nanocore | f475dda218513a22edc7ec2e734fb91ddf60dc7b38b87e7de487de6fe9307e47

General

Target

0475ed517da8a71bc4a87f14a44cf8fe.exe
Size

12KB
MD5

0475ed517da8a71bc4a87f14a44cf8fe
SHA1

311e146bcc1a342ab135240e0c8e31730f8ad879
SHA256

f475dda218513a22edc7ec2e734fb91ddf60dc7b38b87e7de487de6fe9307e47
SHA512

9087831b5e355f48d38df716982125865aefde794ad8c1ecdd68606a4a338182eff4a2b7bcf7dc29098178b9fd485a599eae2a011f01257536c3b0b0f9ac5f58

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

fridaycav.duckdns.org:6400

Mutex

453aeca4-8168-43fd-806a-925b22b64441

Attributes

activate_away_mode
true
backup_connection_host
fridaycav.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-20T17:51:18.465757636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6400
default_group
FRIDAY CAV
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
453aeca4-8168-43fd-806a-925b22b64441
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
fridaycav.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0475ed517da8a71bc4a87f14a44cf8fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0475ed517da8a71bc4a87f14a44cf8fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Documents\䯶䰍䯷䯳䰒䯯䰤䯷䰥䰔䯸䰤䰄䯰䰀\svchost.exe = "0"	0475ed517da8a71bc4a87f14a44cf8fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe = "0"	0475ed517da8a71bc4a87f14a44cf8fe.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

pid	process
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description pid process target process

PID 2664 set thread context of 2976 2664 0475ed517da8a71bc4a87f14a44cf8fe.exe 0475ed517da8a71bc4a87f14a44cf8fe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2412 2664 WerFault.exe 0475ed517da8a71bc4a87f14a44cf8fe.exe

description	pid	process	target process
PID 2664 set thread context of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe

pid	pid_target	process	target process
2412	2664	WerFault.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exepowershell.exepowershell.exepowershell.exe0475ed517da8a71bc4a87f14a44cf8fe.exeWerFault.exe

pid	process
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
868	powershell.exe
3760	powershell.exe
916	powershell.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
868	powershell.exe
3760	powershell.exe
916	powershell.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
868	powershell.exe
3760	powershell.exe
916	powershell.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

pid process

2976 0475ed517da8a71bc4a87f14a44cf8fe.exe

pid	process
2976	0475ed517da8a71bc4a87f14a44cf8fe.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exepowershell.exepowershell.exepowershell.exe0475ed517da8a71bc4a87f14a44cf8fe.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	2976	0475ed517da8a71bc4a87f14a44cf8fe.exe
Token: SeRestorePrivilege	2412	WerFault.exe
Token: SeBackupPrivilege	2412	WerFault.exe
Token: SeDebugPrivilege	2412	WerFault.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0475ed517da8a71bc4a87f14a44cf8fe.exe

description	pid	process	target process
PID 2664 wrote to memory of 868	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 868	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 868	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 916	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 916	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 916	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 3760	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 3760	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 3760	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	powershell.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe
PID 2664 wrote to memory of 2976	2664	0475ed517da8a71bc4a87f14a44cf8fe.exe	0475ed517da8a71bc4a87f14a44cf8fe.exe

C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe
"C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe"
1⤵
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䯶䰍䯷䯳䰒䯯䰤䯷䰥䰔䯸䰤䰄䯰䰀\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\䯶䰍䯷䯳䰒䯯䰤䯷䰥䰔䯸䰤䰄䯰䰀\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe
"C:\Users\Admin\AppData\Local\Temp\0475ed517da8a71bc4a87f14a44cf8fe.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 2176
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1c3ae3f91717f8c5274e401ae7d28155

SHA1
15babdcc9719cd6c43d64d80d41d4b0f4f47d377

SHA256
5f8c93576438ba52b564cb3d031a009407c1247971e29ba8dba9064e94f7238c

SHA512
c0f87da6209a8714f99dab5e37fdee2aa4ce364ec53ed0325f517ec78bd992a934de60b5d6bf19edb99d0838b665dcf5cd05241707645fa0a48344a79cc433cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
57c161ab7d0c85252be9a17ace1fcb67

SHA1
6b6fdf3a6105cfd30ebdca553fa5658d52b4c3a8

SHA256
a118e3af9a3223eb535e2744fbde3a4270d87dacba56eec714123442c93a4b8c

SHA512
ec73f3fd05c0a23f9e2a7f1bcec238773fe4472ce6044de919d85ebce76601ac7f8c1afe2294c4cc6d2c076ac16e7a4f34c3f7fa3097084611f3e96b3b5f61d9

Download Submit
memory/868-131-0x0000000006E60000-0x0000000006E61000-memory.dmp

Filesize
4KB

Download
memory/868-160-0x0000000007C60000-0x0000000007C61000-memory.dmp

Filesize
4KB

Download
memory/868-186-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/868-254-0x000000007F400000-0x000000007F401000-memory.dmp

Filesize
4KB

Download
memory/868-148-0x0000000006F82000-0x0000000006F83000-memory.dmp

Filesize
4KB

Download
memory/868-124-0x0000000000000000-mapping.dmp

Download
memory/868-293-0x0000000006F83000-0x0000000006F84000-memory.dmp

Filesize
4KB

Download
memory/868-147-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/868-127-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/868-128-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/868-135-0x00000000075C0000-0x00000000075C1000-memory.dmp

Filesize
4KB

Download
memory/868-164-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/868-167-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/916-151-0x0000000003602000-0x0000000003603000-memory.dmp

Filesize
4KB

Download
memory/916-132-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/916-149-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/916-125-0x0000000000000000-mapping.dmp

Download
memory/916-289-0x0000000003603000-0x0000000003604000-memory.dmp

Filesize
4KB

Download
memory/916-130-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/916-170-0x00000000086E0000-0x00000000086E1000-memory.dmp

Filesize
4KB

Download
memory/916-251-0x000000007F2C0000-0x000000007F2C1000-memory.dmp

Filesize
4KB

Download
memory/916-173-0x0000000008710000-0x0000000008711000-memory.dmp

Filesize
4KB

Download
memory/916-155-0x0000000007840000-0x0000000007841000-memory.dmp

Filesize
4KB

Download
memory/2664-117-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2664-122-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/2664-115-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2664-119-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2664-121-0x0000000004910000-0x000000000499F000-memory.dmp

Filesize
572KB

Download
memory/2664-118-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2664-129-0x0000000008740000-0x0000000008741000-memory.dmp

Filesize
4KB

Download
memory/2664-123-0x00000000085D0000-0x00000000085D1000-memory.dmp

Filesize
4KB

Download
memory/2664-120-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/2976-153-0x00000000052F0000-0x00000000057EE000-memory.dmp

Filesize
5.0MB

Download
memory/2976-183-0x00000000068D0000-0x00000000068D6000-memory.dmp

Filesize
24KB

Download
memory/2976-159-0x0000000005FE0000-0x0000000005FF9000-memory.dmp

Filesize
100KB

Download
memory/2976-179-0x0000000006860000-0x000000000686D000-memory.dmp

Filesize
52KB

Download
memory/2976-180-0x0000000006870000-0x0000000006885000-memory.dmp

Filesize
84KB

Download
memory/2976-181-0x00000000068B0000-0x00000000068B6000-memory.dmp

Filesize
24KB

Download
memory/2976-182-0x00000000068C0000-0x00000000068CC000-memory.dmp

Filesize
48KB

Download
memory/2976-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2976-184-0x00000000068E0000-0x00000000068E7000-memory.dmp

Filesize
28KB

Download
memory/2976-185-0x00000000068F0000-0x00000000068FD000-memory.dmp

Filesize
52KB

Download
memory/2976-187-0x0000000006900000-0x0000000006902000-memory.dmp

Filesize
8KB

Download
memory/2976-163-0x0000000006000000-0x0000000006003000-memory.dmp

Filesize
12KB

Download
memory/2976-157-0x0000000005600000-0x0000000005605000-memory.dmp

Filesize
20KB

Download
memory/2976-190-0x0000000006910000-0x000000000691F000-memory.dmp

Filesize
60KB

Download
memory/2976-137-0x000000000041E792-mapping.dmp

Download
memory/3760-188-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3760-150-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/3760-285-0x0000000004973000-0x0000000004974000-memory.dmp

Filesize
4KB

Download
memory/3760-152-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/3760-247-0x000000007ED20000-0x000000007ED21000-memory.dmp

Filesize
4KB

Download
memory/3760-136-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3760-134-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3760-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads