nanocore | c8f88e8482ac653cd2b03a54695c1b27cb1c9b3c607e30847688023f2076e537

Analysis

max time kernel
122s
max time network
152s
platform
windows7_x64
resource
win7-en-20211014
submitted
20-10-2021 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

957cf22a9482b6f8dd1d2d3b372a89c2.exe
Size

1.4MB
MD5

957cf22a9482b6f8dd1d2d3b372a89c2
SHA1

968c7da9974abb70964b14111678b780c36d9b3c
SHA256

c8f88e8482ac653cd2b03a54695c1b27cb1c9b3c607e30847688023f2076e537
SHA512

1134fc172bf643591bd137b08dff03caab70eb88dff584a7fc05a1d742663e9da3ddaa04ad7902fe2aea4fa8a8d9ec87b1e05fe5e25ec1ddfbdde382c0f6f62b

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

newme122.3utilities.com:8822

newme1122.3utilities.com:8822

Mutex

dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe

Attributes

activate_away_mode
true
backup_connection_host
newme1122.3utilities.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-31T13:00:17.372768836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8822
default_group
A New TIme Has Come
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
dcf3fee6-c103-45ee-a2f0-f8afaa78d1fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
newme122.3utilities.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Executes dropped EXE 2 IoCs

Processes:

dcvpquafd.pifRegSvcs.exe

pid process

268 dcvpquafd.pif
924 RegSvcs.exe

pid	process
268	dcvpquafd.pif
924	RegSvcs.exe

Loads dropped DLL 5 IoCs

Processes:

957cf22a9482b6f8dd1d2d3b372a89c2.exedcvpquafd.pif

pid	process
1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe
1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe
1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe
1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe
268	dcvpquafd.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dcvpquafd.pif

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GoogleServices = "C:\\Users\\Admin\\17386207\\DCVPQU~1.PIF C:\\Users\\Admin\\17386207\\edask.vat"	dcvpquafd.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dcvpquafd.pif

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegSvcs.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dcvpquafd.pif

description pid process target process

PID 268 set thread context of 924 268 dcvpquafd.pif RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

RegSvcs.exe

pid process

924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
924 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

924 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 924 RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegSvcs.exe

description	pid	process	target process
PID 268 set thread context of 924	268	dcvpquafd.pif	RegSvcs.exe

pid	process
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe
924	RegSvcs.exe

pid	process
924	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	924	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

957cf22a9482b6f8dd1d2d3b372a89c2.exedcvpquafd.pif

description	pid	process	target process
PID 1276 wrote to memory of 268	1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe	dcvpquafd.pif
PID 1276 wrote to memory of 268	1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe	dcvpquafd.pif
PID 1276 wrote to memory of 268	1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe	dcvpquafd.pif
PID 1276 wrote to memory of 268	1276	957cf22a9482b6f8dd1d2d3b372a89c2.exe	dcvpquafd.pif
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe
PID 268 wrote to memory of 924	268	dcvpquafd.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\957cf22a9482b6f8dd1d2d3b372a89c2.exe
"C:\Users\Admin\AppData\Local\Temp\957cf22a9482b6f8dd1d2d3b372a89c2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\17386207\dcvpquafd.pif
"C:\Users\Admin\17386207\dcvpquafd.pif" edask.vat
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\17386207\dcvpquafd.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
C:\Users\Admin\17386207\edask.vat
MD5
b2fadf9828132b5d1883b5bf3850571f

SHA1
0fa8770e87f4819cf45570112cff825cd3c3bedc

SHA256
6a5ea5295355817b1782e504760a0925668743924d8406b8c62c98439ae27601

SHA512
dcf315145f6701def243c11ed365f8a9c22c0609ada7349b0e89a366c88b0a637de5256475fd32fc8df4da407343f32bc67bd94186006259ed52ff78e6c6ff19

Download Submit
C:\Users\Admin\17386207\ltgokssdov.mp3
MD5
4b6a00d393af4d73816edf20e082db9a

SHA1
ae93247477f6f7f8fbe311241baf66962f6ab7c5

SHA256
79dc15fe44c970c80e4871a5e7b83f451507853623bb34eda18eba7a10d68875

SHA512
fe1c440bc26fc4eedf0aeadfcc7b65cd9cd3bdf86aabf4be827e1513edb60fe8194eec01140c6fdb81dd501de9b5d033add5c40fb1540a77bc2ea202ed4965c6

Download Submit
C:\Users\Admin\17386207\spxkgme.ucf
MD5
24461c216ee93cde43cf9f46d70c9a0e

SHA1
78a31dddd030d3db4be437d7de36d1fffa7e2273

SHA256
8e41d3cac288024286d45ec002473a9feaddfe9b4fb9b50e6a6d26acbb1ecbdf

SHA512
5196efe4bd8e0d8339bdaf3476bd2a15fa13d34565b2095ff8dd79b162f9e02d9865dda74b8c22b43fd3bb5ebf93b725e4a5ee8da565b2376da30ae0cfb0d219

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\17386207\dcvpquafd.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\17386207\dcvpquafd.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\17386207\dcvpquafd.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\17386207\dcvpquafd.pif
MD5
1d7071dd5cda216508b235c0e2318b05

SHA1
0b972fbc1ea8a47204b2a187e608744a4e947bc2

SHA256
788edeacd860a1a3bb22b839c1ecf408227e1e14bbe0b1baf55824075161f996

SHA512
65965d2de629024773dddf5f8f37d40a15afc51cbaec48c8cda3b0763e9391e065c5ee6ab81b7f4e53ab1f531ef53bb9dccd9ddd4a1c9423922eebf37e544118

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/268-60-0x0000000000000000-mapping.dmp

Download
memory/924-72-0x00000000002D0000-0x0000000000A19000-memory.dmp

Filesize
7.3MB

Download
memory/924-78-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

Filesize
24KB

Download
memory/924-68-0x00000000002D0000-0x0000000000A19000-memory.dmp

Filesize
7.3MB

Download
memory/924-67-0x00000000002D0000-0x0000000000A19000-memory.dmp

Filesize
7.3MB

Download
memory/924-88-0x0000000004950000-0x000000000495F000-memory.dmp

Filesize
60KB

Download
memory/924-74-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/924-75-0x0000000000C00000-0x0000000000C05000-memory.dmp

Filesize
20KB

Download
memory/924-76-0x0000000000C70000-0x0000000000C7D000-memory.dmp

Filesize
52KB

Download
memory/924-77-0x0000000000C80000-0x0000000000C95000-memory.dmp

Filesize
84KB

Download
memory/924-69-0x00000000002EE792-mapping.dmp

Download
memory/924-79-0x0000000000CB0000-0x0000000000CB7000-memory.dmp

Filesize
28KB

Download
memory/924-81-0x0000000000E90000-0x0000000000E9D000-memory.dmp

Filesize
52KB

Download
memory/924-80-0x0000000000CC0000-0x0000000000CC6000-memory.dmp

Filesize
24KB

Download
memory/924-82-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

Filesize
36KB

Download
memory/924-83-0x0000000000FC0000-0x0000000000FCF000-memory.dmp

Filesize
60KB

Download
memory/924-85-0x0000000002860000-0x0000000002879000-memory.dmp

Filesize
100KB

Download
memory/924-84-0x0000000001010000-0x000000000101A000-memory.dmp

Filesize
40KB

Download
memory/924-86-0x0000000002880000-0x0000000002883000-memory.dmp

Filesize
12KB

Download
memory/924-87-0x0000000004ED0000-0x0000000004EF9000-memory.dmp

Filesize
164KB

Download
memory/1276-55-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download