nanocore | 40b5ac8fcefc98a9feb178542659bc830beeae78e6bd813a3c1cb5d75d4b8801

General

Target

858f1b8a674c27585699974f7d6a471e.exe
Size

1.3MB
MD5

858f1b8a674c27585699974f7d6a471e
SHA1

87e0520b23807e3f7e3e79e977e51d00f2e3a789
SHA256

40b5ac8fcefc98a9feb178542659bc830beeae78e6bd813a3c1cb5d75d4b8801
SHA512

aa3493c55478dce7f9f039d765e85ad491768d28d8d44433f880ba53b0970a1d85f72fb5c51e60a60e6bc45506965d60ca26c5627d0594a76ab50a31a8c12ae1

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

194.5.98.208:5566

mustpay2211.ddns.net:5566

Mutex

6271a422-9054-4af4-800a-d95aff150568

Attributes

activate_away_mode
true
backup_connection_host
mustpay2211.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-02-19T01:09:24.102448236Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5566
default_group
PRINCE
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6271a422-9054-4af4-800a-d95aff150568
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
194.5.98.208
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Suspicious use of SetThreadContext 1 IoCs

Processes:

858f1b8a674c27585699974f7d6a471e.exe

description pid process target process

PID 4452 set thread context of 4184 4452 858f1b8a674c27585699974f7d6a471e.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4000 schtasks.exe

description	pid	process	target process
PID 4452 set thread context of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe

pid	process
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

858f1b8a674c27585699974f7d6a471e.exeRegSvcs.exe

pid	process
4452	858f1b8a674c27585699974f7d6a471e.exe
4452	858f1b8a674c27585699974f7d6a471e.exe
4452	858f1b8a674c27585699974f7d6a471e.exe
4452	858f1b8a674c27585699974f7d6a471e.exe
4452	858f1b8a674c27585699974f7d6a471e.exe
4452	858f1b8a674c27585699974f7d6a471e.exe
4184	RegSvcs.exe
4184	RegSvcs.exe
4184	RegSvcs.exe
4184	RegSvcs.exe
4184	RegSvcs.exe
4184	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

4184 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

858f1b8a674c27585699974f7d6a471e.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 4452 858f1b8a674c27585699974f7d6a471e.exe
Token: SeDebugPrivilege 4184 RegSvcs.exe

pid	process
4184	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4452	858f1b8a674c27585699974f7d6a471e.exe
Token: SeDebugPrivilege	4184	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

858f1b8a674c27585699974f7d6a471e.exe

description	pid	process	target process
PID 4452 wrote to memory of 4000	4452	858f1b8a674c27585699974f7d6a471e.exe	schtasks.exe
PID 4452 wrote to memory of 4000	4452	858f1b8a674c27585699974f7d6a471e.exe	schtasks.exe
PID 4452 wrote to memory of 4000	4452	858f1b8a674c27585699974f7d6a471e.exe	schtasks.exe
PID 4452 wrote to memory of 4200	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4200	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4200	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4176	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4176	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4176	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4224	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4224	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4224	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe
PID 4452 wrote to memory of 4184	4452	858f1b8a674c27585699974f7d6a471e.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\858f1b8a674c27585699974f7d6a471e.exe
"C:\Users\Admin\AppData\Local\Temp\858f1b8a674c27585699974f7d6a471e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RKmQwOp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA902.tmp"
2⤵
- Creates scheduled task(s)
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:4176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA902.tmp
MD5
1c0abfa09758339333d7913dc322ce9f

SHA1
603c1f12939932c55e72e4a4f8a500201890fbb0

SHA256
6f019369137ff1c3bca576190d12b88689daba562c65db94be9df345155b683f

SHA512
734e5a3193b41990f21f64a84a96c98e67c0e536c486137425872fbe35359e18e83a631451b645720103353598b0b222775349faeb685d43f768d3c36b6d5d6b

Download Submit
memory/4000-124-0x0000000000000000-mapping.dmp

Download
memory/4184-142-0x0000000005F70000-0x0000000005F79000-memory.dmp

Filesize
36KB

Download
memory/4184-126-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4184-135-0x00000000054D0000-0x00000000054DD000-memory.dmp

Filesize
52KB

Download
memory/4184-137-0x0000000005640000-0x0000000005655000-memory.dmp

Filesize
84KB

Download
memory/4184-148-0x00000000063C0000-0x00000000063CF000-memory.dmp

Filesize
60KB

Download
memory/4184-147-0x0000000006370000-0x0000000006399000-memory.dmp

Filesize
164KB

Download
memory/4184-146-0x0000000005FE0000-0x0000000005FE3000-memory.dmp

Filesize
12KB

Download
memory/4184-145-0x0000000005FB0000-0x0000000005FC9000-memory.dmp

Filesize
100KB

Download
memory/4184-136-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/4184-141-0x0000000005F40000-0x0000000005F4D000-memory.dmp

Filesize
52KB

Download
memory/4184-127-0x000000000041E792-mapping.dmp

Download
memory/4184-134-0x00000000054C0000-0x00000000054C5000-memory.dmp

Filesize
20KB

Download
memory/4184-143-0x0000000005F90000-0x0000000005F9F000-memory.dmp

Filesize
60KB

Download
memory/4184-149-0x0000000005160000-0x000000000565E000-memory.dmp

Filesize
5.0MB

Download
memory/4184-144-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/4184-138-0x0000000005F10000-0x0000000005F16000-memory.dmp

Filesize
24KB

Download
memory/4184-139-0x0000000005F20000-0x0000000005F27000-memory.dmp

Filesize
28KB

Download
memory/4184-140-0x0000000005F30000-0x0000000005F36000-memory.dmp

Filesize
24KB

Download
memory/4452-117-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4452-114-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/4452-119-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/4452-116-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4452-118-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4452-123-0x00000000082C0000-0x0000000008350000-memory.dmp

Filesize
576KB

Download
memory/4452-122-0x0000000002760000-0x0000000002837000-memory.dmp

Filesize
860KB

Download
memory/4452-121-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4452-120-0x0000000005230000-0x0000000005234000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads