nanocore | f475dda218513a22edc7ec2e734fb91ddf60dc7b38b87e7de487de6fe9307e47

Analysis

max time kernel
78s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
26-10-2021 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0475ed517da8a71bc4a87f14a44cf8fe.exe
Size

12KB
MD5

0475ed517da8a71bc4a87f14a44cf8fe
SHA1

311e146bcc1a342ab135240e0c8e31730f8ad879
SHA256

f475dda218513a22edc7ec2e734fb91ddf60dc7b38b87e7de487de6fe9307e47
SHA512

9087831b5e355f48d38df716982125865aefde794ad8c1ecdd68606a4a338182eff4a2b7bcf7dc29098178b9fd485a599eae2a011f01257536c3b0b0f9ac5f58

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

fridaycav.duckdns.org:6400

Mutex

453aeca4-8168-43fd-806a-925b22b64441

Attributes

activate_away_mode
true
backup_connection_host
fridaycav.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-20T17:51:18.465757636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6400
default_group
FRIDAY CAV
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
453aeca4-8168-43fd-806a-925b22b64441
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fridaycav.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0475ed517da8a71bc4a87f14a44cf8fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0475ed517da8a71bc4a87f14a44cf8fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\䯶䰍䯷䯳䰒䯯䰤䯷䰥䰔䯸䰤䰄䯰䰀\svchost.exe = "0"	0475ed517da8a71bc4a87f14a44cf8fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe = "0"	0475ed517da8a71bc4a87f14a44cf8fe.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

pid	process
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description pid process target process

PID 2516 set thread context of 3456 2516 0475ed517da8a71bc4a87f14a44cf8fe.exe 0475ed517da8a71bc4a87f14a44cf8fe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3516 2516 WerFault.exe 0475ed517da8a71bc4a87f14a44cf8fe.exe

description	pid	process	target process
PID 2516 set thread context of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe

pid	pid_target	process	target process
3516	2516	WerFault.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exepowershell.exepowershell.exepowershell.exe0475ed517da8a71bc4a87f14a44cf8fe.exeWerFault.exe

pid	process
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
1000	powershell.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
1188	powershell.exe
708	powershell.exe
1188	powershell.exe
1000	powershell.exe
708	powershell.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
3516	WerFault.exe
708	powershell.exe
1000	powershell.exe
1188	powershell.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

pid process

3456 0475ed517da8a71bc4a87f14a44cf8fe.exe

pid	process
3456	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exepowershell.exepowershell.exepowershell.exeWerFault.exe0475ed517da8a71bc4a87f14a44cf8fe.exe

description	pid	process
Token: SeDebugPrivilege	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeRestorePrivilege	3516	WerFault.exe
Token: SeBackupPrivilege	3516	WerFault.exe
Token: SeDebugPrivilege	3456	0475ed517da8a71bc4a87f14a44cf8fe.exe
Token: SeDebugPrivilege	3516	WerFault.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description	pid	process	target process
PID 2516 wrote to memory of 1000	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 1000	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 1000	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 1188	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 1188	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 1188	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 708	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 708	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 708	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2516 wrote to memory of 3360	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3360	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3360	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2516 wrote to memory of 3456	2516	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe

C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe
"C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䯶䰍䯷䯳䰒䯯䰤䯷䰥䰔䯸䰤䰄䯰䰀\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䯶䰍䯷䯳䰒䯯䰤䯷䰥䰔䯸䰤䰄䯰䰀\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe
  "C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe"
  2⤵
  PID:3360
- C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe
  "C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 2184
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f50d3c07a2c9c2cee8a7f2e70aa04567

SHA1
bdfd0e3800fc50f84e75150f1816d0367080c4f2

SHA256
7f95b2dfb1f499a3b79edfb73180247e609b2e0ed7ad818024c05ed186bceedc

SHA512
cc864c7f4521fb041f2a6a4c41e86c0cf6c768f6fbb06f4c4f703d3e210ad43c6dd3346470cef30fa1855ef00a4a3dfcb994768e049973d8b031946f4e0b6b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
ac14a1a602d3a82c3d8f1b07672bd72c

SHA1
c7d893b0b3041105bffc82d70f36e1e0023e6840

SHA256
fc6659c52eafd9d99bc763594f3b222d615e9308e73abb703b56ea4d7f22d5ae

SHA512
8ffdfbd5111087895f8414bffc8dc4020349480b86840c4a98a2c594ba779ec90fe7ee2004854578c53d0cdf731aff49370261ef15155c5a847345e806a946a6

Download Submit
memory/708-156-0x0000000006CF2000-0x0000000006CF3000-memory.dmp

Filesize
4KB

Download
memory/708-180-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/708-260-0x0000000006CF3000-0x0000000006CF4000-memory.dmp

Filesize
4KB

Download
memory/708-227-0x000000007EEE0000-0x000000007EEE1000-memory.dmp

Filesize
4KB

Download
memory/708-151-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

Filesize
4KB

Download
memory/708-133-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/708-135-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/708-126-0x0000000000000000-mapping.dmp

Download
memory/708-164-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/1000-179-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1000-129-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1000-128-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1000-127-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1000-130-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/1000-259-0x00000000071E3000-0x00000000071E4000-memory.dmp

Filesize
4KB

Download
memory/1000-149-0x00000000071E2000-0x00000000071E3000-memory.dmp

Filesize
4KB

Download
memory/1000-155-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/1000-124-0x0000000000000000-mapping.dmp

Download
memory/1000-223-0x000000007E820000-0x000000007E821000-memory.dmp

Filesize
4KB

Download
memory/1000-147-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/1000-145-0x0000000007720000-0x0000000007721000-memory.dmp

Filesize
4KB

Download
memory/1188-131-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1188-125-0x0000000000000000-mapping.dmp

Download
memory/1188-258-0x0000000004EF3000-0x0000000004EF4000-memory.dmp

Filesize
4KB

Download
memory/1188-231-0x000000007EBD0000-0x000000007EBD1000-memory.dmp

Filesize
4KB

Download
memory/1188-183-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1188-150-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/1188-153-0x0000000004EF2000-0x0000000004EF3000-memory.dmp

Filesize
4KB

Download
memory/1188-161-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/1188-132-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1188-173-0x0000000008690000-0x0000000008691000-memory.dmp

Filesize
4KB

Download
memory/1188-170-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/2516-123-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/2516-117-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/2516-118-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2516-115-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2516-134-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/2516-119-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/2516-120-0x00000000049E0000-0x0000000004EDE000-memory.dmp

Filesize
5.0MB

Download
memory/2516-121-0x0000000000860000-0x00000000008EF000-memory.dmp

Filesize
572KB

Download
memory/2516-122-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/3456-189-0x0000000006B30000-0x0000000006B36000-memory.dmp

Filesize
24KB

Download
memory/3456-169-0x0000000005840000-0x0000000005843000-memory.dmp

Filesize
12KB

Download
memory/3456-190-0x0000000006B40000-0x0000000006B47000-memory.dmp

Filesize
28KB

Download
memory/3456-188-0x0000000006B20000-0x0000000006B2C000-memory.dmp

Filesize
48KB

Download
memory/3456-187-0x0000000006B10000-0x0000000006B16000-memory.dmp

Filesize
24KB

Download
memory/3456-152-0x0000000005530000-0x0000000005A2E000-memory.dmp

Filesize
5.0MB

Download
memory/3456-140-0x000000000041E792-mapping.dmp

Download
memory/3456-186-0x0000000006AD0000-0x0000000006AE5000-memory.dmp

Filesize
84KB

Download
memory/3456-185-0x0000000006AC0000-0x0000000006ACD000-memory.dmp

Filesize
52KB

Download
memory/3456-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3456-167-0x0000000005820000-0x0000000005825000-memory.dmp

Filesize
20KB

Download
memory/3456-168-0x0000000006260000-0x0000000006279000-memory.dmp

Filesize
100KB

Download