nanocore | 4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164

Analysis

max time kernel
148s
max time network
179s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order Contract No 44322465.exe
Size

4.3MB
MD5

834abcb28b565a0f0fb7c41226835ab3
SHA1

e226f85077045a1846374e4f9c8664a83a0a3103
SHA256

4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164
SHA512

c9b814fab0ad4a2fddb166822844c559dd22583c94af024dd41d61af48d86cd88cd505731dc9da812a7f0526c20819556e88e3b10cfb112d8605d5a800bca0b4

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

arkseven702.ddns.net:7727

Mutex

74fb9edb-82b1-41e4-91bd-7fe787b0bbad

Attributes

activate_away_mode
true
backup_connection_host
arkseven702.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-02T20:32:24.918316736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
true
connect_delay
4000
connection_port
7727
default_group
gatewayproject
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
74fb9edb-82b1-41e4-91bd-7fe787b0bbad
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
arkseven702.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 4 IoCs

Processes:

aa.exeInstallUtil.exesvchost.exesvchost.exe

pid process

1828 aa.exe
860 InstallUtil.exe
1972 svchost.exe
612 svchost.exe

pid	process
1828	aa.exe
860	InstallUtil.exe
1972	svchost.exe
612	svchost.exe

Drops startup file 1 IoCs

Processes:

New Order Contract No 44322465.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa.lnk	New Order Contract No 44322465.exe

Loads dropped DLL 4 IoCs

Processes:

New Order Contract No 44322465.exeaa.exesvchost.exe

pid process

548 New Order Contract No 44322465.exe
1828 aa.exe
1828 aa.exe
1972 svchost.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/548-57-0x00000000005E0000-0x0000000000601000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe"	InstallUtil.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

InstallUtil.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA InstallUtil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

aa.exe

description pid process target process

PID 1828 set thread context of 860 1828 aa.exe InstallUtil.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallUtil.exe

description	pid	process	target process
PID 1828 set thread context of 860	1828	aa.exe	InstallUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\UDP Subsystem\udpss.exe	InstallUtil.exe
File opened for modification	C:\Program Files (x86)\UDP Subsystem\udpss.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

New Order Contract No 44322465.exeaa.exeInstallUtil.exesvchost.exesvchost.exe

pid	process
548	New Order Contract No 44322465.exe
548	New Order Contract No 44322465.exe
548	New Order Contract No 44322465.exe
1828	aa.exe
1828	aa.exe
1828	aa.exe
860	InstallUtil.exe
860	InstallUtil.exe
1972	svchost.exe
612	svchost.exe
612	svchost.exe
612	svchost.exe
1828	aa.exe
1828	aa.exe
1828	aa.exe
1828	aa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

860 InstallUtil.exe

pid	process
860	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

New Order Contract No 44322465.exeaa.exeInstallUtil.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	548	New Order Contract No 44322465.exe
Token: SeDebugPrivilege	1828	aa.exe
Token: SeDebugPrivilege	860	InstallUtil.exe
Token: SeDebugPrivilege	1972	svchost.exe
Token: SeDebugPrivilege	612	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

New Order Contract No 44322465.exeaa.exesvchost.exe

description	pid	process	target process
PID 548 wrote to memory of 1828	548	New Order Contract No 44322465.exe	aa.exe
PID 548 wrote to memory of 1828	548	New Order Contract No 44322465.exe	aa.exe
PID 548 wrote to memory of 1828	548	New Order Contract No 44322465.exe	aa.exe
PID 548 wrote to memory of 1828	548	New Order Contract No 44322465.exe	aa.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 860	1828	aa.exe	InstallUtil.exe
PID 1828 wrote to memory of 1972	1828	aa.exe	svchost.exe
PID 1828 wrote to memory of 1972	1828	aa.exe	svchost.exe
PID 1828 wrote to memory of 1972	1828	aa.exe	svchost.exe
PID 1828 wrote to memory of 1972	1828	aa.exe	svchost.exe
PID 1972 wrote to memory of 612	1972	svchost.exe	svchost.exe
PID 1972 wrote to memory of 612	1972	svchost.exe	svchost.exe
PID 1972 wrote to memory of 612	1972	svchost.exe	svchost.exe
PID 1972 wrote to memory of 612	1972	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\New Order Contract No 44322465.exe
"C:\Users\Admin\AppData\Local\Temp\New Order Contract No 44322465.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Roaming\aa.exe
"C:\Users\Admin\AppData\Roaming\aa.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.txt
MD5
fde3a25d315014e040cf0f8dc863f430

SHA1
616165d8f01c3b0f7391b63398810df4c399edc3

SHA256
3d99754134aa6ceb50083e880c63f4b1687461068caa8d17a6097e2089d4fdfb

SHA512
3aa825d8102ac355b9402c1f5c0b5ac8502d5c5e879c02c5fc2041ddb536d6cff8fe07faa4d59f988f815df9d513d888ee41108a30ea07e34bd62dd9a5be2c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.txt
MD5
105e5c7571ad14d870a197f949f64888

SHA1
ea07c5b2f0de2972caa7f2d3ba735fb76e9939c6

SHA256
63b6f9d148ae99147603e70fdfcc814c84ac947c1a9b7fbad72654fb11631649

SHA512
c2e9f012fc548cfdb652f7c91806793d09b1589803ee65b684c71272a439c9e2e7d1280a00a0ee0e4be5f9f5023d04d87213e99d2f8d6ecdb3e32de48102c154

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.txt
MD5
7af871330b9528e826f40a1b3e9ea16f

SHA1
f696e14ace3a9f2da76a37954b744c55a8ae9d92

SHA256
0d7410a267830720dd9e82f3430179d3555671f88c39c6b4dfc9feb4203ce72c

SHA512
52c81796c22c79688c41149bc696c5eabfe70bd669b9f6401af1fcfd5fc941547e086e33977ba38230760e2320c7670fd15f3e87d1784938c641b15821d1d60f

Download Submit
C:\Users\Admin\AppData\Roaming\aa.exe
MD5
834abcb28b565a0f0fb7c41226835ab3

SHA1
e226f85077045a1846374e4f9c8664a83a0a3103

SHA256
4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164

SHA512
c9b814fab0ad4a2fddb166822844c559dd22583c94af024dd41d61af48d86cd88cd505731dc9da812a7f0526c20819556e88e3b10cfb112d8605d5a800bca0b4

Download Submit
C:\Users\Admin\AppData\Roaming\aa.exe
MD5
834abcb28b565a0f0fb7c41226835ab3

SHA1
e226f85077045a1846374e4f9c8664a83a0a3103

SHA256
4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164

SHA512
c9b814fab0ad4a2fddb166822844c559dd22583c94af024dd41d61af48d86cd88cd505731dc9da812a7f0526c20819556e88e3b10cfb112d8605d5a800bca0b4

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\aa.exe
MD5
834abcb28b565a0f0fb7c41226835ab3

SHA1
e226f85077045a1846374e4f9c8664a83a0a3103

SHA256
4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164

SHA512
c9b814fab0ad4a2fddb166822844c559dd22583c94af024dd41d61af48d86cd88cd505731dc9da812a7f0526c20819556e88e3b10cfb112d8605d5a800bca0b4

Download Submit
memory/548-58-0x0000000005001000-0x0000000005002000-memory.dmp

Filesize
4KB

Download
memory/548-57-0x00000000005E0000-0x0000000000601000-memory.dmp

Filesize
132KB

Download
memory/548-56-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/548-54-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/612-93-0x0000000000000000-mapping.dmp

Download
memory/860-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/860-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/860-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/860-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/860-81-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download
memory/860-82-0x0000000000A90000-0x0000000000AA9000-memory.dmp

Filesize
100KB

Download
memory/860-83-0x00000000006B0000-0x00000000006B3000-memory.dmp

Filesize
12KB

Download
memory/860-84-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/860-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/860-77-0x000000000041E792-mapping.dmp

Download
memory/860-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1828-69-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/1828-68-0x0000000004FB0000-0x0000000004FBB000-memory.dmp

Filesize
44KB

Download
memory/1828-67-0x0000000004FD1000-0x0000000004FD2000-memory.dmp

Filesize
4KB

Download
memory/1828-65-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1828-63-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1828-60-0x0000000000000000-mapping.dmp

Download
memory/1972-89-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1972-86-0x0000000000000000-mapping.dmp

Download