nanocore | 9accd263b79d26b6791096b9b5e6f7b0c9d16c0648648301c59bab32ada1071d

General

Target

INVOICE.exe
Size

1.3MB
MD5

088793d72583239cf48bc2cc6cd4e188
SHA1

a9c2abf03fd18407ec41030266dc5912fe5423e4
SHA256

9accd263b79d26b6791096b9b5e6f7b0c9d16c0648648301c59bab32ada1071d
SHA512

3e79b55722a912e04209be3b2c1f7319b88cd3a33d092073b32bafe20ed43887f251a3ad3c5a814d500ddd0871b83025bc7c8c453d224cb60360061fe5382744

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

172.111.250.107:51000

apaduckdns.duckdns.org:51000

Mutex

599952d4-aed1-4828-a423-c4bf438e7e18

Attributes

activate_away_mode
true
backup_connection_host
apaduckdns.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-09-12T02:24:33.575087936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
51000
default_group
GREENFIELD
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
599952d4-aed1-4828-a423-c4bf438e7e18
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
172.111.250.107
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE.exe

description pid process target process

PID 1324 set thread context of 952 1324 INVOICE.exe RegSvcs.exe

description	pid	process	target process
PID 1324 set thread context of 952	1324	INVOICE.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

952 RegSvcs.exe
952 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

952 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 952 RegSvcs.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

INVOICE.exe

pid process

1324 INVOICE.exe
1324 INVOICE.exe
1324 INVOICE.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

INVOICE.exe

pid process

1324 INVOICE.exe
1324 INVOICE.exe
1324 INVOICE.exe

pid	process
952	RegSvcs.exe
952	RegSvcs.exe

pid	process
952	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	952	RegSvcs.exe

pid	process
1324	INVOICE.exe
1324	INVOICE.exe
1324	INVOICE.exe

pid	process
1324	INVOICE.exe
1324	INVOICE.exe
1324	INVOICE.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

INVOICE.exe

description	pid	process	target process
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe
PID 1324 wrote to memory of 952	1324	INVOICE.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-54-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-62-0x000000000041E792-mapping.dmp

Download
memory/952-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-66-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/952-67-0x00000000006B1000-0x00000000006B2000-memory.dmp

Filesize
4KB

Download
memory/952-68-0x00000000006B6000-0x00000000006C7000-memory.dmp

Filesize
68KB

Download
memory/1324-53-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1324-57-0x0000000002990000-0x00000000029C3000-memory.dmp

Filesize
204KB

Download
memory/1324-59-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads