nanocore | f605ba8fe94eb367829b61cd05eb5b07f4702b55f2a0faf51589cb46dd6f89a9

General

Target

d2eaaa542a2968b2a9ebe288166779e8.exe
Size

63KB
MD5

d2eaaa542a2968b2a9ebe288166779e8
SHA1

37bcd26dcd35f9dd16bd8aff7cad425f3898309c
SHA256

f605ba8fe94eb367829b61cd05eb5b07f4702b55f2a0faf51589cb46dd6f89a9
SHA512

059a1aed6e654fb4465e11f7a0687ac4e6ec0bc17f4ca2726f1bf4f069c1c757b3577d0dd3e5f5b31cfd9e7c0750ffd2880da31053f5ad8f258227029df3e89a

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

cloudhost.myfirewall.org:5654

Mutex

9845a945-f2ff-4e93-b909-aece664ddb48

Attributes

activate_away_mode
true
backup_connection_host
cloudhost.myfirewall.org
backup_dns_server
cloudhost.myfirewall.org
buffer_size
65535
build_time
2021-06-20T04:14:27.248073436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5654
default_group
J
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9845a945-f2ff-4e93-b909-aece664ddb48
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
cloudhost.myfirewall.org
primary_dns_server
cloudhost.myfirewall.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	d2eaaa542a2968b2a9ebe288166779e8.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d2eaaa542a2968b2a9ebe288166779e8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exe

description pid process target process

PID 2268 set thread context of 1052 2268 d2eaaa542a2968b2a9ebe288166779e8.exe d2eaaa542a2968b2a9ebe288166779e8.exe

description	pid	process	target process
PID 2268 set thread context of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe

Drops file in Program Files directory 2 IoCs

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	d2eaaa542a2968b2a9ebe288166779e8.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2072 schtasks.exe
3580 schtasks.exe

pid	process
2072	schtasks.exe
3580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exed2eaaa542a2968b2a9ebe288166779e8.exe

pid	process
2268	d2eaaa542a2968b2a9ebe288166779e8.exe
2268	d2eaaa542a2968b2a9ebe288166779e8.exe
1052	d2eaaa542a2968b2a9ebe288166779e8.exe
1052	d2eaaa542a2968b2a9ebe288166779e8.exe
1052	d2eaaa542a2968b2a9ebe288166779e8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exe

pid process

1052 d2eaaa542a2968b2a9ebe288166779e8.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exed2eaaa542a2968b2a9ebe288166779e8.exe

description pid process

Token: SeDebugPrivilege 2268 d2eaaa542a2968b2a9ebe288166779e8.exe
Token: SeDebugPrivilege 1052 d2eaaa542a2968b2a9ebe288166779e8.exe

pid	process
1052	d2eaaa542a2968b2a9ebe288166779e8.exe

description	pid	process
Token: SeDebugPrivilege	2268	d2eaaa542a2968b2a9ebe288166779e8.exe
Token: SeDebugPrivilege	1052	d2eaaa542a2968b2a9ebe288166779e8.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

d2eaaa542a2968b2a9ebe288166779e8.exed2eaaa542a2968b2a9ebe288166779e8.exe

description	pid	process	target process
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 2268 wrote to memory of 1052	2268	d2eaaa542a2968b2a9ebe288166779e8.exe	d2eaaa542a2968b2a9ebe288166779e8.exe
PID 1052 wrote to memory of 2072	1052	d2eaaa542a2968b2a9ebe288166779e8.exe	schtasks.exe
PID 1052 wrote to memory of 2072	1052	d2eaaa542a2968b2a9ebe288166779e8.exe	schtasks.exe
PID 1052 wrote to memory of 2072	1052	d2eaaa542a2968b2a9ebe288166779e8.exe	schtasks.exe
PID 1052 wrote to memory of 3580	1052	d2eaaa542a2968b2a9ebe288166779e8.exe	schtasks.exe
PID 1052 wrote to memory of 3580	1052	d2eaaa542a2968b2a9ebe288166779e8.exe	schtasks.exe
PID 1052 wrote to memory of 3580	1052	d2eaaa542a2968b2a9ebe288166779e8.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d2eaaa542a2968b2a9ebe288166779e8.exe
"C:\Users\Admin\AppData\Local\Temp\d2eaaa542a2968b2a9ebe288166779e8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\d2eaaa542a2968b2a9ebe288166779e8.exe
C:\Users\Admin\AppData\Local\Temp\d2eaaa542a2968b2a9ebe288166779e8.exe
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3890.tmp"
3⤵
- Creates scheduled task(s)
PID:2072

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SMTP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp39CA.tmp"
3⤵
- Creates scheduled task(s)
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d2eaaa542a2968b2a9ebe288166779e8.exe.log
MD5
808e884c00533a9eb0e13e64960d9c3a

SHA1
279d05181fc6179a12df1a669ff5d8b64c1380ae

SHA256
2f6a0aab99b1c228a6642f44f8992646ce84c5a2b3b9941b6cf1f2badf67bdd6

SHA512
9489bdb2ffdfeef3c52edcfe9b34c6688eba53eb86075e0564df1cd474723c86b5b5aedc12df1ff5fc12cf97bd1e3cf9701ff61dc4ce90155d70e9ccfd0fc299

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3890.tmp
MD5
dbfc5e273d2e8c0a1e89317aebe012b5

SHA1
6bf4879b8982db970087c0f38d71384e10fd6f4f

SHA256
9c4cf0fc2fc4a8daeb4fe1943f065e21bee8ee49181c7f08cc7c209a79f649a8

SHA512
0220f0cda054e4b6c86b6318c00b561cbb61457ace62854c14af52a495f7391b597f437458001cf5ea349963e50f59e26a71b5476b6e7da51dab214e93f64eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39CA.tmp
MD5
b3b017f9df206021717a11f11d895402

SHA1
e4ea12823af6550ee634536eec1eb14490580a3b

SHA256
654dfce2c28024364e679e1b958f3fb81fc6d29685d534d905d1c83a84351024

SHA512
95666cb81aa1fd1ade04a32f63381ce8bff274d7d300c0b59cbb10a294c4d1eebaa3000365a2000b38793de030044995cf23e623c5e3648d9b00501f97ff9343

Download Submit
memory/1052-126-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1052-128-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/1052-121-0x000000000041E792-mapping.dmp

Download
memory/1052-136-0x0000000005350000-0x0000000005353000-memory.dmp

Filesize
12KB

Download
memory/1052-125-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/1052-135-0x00000000050B0000-0x00000000050C9000-memory.dmp

Filesize
100KB

Download
memory/1052-127-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/1052-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1052-134-0x0000000005080000-0x0000000005085000-memory.dmp

Filesize
20KB

Download
memory/1052-130-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/2072-129-0x0000000000000000-mapping.dmp

Download
memory/2268-118-0x0000000005960000-0x00000000059BB000-memory.dmp

Filesize
364KB

Download
memory/2268-117-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2268-115-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2268-119-0x0000000005B40000-0x0000000005B73000-memory.dmp

Filesize
204KB

Download
memory/3580-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads