nanocore | 9a28b730d4601c17f4bffa6c63c681e0f3c95d9f8c95a700c2b77c2bdb2dc8f9

General

Target

TT COPY.xlsx
Size

679KB
MD5

bff0c36c3c73c83a4a144bb7b5874056
SHA1

4eaa93a36139ba7c7e60c90790ce3ece26b2cbce
SHA256

9a28b730d4601c17f4bffa6c63c681e0f3c95d9f8c95a700c2b77c2bdb2dc8f9
SHA512

7c1d3001c40803060fa4b60c486c4554cb46a8d1306869fecbc3ae747b0b26a547ba12198d22c3ddbb08301d088ae96aa2f66f132dd42a54556ccb47386885ca

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

godisgood1.hopto.org:7712

Mutex

9ed8d108-2eb1-4e23-9679-783796e4baff

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-04-23T17:16:53.813634136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7712
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9ed8d108-2eb1-4e23-9679-783796e4baff
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
godisgood1.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 1628 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

CBM.exeCBM.exeCBM.exe

pid process

840 CBM.exe
1052 CBM.exe
1528 CBM.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1628 EQNEDT32.EXE
1628 EQNEDT32.EXE

flow	pid	process
4	1628	EQNEDT32.EXE

pid	process
1628	EQNEDT32.EXE
1628	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CBM.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"	CBM.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

CBM.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA CBM.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

CBM.exe

description pid process target process

PID 840 set thread context of 1528 840 CBM.exe CBM.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CBM.exe

description	pid	process	target process
PID 840 set thread context of 1528	840	CBM.exe	CBM.exe

Drops file in Program Files directory 2 IoCs

Processes:

CBM.exe

description	ioc	process
File created	C:\Program Files (x86)\DPI Service\dpisv.exe	CBM.exe
File opened for modification	C:\Program Files (x86)\DPI Service\dpisv.exe	CBM.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

948 schtasks.exe
904 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1628 EQNEDT32.EXE

pid	process
948	schtasks.exe
904	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1628	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1840 EXCEL.EXE

pid	process
1840	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

CBM.exeCBM.exe

pid	process
840	CBM.exe
840	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe
1528	CBM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

CBM.exe

pid process

1528 CBM.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CBM.exeCBM.exe

description pid process

Token: SeDebugPrivilege 840 CBM.exe
Token: SeDebugPrivilege 1528 CBM.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1840 EXCEL.EXE
1840 EXCEL.EXE
1840 EXCEL.EXE

pid	process
1528	CBM.exe

description	pid	process
Token: SeDebugPrivilege	840	CBM.exe
Token: SeDebugPrivilege	1528	CBM.exe

pid	process
1840	EXCEL.EXE
1840	EXCEL.EXE
1840	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EQNEDT32.EXEEXCEL.EXECBM.exeCBM.exe

description	pid	process	target process
PID 1628 wrote to memory of 840	1628	EQNEDT32.EXE	CBM.exe
PID 1628 wrote to memory of 840	1628	EQNEDT32.EXE	CBM.exe
PID 1628 wrote to memory of 840	1628	EQNEDT32.EXE	CBM.exe
PID 1628 wrote to memory of 840	1628	EQNEDT32.EXE	CBM.exe
PID 1840 wrote to memory of 916	1840	EXCEL.EXE	splwow64.exe
PID 1840 wrote to memory of 916	1840	EXCEL.EXE	splwow64.exe
PID 1840 wrote to memory of 916	1840	EXCEL.EXE	splwow64.exe
PID 1840 wrote to memory of 916	1840	EXCEL.EXE	splwow64.exe
PID 840 wrote to memory of 1052	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1052	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1052	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1052	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 840 wrote to memory of 1528	840	CBM.exe	CBM.exe
PID 1528 wrote to memory of 948	1528	CBM.exe	schtasks.exe
PID 1528 wrote to memory of 948	1528	CBM.exe	schtasks.exe
PID 1528 wrote to memory of 948	1528	CBM.exe	schtasks.exe
PID 1528 wrote to memory of 948	1528	CBM.exe	schtasks.exe
PID 1528 wrote to memory of 904	1528	CBM.exe	schtasks.exe
PID 1528 wrote to memory of 904	1528	CBM.exe	schtasks.exe
PID 1528 wrote to memory of 904	1528	CBM.exe	schtasks.exe
PID 1528 wrote to memory of 904	1528	CBM.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\TT COPY.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:916

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\CBM.exe
C:\Users\Admin\AppData\Roaming\CBM.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Roaming\CBM.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1052

C:\Users\Admin\AppData\Roaming\CBM.exe
"{path}"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp"
4⤵
- Creates scheduled task(s)
PID:948

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DPI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp61FF.tmp"
4⤵
- Creates scheduled task(s)
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6114.tmp
MD5
6bae186b8e002410e651b9ba00d16b25

SHA1
52b6b48b4be252776acc252f65a05d71340fe3f0

SHA256
97cd3bccc5f09d09db0f786fdd8682fcde28e11ecb90159a4925df02bc98194a

SHA512
e79234d9467c46ac72b3631522e00dc18ea94d62c2fca6735b19c779ee9e66689a5de724ee90fd344c46cbf78576cc129455aa6415844bcfc88045435952e99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp61FF.tmp
MD5
a9af285136db016a568e4a53208f21d0

SHA1
e1afef2b7ee8ae945353315daa19a15574b435b7

SHA256
7dce876e35550f4a5b8ce8a8bbab3b0ccd7c5b8660f9db4b832466b77e3a8b7c

SHA512
80a1f5e463a87cddc0f66336e2dc4262daf98984c6f6c662c3615d615ebe7c58677c3d694edb3bd7816ccee969aae967c7efe8526ba423f274ac1210c0c8bd6e

Download Submit
C:\Users\Admin\AppData\Roaming\CBM.exe
MD5
d9b7fb50628a76fe7603d82f6f0c0bd8

SHA1
019ef807727684992fefd8dc47bdcc2593419389

SHA256
c8d57922491f40b0c3e2ea9b0aff04df0de89ae9a6525508868134d1caca3113

SHA512
e966f22d4b151262c4177913d38d7b733565d5f75324cfcf3a61e56168a32bd848aeadc4cdcfe8d66d747d8926eadf1163219ba2360fcd368e2eb179d7ee8412

Download Submit
C:\Users\Admin\AppData\Roaming\CBM.exe
MD5
d9b7fb50628a76fe7603d82f6f0c0bd8

SHA1
019ef807727684992fefd8dc47bdcc2593419389

SHA256
c8d57922491f40b0c3e2ea9b0aff04df0de89ae9a6525508868134d1caca3113

SHA512
e966f22d4b151262c4177913d38d7b733565d5f75324cfcf3a61e56168a32bd848aeadc4cdcfe8d66d747d8926eadf1163219ba2360fcd368e2eb179d7ee8412

Download Submit
C:\Users\Admin\AppData\Roaming\CBM.exe
MD5
d9b7fb50628a76fe7603d82f6f0c0bd8

SHA1
019ef807727684992fefd8dc47bdcc2593419389

SHA256
c8d57922491f40b0c3e2ea9b0aff04df0de89ae9a6525508868134d1caca3113

SHA512
e966f22d4b151262c4177913d38d7b733565d5f75324cfcf3a61e56168a32bd848aeadc4cdcfe8d66d747d8926eadf1163219ba2360fcd368e2eb179d7ee8412

Download Submit
C:\Users\Admin\AppData\Roaming\CBM.exe
MD5
d9b7fb50628a76fe7603d82f6f0c0bd8

SHA1
019ef807727684992fefd8dc47bdcc2593419389

SHA256
c8d57922491f40b0c3e2ea9b0aff04df0de89ae9a6525508868134d1caca3113

SHA512
e966f22d4b151262c4177913d38d7b733565d5f75324cfcf3a61e56168a32bd848aeadc4cdcfe8d66d747d8926eadf1163219ba2360fcd368e2eb179d7ee8412

Download Submit
\Users\Admin\AppData\Roaming\CBM.exe
MD5
d9b7fb50628a76fe7603d82f6f0c0bd8

SHA1
019ef807727684992fefd8dc47bdcc2593419389

SHA256
c8d57922491f40b0c3e2ea9b0aff04df0de89ae9a6525508868134d1caca3113

SHA512
e966f22d4b151262c4177913d38d7b733565d5f75324cfcf3a61e56168a32bd848aeadc4cdcfe8d66d747d8926eadf1163219ba2360fcd368e2eb179d7ee8412

Download Submit
\Users\Admin\AppData\Roaming\CBM.exe
MD5
d9b7fb50628a76fe7603d82f6f0c0bd8

SHA1
019ef807727684992fefd8dc47bdcc2593419389

SHA256
c8d57922491f40b0c3e2ea9b0aff04df0de89ae9a6525508868134d1caca3113

SHA512
e966f22d4b151262c4177913d38d7b733565d5f75324cfcf3a61e56168a32bd848aeadc4cdcfe8d66d747d8926eadf1163219ba2360fcd368e2eb179d7ee8412

Download Submit
memory/840-69-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/840-72-0x0000000000381000-0x0000000000382000-memory.dmp

Filesize
4KB

Download
memory/840-65-0x0000000000000000-mapping.dmp

Download
memory/904-81-0x0000000000000000-mapping.dmp

Download
memory/916-70-0x0000000000000000-mapping.dmp

Download
memory/916-71-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/948-79-0x0000000000000000-mapping.dmp

Download
memory/1528-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-75-0x000000000041E792-mapping.dmp

Download
memory/1528-78-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1628-62-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1840-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1840-59-0x000000002FD31000-0x000000002FD34000-memory.dmp

Filesize
12KB

Download
memory/1840-60-0x00000000717B1000-0x00000000717B3000-memory.dmp

Filesize
8KB

Download
memory/1840-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads