nanocore | 0c0fb03ae8f2a44f05bb46d66a05377aa4aa38ca79924eb71be2aea3344a8d64

Analysis

max time kernel
141s
max time network
148s
platform
windows10_x64
resource
win10-en-20210920
submitted
08-10-2021 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77e7c359cd4b72b1698280b71f4ec5c8.exe
Size

1.1MB
MD5

77e7c359cd4b72b1698280b71f4ec5c8
SHA1

afa378b045cb8ebb9e50cee90617f4041495bb68
SHA256

0c0fb03ae8f2a44f05bb46d66a05377aa4aa38ca79924eb71be2aea3344a8d64
SHA512

a5b362dbaa2f48ec23a1988c8fe70f6c36ad1a59631fd689407659e331fbdd55b73086aea56af8e3dbe4987a986985aaa48c5177b968dec97d38aa1adea2c956

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

strongodss.ddns.net:48562

185.19.85.175:48562

Mutex

ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6

Attributes

activate_away_mode
false
backup_connection_host
185.19.85.175
backup_dns_server
buffer_size
65538
build_time
2021-04-20T00:12:13.961451136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
48562
default_group
HOBBIT
enable_debug_mode
true
gc_threshold
1.0485772e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.0485772e+07
mutex
ba2baad0-dd3f-4844-a1e3-4d042f9ae8b6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
strongodss.ddns.net
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8009

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

nrcoltwou.pifRegSvcs.exe

pid process

3308 nrcoltwou.pif
992 RegSvcs.exe

pid	process
3308	nrcoltwou.pif
992	RegSvcs.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nrcoltwou.pifRegSvcs.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	nrcoltwou.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\85169391\\NRCOLT~1.PIF C:\\Users\\Admin\\85169391\\dhvv.bgf"	nrcoltwou.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\85169391\\Update.vbs"	nrcoltwou.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	RegSvcs.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegSvcs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

nrcoltwou.pif

description pid process target process

PID 3308 set thread context of 992 3308 nrcoltwou.pif RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegSvcs.exe

description	pid	process	target process
PID 3308 set thread context of 992	3308	nrcoltwou.pif	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3388 schtasks.exe
3736 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

RegSvcs.exe

pid process

992 RegSvcs.exe
992 RegSvcs.exe
992 RegSvcs.exe
992 RegSvcs.exe
992 RegSvcs.exe
992 RegSvcs.exe
992 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

992 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 992 RegSvcs.exe
Token: SeDebugPrivilege 992 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nrcoltwou.pif

pid process

3308 nrcoltwou.pif

pid	process
3388	schtasks.exe
3736	schtasks.exe

pid	process
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe
992	RegSvcs.exe

pid	process
992	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	992	RegSvcs.exe
Token: SeDebugPrivilege	992	RegSvcs.exe

pid	process
3308	nrcoltwou.pif

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

77e7c359cd4b72b1698280b71f4ec5c8.exenrcoltwou.pifRegSvcs.exe

description	pid	process	target process
PID 2068 wrote to memory of 3308	2068	77e7c359cd4b72b1698280b71f4ec5c8.exe	nrcoltwou.pif
PID 2068 wrote to memory of 3308	2068	77e7c359cd4b72b1698280b71f4ec5c8.exe	nrcoltwou.pif
PID 2068 wrote to memory of 3308	2068	77e7c359cd4b72b1698280b71f4ec5c8.exe	nrcoltwou.pif
PID 3308 wrote to memory of 992	3308	nrcoltwou.pif	RegSvcs.exe
PID 3308 wrote to memory of 992	3308	nrcoltwou.pif	RegSvcs.exe
PID 3308 wrote to memory of 992	3308	nrcoltwou.pif	RegSvcs.exe
PID 3308 wrote to memory of 992	3308	nrcoltwou.pif	RegSvcs.exe
PID 3308 wrote to memory of 992	3308	nrcoltwou.pif	RegSvcs.exe
PID 992 wrote to memory of 3388	992	RegSvcs.exe	schtasks.exe
PID 992 wrote to memory of 3388	992	RegSvcs.exe	schtasks.exe
PID 992 wrote to memory of 3388	992	RegSvcs.exe	schtasks.exe
PID 992 wrote to memory of 3736	992	RegSvcs.exe	schtasks.exe
PID 992 wrote to memory of 3736	992	RegSvcs.exe	schtasks.exe
PID 992 wrote to memory of 3736	992	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\77e7c359cd4b72b1698280b71f4ec5c8.exe
"C:\Users\Admin\AppData\Local\Temp\77e7c359cd4b72b1698280b71f4ec5c8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\85169391\nrcoltwou.pif
  "C:\Users\Admin\85169391\nrcoltwou.pif" dhvv.bgf
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD9E6.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3388
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDB6E.tmp"
      4⤵
      Creates scheduled task(s)
      PID:3736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\85169391\dhvv.bgf

MD5
954e76a842e032f7a251db0df6b101bc

SHA1
1d24feb336a3609c6f16c9c24898648145285f60

SHA256
42250e023f3f4f7c10e75b2d778dc0aa97faa7341fd4db381baa06437af4a1f9

SHA512
a283b551191d789deb6b4f52e7e31716ebaff6705cf037f9570297241cae7ec5ab947b8c30466a856823d8c5a0f10fd64704a7cb7d79bcbc64f306ebd752a824

Download Submit
C:\Users\Admin\85169391\hjtqo.vlh

MD5
ca4cf87a7d6a534d1ac85baedbe101dd

SHA1
76717270551e3bb27a5a01f01d0c4d1a0552221f

SHA256
40782515fc38396f9cfb18500afc4f17d1a5d33f0505b8b29685a3c6c0ca63e4

SHA512
0d48788317e124c0cc110f3208e5610998f555e701a4bd984da607b80c68ed6cfd9b2a4d84bf77124b4b83d5d7b442e09f8e9d6ecb02e30e013c07c88fe2821d

Download Submit
C:\Users\Admin\85169391\munqfwvg.dat

MD5
09aa1d567df3f1a926e44310485f8227

SHA1
1f44273cd400d5090c732fff9b7553dca16f90d5

SHA256
467e57c3f73e68172760bdae624c203826376bbedc53dd71e7e289f12aa366ac

SHA512
b625fd1a67a07034839f3e6d217392dc5f253a56b6565378ec5318e19e1a7dc4c30ebff93f6c6df613502a3cf8f24f4106b2c02a13e0ddd79b6b728b3f3d83e5

Download Submit
C:\Users\Admin\85169391\nrcoltwou.pif

MD5
279dae7236f5f2488a4bacde6027f730

SHA1
29a012e5259739f24480cedfd6d5f2d860cfcdb3

SHA256
415850f2706681a6d80708fca8ac18dcf97e58b8f3fdc7bc4b558ab15fc0a03f

SHA512
b81276fc4d915a9721dae15aa064781a1dba665ff4864ccbdf624e8049c1b3c12a2b374f11cffcf6e4a5217766836edbc5f2376ffa8765f9070cbd87d7ae2fe8

Download Submit
C:\Users\Admin\85169391\nrcoltwou.pif

MD5
279dae7236f5f2488a4bacde6027f730

SHA1
29a012e5259739f24480cedfd6d5f2d860cfcdb3

SHA256
415850f2706681a6d80708fca8ac18dcf97e58b8f3fdc7bc4b558ab15fc0a03f

SHA512
b81276fc4d915a9721dae15aa064781a1dba665ff4864ccbdf624e8049c1b3c12a2b374f11cffcf6e4a5217766836edbc5f2376ffa8765f9070cbd87d7ae2fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9E6.tmp

MD5
95aceabc58acad5d73372b0966ee1b35

SHA1
2293b7ad4793cf574b1a5220e85f329b5601040a

SHA256
8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4

SHA512
00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB6E.tmp

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
memory/992-127-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/992-122-0x00000000005BE792-mapping.dmp

Download
memory/992-128-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/992-129-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/992-130-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/992-131-0x0000000005300000-0x00000000057FE000-memory.dmp

Filesize
5.0MB

Download
memory/992-139-0x0000000006220000-0x0000000006223000-memory.dmp

Filesize
12KB

Download
memory/992-138-0x0000000006200000-0x0000000006219000-memory.dmp

Filesize
100KB

Download
memory/992-137-0x0000000005490000-0x0000000005496000-memory.dmp

Filesize
24KB

Download
memory/992-121-0x00000000005A0000-0x0000000000B95000-memory.dmp

Filesize
6.0MB

Download
memory/992-136-0x0000000005480000-0x0000000005485000-memory.dmp

Filesize
20KB

Download
memory/3308-115-0x0000000000000000-mapping.dmp

Download
memory/3388-132-0x0000000000000000-mapping.dmp

Download
memory/3736-134-0x0000000000000000-mapping.dmp

Download