nanocore | cc536d630284e622821d1034fadec488cb35dc72bdfb75edbd184a638d052f98

General

Target

fb64fc2471a48928b7989f7e959de261.exe
Size

867KB
MD5

fb64fc2471a48928b7989f7e959de261
SHA1

334f95083ee83d20255b87e0bfd4aae86a922d20
SHA256

cc536d630284e622821d1034fadec488cb35dc72bdfb75edbd184a638d052f98
SHA512

c96a7ef0e0691096e7cd8c841696a4be951f4b1621c4aa89b39d98e24e9310464558c66eba3f67600e169da46d9936d670a26802b2f5550a4804552ef9fc7916

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

hhjhtggfr.duckdns.org:8234

dertrefg.duckdns.org:8234

Mutex

6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9

Attributes

activate_away_mode
true
backup_connection_host
dertrefg.duckdns.org
backup_dns_server
dertrefg.duckdns.org
buffer_size
65535
build_time
2021-03-26T23:25:40.118592436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8234
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6a1c2465-7ac5-4f1d-acc5-ef04fcf454c9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
hhjhtggfr.duckdns.org
primary_dns_server
hhjhtggfr.duckdns.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fb64fc2471a48928b7989f7e959de261.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe"	fb64fc2471a48928b7989f7e959de261.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

fb64fc2471a48928b7989f7e959de261.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fb64fc2471a48928b7989f7e959de261.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fb64fc2471a48928b7989f7e959de261.exe

description pid process target process

PID 3016 set thread context of 3928 3016 fb64fc2471a48928b7989f7e959de261.exe fb64fc2471a48928b7989f7e959de261.exe

description	pid	process	target process
PID 3016 set thread context of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe

Drops file in Program Files directory 2 IoCs

Processes:

fb64fc2471a48928b7989f7e959de261.exe

description	ioc	process
File created	C:\Program Files (x86)\ISS Manager\issmgr.exe	fb64fc2471a48928b7989f7e959de261.exe
File opened for modification	C:\Program Files (x86)\ISS Manager\issmgr.exe	fb64fc2471a48928b7989f7e959de261.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

fb64fc2471a48928b7989f7e959de261.exefb64fc2471a48928b7989f7e959de261.exe

pid	process
3016	fb64fc2471a48928b7989f7e959de261.exe
3016	fb64fc2471a48928b7989f7e959de261.exe
3928	fb64fc2471a48928b7989f7e959de261.exe
3928	fb64fc2471a48928b7989f7e959de261.exe
3928	fb64fc2471a48928b7989f7e959de261.exe
3928	fb64fc2471a48928b7989f7e959de261.exe
3928	fb64fc2471a48928b7989f7e959de261.exe
3928	fb64fc2471a48928b7989f7e959de261.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

fb64fc2471a48928b7989f7e959de261.exe

pid process

3928 fb64fc2471a48928b7989f7e959de261.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fb64fc2471a48928b7989f7e959de261.exefb64fc2471a48928b7989f7e959de261.exe

description pid process

Token: SeDebugPrivilege 3016 fb64fc2471a48928b7989f7e959de261.exe
Token: SeDebugPrivilege 3928 fb64fc2471a48928b7989f7e959de261.exe

pid	process
3928	fb64fc2471a48928b7989f7e959de261.exe

description	pid	process
Token: SeDebugPrivilege	3016	fb64fc2471a48928b7989f7e959de261.exe
Token: SeDebugPrivilege	3928	fb64fc2471a48928b7989f7e959de261.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fb64fc2471a48928b7989f7e959de261.exe

description	pid	process	target process
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe
PID 3016 wrote to memory of 3928	3016	fb64fc2471a48928b7989f7e959de261.exe	fb64fc2471a48928b7989f7e959de261.exe

C:\Users\Admin\AppData\Local\Temp\fb64fc2471a48928b7989f7e959de261.exe
"C:\Users\Admin\AppData\Local\Temp\fb64fc2471a48928b7989f7e959de261.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\fb64fc2471a48928b7989f7e959de261.exe
  C:\Users\Admin\AppData\Local\Temp\fb64fc2471a48928b7989f7e959de261.exe
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fb64fc2471a48928b7989f7e959de261.exe.log

MD5
9e7845217df4a635ec4341c3d52ed685

SHA1
d65cb39d37392975b038ce503a585adadb805da5

SHA256
d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b

SHA512
307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1

Download Submit
memory/3016-116-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3016-117-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3016-118-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3016-119-0x0000000004DD0000-0x00000000052CE000-memory.dmp

Filesize
5.0MB

Download
memory/3016-120-0x0000000006840000-0x00000000068AD000-memory.dmp

Filesize
436KB

Download
memory/3016-125-0x00000000070D0000-0x0000000007151000-memory.dmp

Filesize
516KB

Download
memory/3016-114-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/3928-138-0x0000000005600000-0x0000000005AFE000-memory.dmp

Filesize
5.0MB

Download
memory/3928-141-0x0000000006B50000-0x0000000006B56000-memory.dmp

Filesize
24KB

Download
memory/3928-133-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/3928-135-0x0000000005730000-0x0000000005735000-memory.dmp

Filesize
20KB

Download
memory/3928-136-0x0000000005AD0000-0x0000000005AE9000-memory.dmp

Filesize
100KB

Download
memory/3928-137-0x0000000005AF0000-0x0000000005AF3000-memory.dmp

Filesize
12KB

Download
memory/3928-126-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3928-139-0x00000000063B0000-0x00000000063BD000-memory.dmp

Filesize
52KB

Download
memory/3928-140-0x0000000006B10000-0x0000000006B25000-memory.dmp

Filesize
84KB

Download
memory/3928-127-0x000000000041E792-mapping.dmp

Download
memory/3928-142-0x0000000006B60000-0x0000000006B6C000-memory.dmp

Filesize
48KB

Download
memory/3928-143-0x0000000006B70000-0x0000000006B77000-memory.dmp

Filesize
28KB

Download
memory/3928-144-0x0000000006B80000-0x0000000006B86000-memory.dmp

Filesize
24KB

Download
memory/3928-145-0x0000000006B90000-0x0000000006B9D000-memory.dmp

Filesize
52KB

Download
memory/3928-146-0x0000000006BA0000-0x0000000006BA9000-memory.dmp

Filesize
36KB

Download
memory/3928-147-0x0000000006BB0000-0x0000000006BBF000-memory.dmp

Filesize
60KB

Download
memory/3928-148-0x0000000006BD0000-0x0000000006BDA000-memory.dmp

Filesize
40KB

Download
memory/3928-149-0x0000000006BE0000-0x0000000006C09000-memory.dmp

Filesize
164KB

Download
memory/3928-150-0x0000000006C20000-0x0000000006C2F000-memory.dmp

Filesize
60KB

Download
memory/3928-151-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads