nanocore | a6aaa67c49799355898d8682152182b03f37a7d603bac9a70ddd7e0f9634aced

General

Target

Output.js
Size

1.5MB
MD5

10121200161a9b69383c486c79db5c3c
SHA1

bd3a112217bd7dbfacd85d0375e26b048c617cb2
SHA256

a6aaa67c49799355898d8682152182b03f37a7d603bac9a70ddd7e0f9634aced
SHA512

d6bc5157638b35997c5a937c70c700f671e4cdc11eb19e4665defc1c332d246b16f017bb76d8fc87dcc3d7df1d8471ce5d9730e218ffd7d9c0cacc8b3ac74eda

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

23.105.131.186:8777

Mutex

f96139ab-4501-4b7f-8179-e6ccdbddf26e

Attributes

activate_away_mode
true
backup_connection_host
23.105.131.186
backup_dns_server
buffer_size
65535
build_time
2021-07-24T21:27:22.697649536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8777
default_group
new bind
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f96139ab-4501-4b7f-8179-e6ccdbddf26e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
23.105.131.186
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

Filname.exevmgsxoas.pif

pid process

1296 Filname.exe
1392 vmgsxoas.pif

pid	process
1296	Filname.exe
1392	vmgsxoas.pif

Drops startup file 2 IoCs

Processes:

vmgsxoas.pif

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	vmgsxoas.pif
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk	vmgsxoas.pif

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vmgsxoas.pifRegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\08480610 = "c:\\08480610\\start.vbs"	vmgsxoas.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	RegSvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	vmgsxoas.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\08480610\\vmgsxoas.pif c:\\08480610\\nxxe.dst"	vmgsxoas.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "c:\\08480610\\Update.vbs"	vmgsxoas.pif
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	vmgsxoas.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

vmgsxoas.pif

description pid process target process

PID 1392 set thread context of 2296 1392 vmgsxoas.pif RegSvcs.exe

description	pid	process	target process
PID 1392 set thread context of 2296	1392	vmgsxoas.pif	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

vmgsxoas.pifRegSvcs.exe

pid	process
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
2296	RegSvcs.exe
2296	RegSvcs.exe
2296	RegSvcs.exe
2296	RegSvcs.exe
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
2296	RegSvcs.exe
2296	RegSvcs.exe
2296	RegSvcs.exe
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif
1392	vmgsxoas.pif

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

2296 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2296 RegSvcs.exe

pid	process
2296	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2296	RegSvcs.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

wscript.exeFilname.exevmgsxoas.pif

description	pid	process	target process
PID 2784 wrote to memory of 1296	2784	wscript.exe	Filname.exe
PID 2784 wrote to memory of 1296	2784	wscript.exe	Filname.exe
PID 2784 wrote to memory of 1296	2784	wscript.exe	Filname.exe
PID 1296 wrote to memory of 1392	1296	Filname.exe	vmgsxoas.pif
PID 1296 wrote to memory of 1392	1296	Filname.exe	vmgsxoas.pif
PID 1296 wrote to memory of 1392	1296	Filname.exe	vmgsxoas.pif
PID 1392 wrote to memory of 2544	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 2544	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 2544	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 1048	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 1048	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 1048	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 2768	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 2768	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 2768	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 828	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 828	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 828	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 1040	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 1040	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 1040	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 3452	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 3452	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 3452	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 3572	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 3572	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 3572	1392	vmgsxoas.pif	mshta.exe
PID 1392 wrote to memory of 2296	1392	vmgsxoas.pif	RegSvcs.exe
PID 1392 wrote to memory of 2296	1392	vmgsxoas.pif	RegSvcs.exe
PID 1392 wrote to memory of 2296	1392	vmgsxoas.pif	RegSvcs.exe
PID 1392 wrote to memory of 2296	1392	vmgsxoas.pif	RegSvcs.exe
PID 1392 wrote to memory of 2296	1392	vmgsxoas.pif	RegSvcs.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Output.js
1⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\Filname.exe
"C:\Users\Admin\AppData\Local\Temp\Filname.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296

C:\08480610\vmgsxoas.pif
"C:\08480610\vmgsxoas.pif" nxxe.dst
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:2544

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1048

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:2768

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:828

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1040

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:3452

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\08480610\hrmrjq.egw
MD5
47ab01c250eaaee33a4c1657e2de043b

SHA1
6522bd97d4b32ba3d5f61beb194e11f3af2c7e9b

SHA256
bd1d8be825067d7dca1804b07059aebd172d0b80f11278c46859dc1e266405a8

SHA512
2e07a13a9d9bdae012ad109fd208e5c1daacfad1c3f39753a28fc5a5ae151dd79b87db3096ba190b241ec72c364665359e8c88c9aeb36deebfe289036b6b9113

Download Submit
C:\08480610\nxxe.dst
MD5
8ad9153a1924adba4775343d0e0bd5cf

SHA1
2854cc18b0f53e554cb8f63a0dffa8f452275f57

SHA256
170a983e13eecbe68cdafef68b975a414fa4f2d6c84da2cdf36decc92fa8519b

SHA512
09360c9c6e24435d24cab1d6d0ee7befea8fc43636dd75de07a27625b9a52fd3f319a9bfa86221d45acabc55a5936cea09f5f11a3bbbc3342d9126496a07548a

Download Submit
C:\08480610\segwpjxen.msc
MD5
9de579d72ccea1846d549ddca751db8e

SHA1
c821135312c0653e9dfc2ee6b1b70cfcee198a0e

SHA256
3d73d4dec94ba4d4cbab3d5b5f00f6a7f04963b760cd666809cae6e9d05306ee

SHA512
00d9b0e1c44b1072a37735eca70105f4962b51e744f8d806c27d063f283fa27233a32ee49d40cada4f948b0475633eca5cbe19c37bfcbed08f71fd1e02b3ad89

Download Submit
C:\08480610\vmgsxoas.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
C:\08480610\vmgsxoas.pif
MD5
8e699954f6b5d64683412cc560938507

SHA1
8ca6708b0f158eacce3ac28b23c23ed42c168c29

SHA256
c9a2399cc1ce6f71db9da2f16e6c025bf6cb0f4345b427f21449cf927d627a40

SHA512
13035106149c8d336189b4a6bdaf25e10ac0b027baea963b3ec66a815a572426b2e9485258447cf1362802a0f03a2aa257b276057590663161d9d55d5b737b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filname.exe
MD5
4d606b05f624febecbb3ae59014ef1e5

SHA1
bf6e4cc9fabc4196d53c8648ba2e813423aeedb7

SHA256
97fc758fb55917d833e5c6adbf1e64bed2a9c9542e29b08479d3d6864c482ec1

SHA512
d2a8288ee4d2f0029efd9dd12f6fe0e324de0d973a01b4f0aff10d896e91b7475965c71d4fe5381edbff30cb1baa3bebef27bde5f85840a39b9f11031cbdd15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filname.exe
MD5
4d606b05f624febecbb3ae59014ef1e5

SHA1
bf6e4cc9fabc4196d53c8648ba2e813423aeedb7

SHA256
97fc758fb55917d833e5c6adbf1e64bed2a9c9542e29b08479d3d6864c482ec1

SHA512
d2a8288ee4d2f0029efd9dd12f6fe0e324de0d973a01b4f0aff10d896e91b7475965c71d4fe5381edbff30cb1baa3bebef27bde5f85840a39b9f11031cbdd15d

Download Submit
memory/828-126-0x0000000000000000-mapping.dmp

Download
memory/1040-127-0x0000000000000000-mapping.dmp

Download
memory/1048-124-0x0000000000000000-mapping.dmp

Download
memory/1296-115-0x0000000000000000-mapping.dmp

Download
memory/1392-118-0x0000000000000000-mapping.dmp

Download
memory/2296-138-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download
memory/2296-136-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/2296-143-0x0000000005F50000-0x000000000644E000-memory.dmp

Filesize
5.0MB

Download
memory/2296-142-0x0000000006CF0000-0x0000000006CF3000-memory.dmp

Filesize
12KB

Download
memory/2296-131-0x00000000013C0000-0x0000000001926000-memory.dmp

Filesize
5.4MB

Download
memory/2296-132-0x00000000013DE792-mapping.dmp

Download
memory/2296-135-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/2296-141-0x0000000006430000-0x0000000006449000-memory.dmp

Filesize
100KB

Download
memory/2296-137-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/2296-140-0x0000000006250000-0x0000000006255000-memory.dmp

Filesize
20KB

Download
memory/2296-139-0x0000000005F50000-0x000000000644E000-memory.dmp

Filesize
5.0MB

Download
memory/2544-123-0x0000000000000000-mapping.dmp

Download
memory/2768-125-0x0000000000000000-mapping.dmp

Download
memory/3452-128-0x0000000000000000-mapping.dmp

Download
memory/3572-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads