nanocore | 0cb26078cd6e9230a907fba0949163f96aae92447c3f335cd80c76c045b44e52

General

Target

COMPANY PROFILE AND PRODUCT DETAILS.exe
Size

1.3MB
MD5

6e8422cff134a8555f61ef0d739b75ac
SHA1

a12969dc92814fc8ef583280b227e5cb855881f2
SHA256

d1ae10fa2fb16503171022a85d2f104d50c56971455762df22d63ca284fa19e6
SHA512

1ea46be3b365b3eb763a6febcd38befbac2565419859ef4255bc02abbf1fba650cf035a95b2f025e4f8cb70bda3e86fa8762d196e7cb099356b3d82b4579ecf7

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

apaduckdns.duckdns.org:54984

172.111.250.107:54984

Mutex

8fa6609b-cd9c-498b-823e-04cd8e10bbc4

Attributes

activate_away_mode
true
backup_connection_host
172.111.250.107
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-08-09T12:26:00.965163036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
NONNYCRYPTER
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8fa6609b-cd9c-498b-823e-04cd8e10bbc4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
apaduckdns.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops startup file 1 IoCs

Processes:

COMPANY PROFILE AND PRODUCT DETAILS.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitsProxy.url	COMPANY PROFILE AND PRODUCT DETAILS.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

COMPANY PROFILE AND PRODUCT DETAILS.exe

description pid process target process

PID 1424 set thread context of 752 1424 COMPANY PROFILE AND PRODUCT DETAILS.exe RegSvcs.exe

description	pid	process	target process
PID 1424 set thread context of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

COMPANY PROFILE AND PRODUCT DETAILS.exe

pid	process
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe
1424	COMPANY PROFILE AND PRODUCT DETAILS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

752 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 752 RegSvcs.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

COMPANY PROFILE AND PRODUCT DETAILS.exe

pid process

1424 COMPANY PROFILE AND PRODUCT DETAILS.exe
1424 COMPANY PROFILE AND PRODUCT DETAILS.exe
1424 COMPANY PROFILE AND PRODUCT DETAILS.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

COMPANY PROFILE AND PRODUCT DETAILS.exe

pid process

1424 COMPANY PROFILE AND PRODUCT DETAILS.exe
1424 COMPANY PROFILE AND PRODUCT DETAILS.exe
1424 COMPANY PROFILE AND PRODUCT DETAILS.exe

pid	process
752	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	752	RegSvcs.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

COMPANY PROFILE AND PRODUCT DETAILS.exe

description	pid	process	target process
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe
PID 1424 wrote to memory of 752	1424	COMPANY PROFILE AND PRODUCT DETAILS.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE AND PRODUCT DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\COMPANY PROFILE AND PRODUCT DETAILS.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegSvcs.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-60-0x000000000041E792-mapping.dmp

Download
memory/752-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-66-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/752-67-0x0000000000B21000-0x0000000000B22000-memory.dmp

Filesize
4KB

Download
memory/752-68-0x0000000000B26000-0x0000000000B37000-memory.dmp

Filesize
68KB

Download
memory/1424-53-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1424-64-0x0000000000350000-0x0000000000383000-memory.dmp

Filesize
204KB

Download
memory/1424-65-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads