nanocore | 56f1040045ad7e244e7825dfb1c8d6a4714811511cc4c72d73d5c13c7411a168

General

Target

DHL TRACKING DETAILS.exe
Size

375KB
MD5

c83f7a1a326f7b47ec13eebea020a467
SHA1

90c2c4514dad7500f64ef90807841141cab506d4
SHA256

56f1040045ad7e244e7825dfb1c8d6a4714811511cc4c72d73d5c13c7411a168
SHA512

a5cfec49d6eb08f01bfdfa66cb2a3eb83221c48484efcb80f8a2d7802f92941ad8e21883e72cc0a4235f7bb758337b35a6868fcbb2fbda595d5d32cea1700a7a

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chinomso.duckdns.org:7688

Mutex

bee718f3-e47a-44f8-955e-2fe2c6c0351c

Attributes

activate_away_mode
true
backup_connection_host
chinomso.duckdns.org
backup_dns_server
chinomso.duckdns.org
buffer_size
65535
build_time
2021-01-17T14:27:22.436365536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7688
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bee718f3-e47a-44f8-955e-2fe2c6c0351c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chinomso.duckdns.org
primary_dns_server
chinomso.duckdns.org
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DHL TRACKING DETAILS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UPNP Subsystem = "C:\\Program Files (x86)\\UPNP Subsystem\\upnpss.exe"	DHL TRACKING DETAILS.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

DHL TRACKING DETAILS.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DHL TRACKING DETAILS.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL TRACKING DETAILS.exe

description pid process target process

PID 664 set thread context of 2120 664 DHL TRACKING DETAILS.exe DHL TRACKING DETAILS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DHL TRACKING DETAILS.exe

description	pid	process	target process
PID 664 set thread context of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe

Drops file in Program Files directory 2 IoCs

Processes:

DHL TRACKING DETAILS.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	DHL TRACKING DETAILS.exe
File created	C:\Program Files (x86)\UPNP Subsystem\upnpss.exe	DHL TRACKING DETAILS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2148 schtasks.exe
2244 schtasks.exe
1988 schtasks.exe

pid	process
2148	schtasks.exe
2244	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

DHL TRACKING DETAILS.exe

pid	process
2120	DHL TRACKING DETAILS.exe
2120	DHL TRACKING DETAILS.exe
2120	DHL TRACKING DETAILS.exe
2120	DHL TRACKING DETAILS.exe
2120	DHL TRACKING DETAILS.exe
2120	DHL TRACKING DETAILS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DHL TRACKING DETAILS.exe

pid process

2120 DHL TRACKING DETAILS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL TRACKING DETAILS.exe

description pid process

Token: SeDebugPrivilege 2120 DHL TRACKING DETAILS.exe

description	pid	process
Token: SeDebugPrivilege	2120	DHL TRACKING DETAILS.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

DHL TRACKING DETAILS.exeDHL TRACKING DETAILS.exe

description	pid	process	target process
PID 664 wrote to memory of 2244	664	DHL TRACKING DETAILS.exe	schtasks.exe
PID 664 wrote to memory of 2244	664	DHL TRACKING DETAILS.exe	schtasks.exe
PID 664 wrote to memory of 2244	664	DHL TRACKING DETAILS.exe	schtasks.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 664 wrote to memory of 2120	664	DHL TRACKING DETAILS.exe	DHL TRACKING DETAILS.exe
PID 2120 wrote to memory of 1988	2120	DHL TRACKING DETAILS.exe	schtasks.exe
PID 2120 wrote to memory of 1988	2120	DHL TRACKING DETAILS.exe	schtasks.exe
PID 2120 wrote to memory of 1988	2120	DHL TRACKING DETAILS.exe	schtasks.exe
PID 2120 wrote to memory of 2148	2120	DHL TRACKING DETAILS.exe	schtasks.exe
PID 2120 wrote to memory of 2148	2120	DHL TRACKING DETAILS.exe	schtasks.exe
PID 2120 wrote to memory of 2148	2120	DHL TRACKING DETAILS.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VwBkiqeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5862.tmp"
2⤵
- Creates scheduled task(s)
PID:2244

C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe
"C:\Users\Admin\AppData\Local\Temp\DHL TRACKING DETAILS.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5FD4.tmp"
3⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "UPNP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6033.tmp"
3⤵
- Creates scheduled task(s)
PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5FD4.tmp
MD5
473927eecfadb18098e36c3a1158a9c3

SHA1
b04a7ceb104d6256ddb3e93810c4fae339c1066d

SHA256
e483766a8138bf4dbffe48eeb9074cff494a56de667d853442556d91f70de908

SHA512
4c832369091bb92bc30d4f4d34ea9812c2506a0716dc5f8057bd10287bbe3436432dd824dcbb57b37a66bdb24881df9eca276c6ef7f6f6eb7a8241ef009074eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6033.tmp
MD5
af9986f5e128fd8bd3ae748fcba6576d

SHA1
8060072c35108b48649a03be91803b97f1ad40a4

SHA256
f3242f6480b3d1a8f9285135fdce9a201c4802ce062eee4fb41c488a21d53303

SHA512
f35c8e1699905bc972ae48a5a4a9fd33ea04b2d851ffc1cb1d1573a2087121d803b4186a696b2edad10a9c46c388a478e105f5a730020b598aa9f483086dba38

Download Submit
memory/664-116-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/664-117-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/664-118-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/664-119-0x0000000005220000-0x000000000571E000-memory.dmp

Filesize
5.0MB

Download
memory/664-120-0x0000000005710000-0x0000000005715000-memory.dmp

Filesize
20KB

Download
memory/664-121-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/664-122-0x0000000006F10000-0x0000000006F65000-memory.dmp

Filesize
340KB

Download
memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1988-132-0x0000000000000000-mapping.dmp

Download
memory/2120-145-0x0000000006BE0000-0x0000000006BE6000-memory.dmp

Filesize
24KB

Download
memory/2120-143-0x0000000006BC0000-0x0000000006BCC000-memory.dmp

Filesize
48KB

Download
memory/2120-152-0x0000000006F90000-0x0000000006F91000-memory.dmp

Filesize
4KB

Download
memory/2120-124-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2120-136-0x0000000005220000-0x000000000571E000-memory.dmp

Filesize
5.0MB

Download
memory/2120-137-0x0000000005470000-0x0000000005475000-memory.dmp

Filesize
20KB

Download
memory/2120-138-0x0000000005480000-0x0000000005499000-memory.dmp

Filesize
100KB

Download
memory/2120-139-0x0000000006410000-0x0000000006413000-memory.dmp

Filesize
12KB

Download
memory/2120-140-0x0000000005600000-0x000000000560D000-memory.dmp

Filesize
52KB

Download
memory/2120-141-0x0000000006420000-0x0000000006435000-memory.dmp

Filesize
84KB

Download
memory/2120-142-0x0000000006BB0000-0x0000000006BB6000-memory.dmp

Filesize
24KB

Download
memory/2120-125-0x000000000041E792-mapping.dmp

Download
memory/2120-144-0x0000000006BD0000-0x0000000006BD7000-memory.dmp

Filesize
28KB

Download
memory/2120-151-0x0000000006C80000-0x0000000006C8F000-memory.dmp

Filesize
60KB

Download
memory/2120-146-0x0000000006BF0000-0x0000000006BFD000-memory.dmp

Filesize
52KB

Download
memory/2120-147-0x0000000006C00000-0x0000000006C09000-memory.dmp

Filesize
36KB

Download
memory/2120-148-0x0000000006C10000-0x0000000006C1F000-memory.dmp

Filesize
60KB

Download
memory/2120-149-0x0000000006C30000-0x0000000006C3A000-memory.dmp

Filesize
40KB

Download
memory/2120-150-0x0000000006C40000-0x0000000006C69000-memory.dmp

Filesize
164KB

Download
memory/2148-134-0x0000000000000000-mapping.dmp

Download
memory/2244-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads