32.EXE	vbc.exe
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	splwow64.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe
PID 636 wrote to memory of 364	636	vbc.exe	RegSvcs.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\471e3984_by_Libranalysis.doc"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2020

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:364

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbc.exe
MD5
042aa11c6d49e1cca5923f02d1b0a5ae

SHA1
5a89ff2f9702a53fb638b8c7229ba868aaa58ae9

SHA256
3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34

SHA512
6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184

Download Submit
C:\Users\Public\vbc.exe
MD5
042aa11c6d49e1cca5923f02d1b0a5ae

SHA1
5a89ff2f9702a53fb638b8c7229ba868aaa58ae9

SHA256
3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34

SHA512
6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184

Download Submit
\Users\Public\vbc.exe
MD5
042aa11c6d49e1cca5923f02d1b0a5ae

SHA1
5a89ff2f9702a53fb638b8c7229ba868aaa58ae9

SHA256
3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34

SHA512
6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184

Download Submit
\Users\Public\vbc.exe
MD5
042aa11c6d49e1cca5923f02d1b0a5ae

SHA1
5a89ff2f9702a53fb638b8c7229ba868aaa58ae9

SHA256
3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34

SHA512
6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184

Download Submit
\Users\Public\vbc.exe
MD5
042aa11c6d49e1cca5923f02d1b0a5ae

SHA1
5a89ff2f9702a53fb638b8c7229ba868aaa58ae9

SHA256
3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34

SHA512
6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184

Download Submit
\Users\Public\vbc.exe
MD5
042aa11c6d49e1cca5923f02d1b0a5ae

SHA1
5a89ff2f9702a53fb638b8c7229ba868aaa58ae9

SHA256
3383218b916baf1a46989c4f253b29eb81e97ac763ab71615c81d85a18495f34

SHA512
6d0551584f1f4c5391012111be3bc251026d3db6a531ab7a8ce0d41cf278a254bc8a0bc66690a1a93c3bf52c2c1c70e7fcd94e4b8812bcea95efa8bda86d7184

Download Submit
memory/364-77-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/364-81-0x0000000000C11000-0x0000000000C12000-memory.dmp

Filesize
4KB

Download
memory/364-80-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/364-78-0x000000000041E792-mapping.dmp

Download
memory/636-68-0x0000000000000000-mapping.dmp

Download
memory/636-72-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/636-75-0x0000000000461000-0x0000000000462000-memory.dmp

Filesize
4KB

Download
memory/1644-63-0x00000000754F1000-0x00000000754F3000-memory.dmp

Filesize
8KB

Download
memory/1652-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1652-61-0x000000006FD01000-0x000000006FD03000-memory.dmp

Filesize
8KB

Download
memory/1652-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1652-60-0x0000000072281000-0x0000000072284000-memory.dmp

Filesize
12KB

Download
memory/2020-73-0x0000000000000000-mapping.dmp

Download
memory/2020-74-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads