nanocore | a6aaa67c49799355898d8682152182b03f37a7d603bac9a70ddd7e0f9634aced

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-en-20210920
submitted
19-10-2021 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.js
Size

1.5MB
MD5

10121200161a9b69383c486c79db5c3c
SHA1

bd3a112217bd7dbfacd85d0375e26b048c617cb2
SHA256

a6aaa67c49799355898d8682152182b03f37a7d603bac9a70ddd7e0f9634aced
SHA512

d6bc5157638b35997c5a937c70c700f671e4cdc11eb19e4665defc1c332d246b16f017bb76d8fc87dcc3d7df1d8471ce5d9730e218ffd7d9c0cacc8b3ac74eda

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Filname.exevmgsxoas.pif

pid process

2028 Filname.exe
1420 vmgsxoas.pif

pid	process
2028	Filname.exe
1420	vmgsxoas.pif

Drops startup file 2 IoCs

Processes:

vmgsxoas.pif

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	vmgsxoas.pif
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	vmgsxoas.pif

Loads dropped DLL 4 IoCs

Processes:

Filname.exe

pid process

2028 Filname.exe
2028 Filname.exe
2028 Filname.exe
2028 Filname.exe

pid	process
2028	Filname.exe
2028	Filname.exe
2028	Filname.exe
2028	Filname.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vmgsxoas.pif

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	vmgsxoas.pif
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\08480610 = "c:\\08480610\\start.vbs"	vmgsxoas.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	vmgsxoas.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\08480610\\vmgsxoas.pif c:\\08480610\\nxxe.dst"	vmgsxoas.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "c:\\08480610\\Update.vbs"	vmgsxoas.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vmgsxoas.pif

pid	process
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif
1420	vmgsxoas.pif

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

wscript.exeFilname.exevmgsxoas.pif

description	pid	process	target process
PID 2012 wrote to memory of 2028	2012	wscript.exe	Filname.exe
PID 2012 wrote to memory of 2028	2012	wscript.exe	Filname.exe
PID 2012 wrote to memory of 2028	2012	wscript.exe	Filname.exe
PID 2012 wrote to memory of 2028	2012	wscript.exe	Filname.exe
PID 2028 wrote to memory of 1420	2028	Filname.exe	vmgsxoas.pif
PID 2028 wrote to memory of 1420	2028	Filname.exe	vmgsxoas.pif
PID 2028 wrote to memory of 1420	2028	Filname.exe	vmgsxoas.pif
PID 2028 wrote to memory of 1420	2028	Filname.exe	vmgsxoas.pif
PID 1420 wrote to memory of 1828	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1828	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1828	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1828	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1480	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1480	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1480	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1480	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 404	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 404	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 404	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 404	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1760	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1760	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1760	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1760	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1052	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1052	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1052	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1052	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1808	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1808	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1808	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1808	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1536	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1536	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1536	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 1536	1420	vmgsxoas.pif	mshta.exe
PID 1420 wrote to memory of 2044	1420	vmgsxoas.pif	RegSvcs.exe
PID 1420 wrote to memory of 2044	1420	vmgsxoas.pif	RegSvcs.exe
PID 1420 wrote to memory of 2044	1420	vmgsxoas.pif	RegSvcs.exe
PID 1420 wrote to memory of 2044	1420	vmgsxoas.pif	RegSvcs.exe
PID 1420 wrote to memory of 2044	1420	vmgsxoas.pif	RegSvcs.exe
PID 1420 wrote to memory of 2044	1420	vmgsxoas.pif	RegSvcs.exe
PID 1420 wrote to memory of 2044	1420	vmgsxoas.pif	RegSvcs.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Output.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\Filname.exe
  "C:\Users\Admin\AppData\Local\Temp\Filname.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\08480610\vmgsxoas.pif
    "C:\08480610\vmgsxoas.pif" nxxe.dst
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1760
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1808
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe"
      4⤵
      PID:1536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\08480610\hrmrjq.egw

MD5
47ab01c250eaaee33a4c1657e2de043b

SHA1
6522bd97d4b32ba3d5f61beb194e11f3af2c7e9b

SHA256
bd1d8be825067d7dca1804b07059aebd172d0b80f11278c46859dc1e266405a8

SHA512
2e07a13a9d9bdae012ad109fd208e5c1daacfad1c3f39753a28fc5a5ae151dd79b87db3096ba190b241ec72c364665359e8c88c9aeb36deebfe289036b6b9113

Download Submit
C:\08480610\nxxe.dst

MD5
8ad9153a1924adba4775343d0e0bd5cf

SHA1
2854cc18b0f53e554cb8f63a0dffa8f452275f57

SHA256
170a983e13eecbe68cdafef68b975a414fa4f2d6c84da2cdf36decc92fa8519b

SHA512
09360c9c6e24435d24cab1d6d0ee7befea8fc43636dd75de07a27625b9a52fd3f319a9bfa86221d45acabc55a5936cea09f5f11a3bbbc3342d9126496a07548a

Download Submit
C:\08480610\segwpjxen.msc

MD5
9de579d72ccea1846d549ddca751db8e

SHA1
c821135312c0653e9dfc2ee6b1b70cfcee198a0e

SHA256
3d73d4dec94ba4d4cbab3d5b5f00f6a7f04963b760cd666809cae6e9d05306ee

SHA512
00d9b0e1c44b1072a37735eca70105f4962b51e744f8d806c27d063f283fa27233a32ee49d40cada4f948b0475633eca5cbe19c37bfcbed08f71fd1e02b3ad89

Download Submit
C:\08480610\vmgsxoas.pif

MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filname.exe

MD5
4d606b05f624febecbb3ae59014ef1e5

SHA1
bf6e4cc9fabc4196d53c8648ba2e813423aeedb7

SHA256
97fc758fb55917d833e5c6adbf1e64bed2a9c9542e29b08479d3d6864c482ec1

SHA512
d2a8288ee4d2f0029efd9dd12f6fe0e324de0d973a01b4f0aff10d896e91b7475965c71d4fe5381edbff30cb1baa3bebef27bde5f85840a39b9f11031cbdd15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filname.exe

MD5
4d606b05f624febecbb3ae59014ef1e5

SHA1
bf6e4cc9fabc4196d53c8648ba2e813423aeedb7

SHA256
97fc758fb55917d833e5c6adbf1e64bed2a9c9542e29b08479d3d6864c482ec1

SHA512
d2a8288ee4d2f0029efd9dd12f6fe0e324de0d973a01b4f0aff10d896e91b7475965c71d4fe5381edbff30cb1baa3bebef27bde5f85840a39b9f11031cbdd15d

Download Submit
\08480610\vmgsxoas.pif

MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
\08480610\vmgsxoas.pif

MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
\08480610\vmgsxoas.pif

MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
\08480610\vmgsxoas.pif

MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
memory/404-69-0x0000000000000000-mapping.dmp

Download
memory/1052-71-0x0000000000000000-mapping.dmp

Download
memory/1420-8-0x0000000000000000-mapping.dmp

Download
memory/1480-68-0x0000000000000000-mapping.dmp

Download
memory/1536-73-0x0000000000000000-mapping.dmp

Download
memory/1760-70-0x0000000000000000-mapping.dmp

Download
memory/1808-72-0x0000000000000000-mapping.dmp

Download
memory/1828-67-0x0000000000000000-mapping.dmp

Download
memory/2028-0-0x0000000000000000-mapping.dmp

Download
memory/2028-2-0x0000000075FA1000-0x0000000075FA3000-memory.dmp

Filesize
8KB

Download