nanocore | 9fea8f3b2070ddd865fbc8e41f134829e0bacf4061ac245e3d3716bfd462d4aa

General

Target

PAYMENT FOR PROFORMA INV0089.exe
Size

1.2MB
MD5

af0bb269d15ab9be8cc4c2ba3d037171
SHA1

c0b881551c2e8cb4db285538ef2ac6e091c7537c
SHA256

9fea8f3b2070ddd865fbc8e41f134829e0bacf4061ac245e3d3716bfd462d4aa
SHA512

bcb208aedf64952e9137902263875846fc62a2aa5246d18d632b05e7e3e8826591e1e7f999e1f3cd91f793c64d8064ae3ec0c1116f850a2976664559aaff6d7a

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

night90.ddns.net:5657

127.0.0.1:5657

Mutex

0b119eb7-2d8f-489b-a81c-d786a1637de7

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-04-05T11:22:54.943841536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
5657
default_group
NEW DAY
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
0b119eb7-2d8f-489b-a81c-d786a1637de7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
night90.ddns.net
primary_dns_server
night90.ddns.net
request_elevation
true
restart_delay
5000
run_delay
50
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PAYMENT FOR PROFORMA INV0089.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"	PAYMENT FOR PROFORMA INV0089.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PAYMENT FOR PROFORMA INV0089.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PAYMENT FOR PROFORMA INV0089.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PAYMENT FOR PROFORMA INV0089.exe

description pid process target process

PID 3872 set thread context of 1064 3872 PAYMENT FOR PROFORMA INV0089.exe PAYMENT FOR PROFORMA INV0089.exe

description	pid	process	target process
PID 3872 set thread context of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe

Drops file in Program Files directory 2 IoCs

Processes:

PAYMENT FOR PROFORMA INV0089.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ISS Manager\issmgr.exe	PAYMENT FOR PROFORMA INV0089.exe
File created	C:\Program Files (x86)\ISS Manager\issmgr.exe	PAYMENT FOR PROFORMA INV0089.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2496 schtasks.exe
3952 schtasks.exe
3768 schtasks.exe

pid	process
2496	schtasks.exe
3952	schtasks.exe
3768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PAYMENT FOR PROFORMA INV0089.exePAYMENT FOR PROFORMA INV0089.exe

pid	process
3872	PAYMENT FOR PROFORMA INV0089.exe
1064	PAYMENT FOR PROFORMA INV0089.exe
1064	PAYMENT FOR PROFORMA INV0089.exe
1064	PAYMENT FOR PROFORMA INV0089.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

PAYMENT FOR PROFORMA INV0089.exe

pid process

1064 PAYMENT FOR PROFORMA INV0089.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PAYMENT FOR PROFORMA INV0089.exePAYMENT FOR PROFORMA INV0089.exe

description pid process

Token: SeDebugPrivilege 3872 PAYMENT FOR PROFORMA INV0089.exe
Token: SeDebugPrivilege 1064 PAYMENT FOR PROFORMA INV0089.exe

pid	process
1064	PAYMENT FOR PROFORMA INV0089.exe

description	pid	process
Token: SeDebugPrivilege	3872	PAYMENT FOR PROFORMA INV0089.exe
Token: SeDebugPrivilege	1064	PAYMENT FOR PROFORMA INV0089.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PAYMENT FOR PROFORMA INV0089.exePAYMENT FOR PROFORMA INV0089.exe

description	pid	process	target process
PID 3872 wrote to memory of 3768	3872	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 3872 wrote to memory of 3768	3872	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 3872 wrote to memory of 3768	3872	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 3872 wrote to memory of 1064	3872	PAYMENT FOR PROFORMA INV0089.exe	PAYMENT FOR PROFORMA INV0089.exe
PID 1064 wrote to memory of 2496	1064	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 1064 wrote to memory of 2496	1064	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 1064 wrote to memory of 2496	1064	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 1064 wrote to memory of 3952	1064	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 1064 wrote to memory of 3952	1064	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe
PID 1064 wrote to memory of 3952	1064	PAYMENT FOR PROFORMA INV0089.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZKodLVapzQiD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA44F.tmp"
2⤵
- Creates scheduled task(s)
PID:3768

C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT FOR PROFORMA INV0089.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA808.tmp"
3⤵
- Creates scheduled task(s)
PID:2496

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA857.tmp"
3⤵
- Creates scheduled task(s)
PID:3952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA44F.tmp
MD5
babc283e97608b957e4dc208542d56da

SHA1
909d2fb8c13e0c3805d6c862365b3cd8fb29363e

SHA256
7b4fc8f015736b0562f99fa75dbe5b251cd6569e60d29de2f95402af5c39801e

SHA512
4e5d4e93a373d9e21e9cbfcebd2f88d6a2c2f6bff3a95bf3236f13284a3841f5ad0f21feea64223c3135ceb6e70356a9647c462dc7618f42bea82b6d7c60acf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA808.tmp
MD5
94ecc4bbe7ced06daf6097d0af7c8384

SHA1
696da3da652c3cda7a969c867ef6681e3fa10d33

SHA256
9bc9f11e1f15083959ed102e945732759addd624609263d5fc2443ef6bc43dec

SHA512
9873f48134b1cbebe35cbb04abe98b164ef44443d2736074f1bfffc13e3fed97e8d87f84527a9426152a8e601fe49142ad15ccb3fe3efe0f73ad56d038a905c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA857.tmp
MD5
ea7095fa975a5ac043c9de2899ce61d0

SHA1
ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3

SHA256
5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f

SHA512
b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

Download Submit
memory/1064-117-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1064-118-0x000000000041E792-mapping.dmp

Download
memory/1064-119-0x0000000000A10000-0x0000000000ABE000-memory.dmp

Filesize
696KB

Download
memory/2496-120-0x0000000000000000-mapping.dmp

Download
memory/3768-115-0x0000000000000000-mapping.dmp

Download
memory/3872-114-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3952-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads