nanocore | 82ec68a5220c94aa244060779a39f104b7545473601225ec15bd1783bff8a50e

General

Target

DHL Delivery Details.exe
Size

1.3MB
MD5

c340e5c9b74e0b154602372e9f65f005
SHA1

94e113dcb8273d9b0645cbfd99a49b5f0dbb6dbc
SHA256

ed272b8224137d8c590dc8623e1d7e024dd372d00cee1c2a3dac035d2aa8ffbc
SHA512

b174ffc70d299dd3aa90460e4d3bcf1f8794da9d61dd4e50a4eb6bf16060722280ca611b4c9f09b87af5e14a711b206e459dbb4225ae14ff5d48eddab6bc3561

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

23.105.131.230:21180

gintex.ddns.net:21180

Mutex

d02ab855-af92-413e-97e9-f7830911e832

Attributes

activate_away_mode
true
backup_connection_host
gintex.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-05-01T12:46:53.543931936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
21180
default_group
kardinal2021
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d02ab855-af92-413e-97e9-f7830911e832
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
23.105.131.230
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Host = "C:\\Program Files (x86)\\LAN Host\\lanhost.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL Delivery Details.exe

description pid process target process

PID 1240 set thread context of 616 1240 DHL Delivery Details.exe RegSvcs.exe

description	pid	process	target process
PID 1240 set thread context of 616	1240	DHL Delivery Details.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\LAN Host\lanhost.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\LAN Host\lanhost.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

552 schtasks.exe
828 schtasks.exe
384 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

DHL Delivery Details.exeRegSvcs.exe

pid process

1240 DHL Delivery Details.exe
616 RegSvcs.exe
616 RegSvcs.exe
616 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

616 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

DHL Delivery Details.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1240 DHL Delivery Details.exe
Token: SeDebugPrivilege 616 RegSvcs.exe

pid	process
552	schtasks.exe
828	schtasks.exe
384	schtasks.exe

pid	process
1240	DHL Delivery Details.exe
616	RegSvcs.exe
616	RegSvcs.exe
616	RegSvcs.exe

pid	process
616	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1240	DHL Delivery Details.exe
Token: SeDebugPrivilege	616	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

DHL Delivery Details.exeRegSvcs.exe

description	pid	process	target process
PID 1240 wrote to memory of 552	1240	DHL Delivery Details.exe	schtasks.exe
PID 1240 wrote to memory of 552	1240	DHL Delivery Details.exe	schtasks.exe
PID 1240 wrote to memory of 552	1240	DHL Delivery Details.exe	schtasks.exe
PID 1240 wrote to memory of 552	1240	DHL Delivery Details.exe	schtasks.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 1240 wrote to memory of 616	1240	DHL Delivery Details.exe	RegSvcs.exe
PID 616 wrote to memory of 828	616	RegSvcs.exe	schtasks.exe
PID 616 wrote to memory of 828	616	RegSvcs.exe	schtasks.exe
PID 616 wrote to memory of 828	616	RegSvcs.exe	schtasks.exe
PID 616 wrote to memory of 828	616	RegSvcs.exe	schtasks.exe
PID 616 wrote to memory of 384	616	RegSvcs.exe	schtasks.exe
PID 616 wrote to memory of 384	616	RegSvcs.exe	schtasks.exe
PID 616 wrote to memory of 384	616	RegSvcs.exe	schtasks.exe
PID 616 wrote to memory of 384	616	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\DHL Delivery Details.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Delivery Details.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BsUBNSmzi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA110.tmp"
2⤵
- Creates scheduled task(s)
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp"
3⤵
- Creates scheduled task(s)
PID:828

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA555.tmp"
3⤵
- Creates scheduled task(s)
PID:384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA110.tmp
MD5
413672d5fd8479caee5e21dbac12b81d

SHA1
74e420d4befc01c29ba6ec8be397ecffdd76694d

SHA256
785fc8ba98fb8c40942b0c571c941936666f0e2b6754ee516b705356af460d59

SHA512
f1280e4d43af06fa67850f8c913b40443ba45d6477287df8377fda6308b10d9343367534d9930fd0626184c10495049f88ff3ecec437b20b1e39e8e790bbb7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4E7.tmp
MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA555.tmp
MD5
54865f98871478b2b88b7f8aa6100915

SHA1
6f8667f1ce25cebee2a7b460668736ff6bcfac54

SHA256
287f7b4372926ff59bb9a14bdfc00ad63f92af8efdb2e14f6f6baf31878fd44e

SHA512
caba0bd0cb0eda0710291f9754cfdef1a3d8fdb8b6d07f5d3e4d1e7b09c87f37032287ddef0a75485d6e685afa3510ee64453662e6c8d223ae171b392b58e493

Download Submit
memory/384-73-0x0000000000000000-mapping.dmp

Download
memory/552-65-0x0000000000000000-mapping.dmp

Download
memory/616-68-0x000000000041E792-mapping.dmp

Download
memory/616-76-0x0000000000440000-0x0000000000459000-memory.dmp

Filesize
100KB

Download
memory/616-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/616-79-0x0000000004DC5000-0x0000000004DD6000-memory.dmp

Filesize
68KB

Download
memory/616-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/616-78-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/616-77-0x00000000003F0000-0x00000000003F3000-memory.dmp

Filesize
12KB

Download
memory/616-75-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/828-71-0x0000000000000000-mapping.dmp

Download
memory/1240-61-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1240-62-0x0000000000410000-0x0000000000412000-memory.dmp

Filesize
8KB

Download
memory/1240-64-0x0000000008080000-0x00000000080F2000-memory.dmp

Filesize
456KB

Download
memory/1240-63-0x0000000007DB0000-0x0000000007E70000-memory.dmp

Filesize
768KB

Download
memory/1240-59-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads