nanocore | f8ee546f04fa175fa9a8b1f3de8595bd0a4f6aebfeed50a95c5e309d49063e1e

General

Target

e13b24cda6737f13b2dc3f2c20d8823b.exe
Size

531KB
MD5

e13b24cda6737f13b2dc3f2c20d8823b
SHA1

b58a2436a4befb5b7465153a72f64fd17531644c
SHA256

f8ee546f04fa175fa9a8b1f3de8595bd0a4f6aebfeed50a95c5e309d49063e1e
SHA512

c8fd34d209a8659638e349a86fc39f76a11ee0a7a74afb4db479d7c00a6442194a3e3ff9aae41efb6acd065f2cf665342fd523aa19fe69cb95b0178f903b734c

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chongmei33.publicvm.com:5569

Mutex

9b8ed064-d4db-4d21-985f-e3763341fef1

Attributes

activate_away_mode
true
backup_connection_host
chongmei33.publicvm.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-27T15:56:15.517725036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5569
default_group
OCT
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9b8ed064-d4db-4d21-985f-e3763341fef1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chongmei33.publicvm.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e13b24cda6737f13b2dc3f2c20d8823b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox = "\"C:\\Users\\Admin\\AppData\\Roaming\\firefox.exe\""	e13b24cda6737f13b2dc3f2c20d8823b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e13b24cda6737f13b2dc3f2c20d8823b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e13b24cda6737f13b2dc3f2c20d8823b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

e13b24cda6737f13b2dc3f2c20d8823b.exe

description pid process target process

PID 1996 set thread context of 4416 1996 e13b24cda6737f13b2dc3f2c20d8823b.exe e13b24cda6737f13b2dc3f2c20d8823b.exe

description	pid	process	target process
PID 1996 set thread context of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

e13b24cda6737f13b2dc3f2c20d8823b.exee13b24cda6737f13b2dc3f2c20d8823b.exe

pid	process
1996	e13b24cda6737f13b2dc3f2c20d8823b.exe
1996	e13b24cda6737f13b2dc3f2c20d8823b.exe
4416	e13b24cda6737f13b2dc3f2c20d8823b.exe
4416	e13b24cda6737f13b2dc3f2c20d8823b.exe
4416	e13b24cda6737f13b2dc3f2c20d8823b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

e13b24cda6737f13b2dc3f2c20d8823b.exe

pid process

4416 e13b24cda6737f13b2dc3f2c20d8823b.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e13b24cda6737f13b2dc3f2c20d8823b.exee13b24cda6737f13b2dc3f2c20d8823b.exe

description pid process

Token: SeDebugPrivilege 1996 e13b24cda6737f13b2dc3f2c20d8823b.exe
Token: SeDebugPrivilege 4416 e13b24cda6737f13b2dc3f2c20d8823b.exe

pid	process
4416	e13b24cda6737f13b2dc3f2c20d8823b.exe

description	pid	process
Token: SeDebugPrivilege	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe
Token: SeDebugPrivilege	4416	e13b24cda6737f13b2dc3f2c20d8823b.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e13b24cda6737f13b2dc3f2c20d8823b.exe

description	pid	process	target process
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe
PID 1996 wrote to memory of 4416	1996	e13b24cda6737f13b2dc3f2c20d8823b.exe	e13b24cda6737f13b2dc3f2c20d8823b.exe

C:\Users\Admin\AppData\Local\Temp\e13b24cda6737f13b2dc3f2c20d8823b.exe
"C:\Users\Admin\AppData\Local\Temp\e13b24cda6737f13b2dc3f2c20d8823b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\e13b24cda6737f13b2dc3f2c20d8823b.exe
C:\Users\Admin\AppData\Local\Temp\e13b24cda6737f13b2dc3f2c20d8823b.exe
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e13b24cda6737f13b2dc3f2c20d8823b.exe.log
MD5
4f9330dcb7e8730af9341cfdf0d8030f

SHA1
67daaf17560b15fe1d861139bce85a3ff6dbed23

SHA256
1c25f424605d0e3ccf1ec077c36b3d2c89aa628521d10df851c2ff7689ad4617

SHA512
e3becfad18409be0797d172e8b1364775726f9d33d8f125c87656a829b0c0c86fcec433db4446371e68530c0d7cb594fdcf28bb75e1f5d4fba64fe38329d9a40

Download Submit
memory/1996-120-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/1996-118-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1996-119-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1996-115-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1996-121-0x00000000050E0000-0x0000000005113000-memory.dmp

Filesize
204KB

Download
memory/1996-117-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/4416-128-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/4416-122-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4416-123-0x000000000041E792-mapping.dmp

Download
memory/4416-129-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4416-130-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4416-131-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/4416-132-0x0000000004EF0000-0x0000000004EF5000-memory.dmp

Filesize
20KB

Download
memory/4416-133-0x0000000005180000-0x0000000005199000-memory.dmp

Filesize
100KB

Download
memory/4416-134-0x0000000005B60000-0x0000000005B63000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads