nanocore | 2719fac0d4d5ff10221753f561d70346516d6226a3868c40a9d4c9282f370aa0

Analysis

max time kernel
120s
max time network
150s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-10-2021 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

credit notification pdf.exe
Size

3.4MB
MD5

69d14fb14deeb4bc08a3c47840d1f6fb
SHA1

2830362d97678edaa8dc6f28a8c555f690101bed
SHA256

2719fac0d4d5ff10221753f561d70346516d6226a3868c40a9d4c9282f370aa0
SHA512

fcabc96fc48d3ffb75b5b5499603916b27b1cd9556f60f37ba534c6669cb500deca22d110a334dd213611319898df59be80b11059d8fbc344e9afc6b9380d343

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

arkseven702.ddns.net:7727

Mutex

74fb9edb-82b1-41e4-91bd-7fe787b0bbad

Attributes

activate_away_mode
true
backup_connection_host
arkseven702.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-02T20:32:24.918316736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
true
connect_delay
4000
connection_port
7727
default_group
gatewayproject
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
74fb9edb-82b1-41e4-91bd-7fe787b0bbad
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
arkseven702.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Executes dropped EXE 4 IoCs

Processes:

a.exeInstallUtil.exeinfo.exeinfo.exe

pid process

796 a.exe
1072 InstallUtil.exe
900 info.exe
1608 info.exe
Drops startup file 1 IoCs

Processes:

credit notification pdf.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk credit notification pdf.exe
Loads dropped DLL 4 IoCs

Processes:

credit notification pdf.exea.exeinfo.exe

pid process

1332 credit notification pdf.exe
796 a.exe
796 a.exe
900 info.exe

pid	process
796	a.exe
1072	InstallUtil.exe
900	info.exe
1608	info.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk	credit notification pdf.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1332-58-0x0000000000600000-0x0000000000621000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsvc.exe"	InstallUtil.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

InstallUtil.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA InstallUtil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

a.exe

description pid process target process

PID 796 set thread context of 1072 796 a.exe InstallUtil.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallUtil.exe

description	pid	process	target process
PID 796 set thread context of 1072	796	a.exe	InstallUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	InstallUtil.exe
File opened for modification	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

credit notification pdf.exea.exeInstallUtil.exeinfo.exeinfo.exe

pid	process
1332	credit notification pdf.exe
1332	credit notification pdf.exe
1332	credit notification pdf.exe
796	a.exe
796	a.exe
796	a.exe
1072	InstallUtil.exe
1072	InstallUtil.exe
1072	InstallUtil.exe
1072	InstallUtil.exe
1072	InstallUtil.exe
900	info.exe
1608	info.exe
1608	info.exe
1608	info.exe
796	a.exe
796	a.exe
796	a.exe
796	a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

1072 InstallUtil.exe

pid	process
1072	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

credit notification pdf.exea.exeInstallUtil.exeinfo.exeinfo.exe

description	pid	process
Token: SeDebugPrivilege	1332	credit notification pdf.exe
Token: SeDebugPrivilege	796	a.exe
Token: SeDebugPrivilege	1072	InstallUtil.exe
Token: SeDebugPrivilege	900	info.exe
Token: SeDebugPrivilege	1608	info.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

credit notification pdf.exea.exeinfo.exe

description	pid	process	target process
PID 1332 wrote to memory of 796	1332	credit notification pdf.exe	a.exe
PID 1332 wrote to memory of 796	1332	credit notification pdf.exe	a.exe
PID 1332 wrote to memory of 796	1332	credit notification pdf.exe	a.exe
PID 1332 wrote to memory of 796	1332	credit notification pdf.exe	a.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 1072	796	a.exe	InstallUtil.exe
PID 796 wrote to memory of 900	796	a.exe	info.exe
PID 796 wrote to memory of 900	796	a.exe	info.exe
PID 796 wrote to memory of 900	796	a.exe	info.exe
PID 796 wrote to memory of 900	796	a.exe	info.exe
PID 900 wrote to memory of 1608	900	info.exe	info.exe
PID 900 wrote to memory of 1608	900	info.exe	info.exe
PID 900 wrote to memory of 1608	900	info.exe	info.exe
PID 900 wrote to memory of 1608	900	info.exe	info.exe

C:\Users\Admin\AppData\Local\Temp\credit notification pdf.exe
"C:\Users\Admin\AppData\Local\Temp\credit notification pdf.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Roaming\a.exe
"C:\Users\Admin\AppData\Roaming\a.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Users\Admin\AppData\Local\Temp\info.exe
"C:\Users\Admin\AppData\Local\Temp\info.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\info.exe
"C:\Users\Admin\AppData\Local\Temp\info.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.txt
MD5
26699f4bc2125233932e810b35b6d41b

SHA1
5cd07d3f00b6016da833498992457d828280b7d1

SHA256
5b39cf21c003ec9614a0c46ccf53cc7a2dbc41123d0a3067b31235739ffd1dc1

SHA512
cec371a4d791c4b56bed06376e3208d9ed2c61d4ebf552eb139d359b35c1cef558846fffcd0314234193105f2ade13c8b9a3f07668f00da5560c002666acc599

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.txt
MD5
d3a337c32d12f40cc542c4fc6745c68b

SHA1
57a2e6e76da54c2f02114ec8a88f056fbeddb2b2

SHA256
3fa883b208d12375e7cda2839e1c7c6b27480d75a0fc4e4fd99d224021760aa0

SHA512
cd624098b739c80cb5c6942f15a0407e1af20a10be3c7f8d077729807ab37576eb77500271c1d3836c75201f22dc2b1f3bec16e4c667984dcdfe4aac9dde94ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\info.txt
MD5
d3a337c32d12f40cc542c4fc6745c68b

SHA1
57a2e6e76da54c2f02114ec8a88f056fbeddb2b2

SHA256
3fa883b208d12375e7cda2839e1c7c6b27480d75a0fc4e4fd99d224021760aa0

SHA512
cd624098b739c80cb5c6942f15a0407e1af20a10be3c7f8d077729807ab37576eb77500271c1d3836c75201f22dc2b1f3bec16e4c667984dcdfe4aac9dde94ca

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe
MD5
69d14fb14deeb4bc08a3c47840d1f6fb

SHA1
2830362d97678edaa8dc6f28a8c555f690101bed

SHA256
2719fac0d4d5ff10221753f561d70346516d6226a3868c40a9d4c9282f370aa0

SHA512
fcabc96fc48d3ffb75b5b5499603916b27b1cd9556f60f37ba534c6669cb500deca22d110a334dd213611319898df59be80b11059d8fbc344e9afc6b9380d343

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe
MD5
69d14fb14deeb4bc08a3c47840d1f6fb

SHA1
2830362d97678edaa8dc6f28a8c555f690101bed

SHA256
2719fac0d4d5ff10221753f561d70346516d6226a3868c40a9d4c9282f370aa0

SHA512
fcabc96fc48d3ffb75b5b5499603916b27b1cd9556f60f37ba534c6669cb500deca22d110a334dd213611319898df59be80b11059d8fbc344e9afc6b9380d343

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\info.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\info.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\a.exe
MD5
69d14fb14deeb4bc08a3c47840d1f6fb

SHA1
2830362d97678edaa8dc6f28a8c555f690101bed

SHA256
2719fac0d4d5ff10221753f561d70346516d6226a3868c40a9d4c9282f370aa0

SHA512
fcabc96fc48d3ffb75b5b5499603916b27b1cd9556f60f37ba534c6669cb500deca22d110a334dd213611319898df59be80b11059d8fbc344e9afc6b9380d343

Download Submit
memory/796-61-0x0000000000000000-mapping.dmp

Download
memory/796-70-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/796-69-0x0000000000A50000-0x0000000000A5B000-memory.dmp

Filesize
44KB

Download
memory/796-68-0x0000000000B81000-0x0000000000B82000-memory.dmp

Filesize
4KB

Download
memory/796-66-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/796-64-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/900-102-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/900-99-0x0000000000000000-mapping.dmp

Download
memory/1072-83-0x0000000000780000-0x0000000000785000-memory.dmp

Filesize
20KB

Download
memory/1072-94-0x0000000000ED0000-0x0000000000EDF000-memory.dmp

Filesize
60KB

Download
memory/1072-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-84-0x0000000000930000-0x0000000000949000-memory.dmp

Filesize
100KB

Download
memory/1072-85-0x00000000009A0000-0x00000000009A3000-memory.dmp

Filesize
12KB

Download
memory/1072-86-0x0000000000A10000-0x0000000000A1D000-memory.dmp

Filesize
52KB

Download
memory/1072-87-0x0000000000AB0000-0x0000000000AC5000-memory.dmp

Filesize
84KB

Download
memory/1072-88-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/1072-89-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/1072-90-0x0000000000BF0000-0x0000000000BF7000-memory.dmp

Filesize
28KB

Download
memory/1072-91-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/1072-92-0x0000000000C50000-0x0000000000C5D000-memory.dmp

Filesize
52KB

Download
memory/1072-93-0x0000000000CE0000-0x0000000000CE9000-memory.dmp

Filesize
36KB

Download
memory/1072-82-0x00000000043C0000-0x00000000043C1000-memory.dmp

Filesize
4KB

Download
memory/1072-95-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download
memory/1072-96-0x0000000004CE0000-0x0000000004D09000-memory.dmp

Filesize
164KB

Download
memory/1072-97-0x0000000000F00000-0x0000000000F0F000-memory.dmp

Filesize
60KB

Download
memory/1072-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-77-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-78-0x000000000041E792-mapping.dmp

Download
memory/1072-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1072-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1332-55-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/1332-59-0x0000000004AD1000-0x0000000004AD2000-memory.dmp

Filesize
4KB

Download
memory/1332-58-0x0000000000600000-0x0000000000621000-memory.dmp

Filesize
132KB

Download
memory/1332-57-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1608-106-0x0000000000000000-mapping.dmp

Download