nanocore | 4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164

Analysis

max time kernel
152s
max time network
155s
submitted
01-01-1970 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order Contract No 44322465.exe
Size

4.3MB
MD5

834abcb28b565a0f0fb7c41226835ab3
SHA1

e226f85077045a1846374e4f9c8664a83a0a3103
SHA256

4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164
SHA512

c9b814fab0ad4a2fddb166822844c559dd22583c94af024dd41d61af48d86cd88cd505731dc9da812a7f0526c20819556e88e3b10cfb112d8605d5a800bca0b4

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

arkseven702.ddns.net:7727

Mutex

74fb9edb-82b1-41e4-91bd-7fe787b0bbad

Attributes

activate_away_mode
true
backup_connection_host
arkseven702.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-02T20:32:24.918316736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
true
connect_delay
4000
connection_port
7727
default_group
gatewayproject
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
74fb9edb-82b1-41e4-91bd-7fe787b0bbad
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
arkseven702.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 4 IoCs

Processes:

aa.exeInstallUtil.exesvchost.exesvchost.exe

pid process

1192 aa.exe
1704 InstallUtil.exe
2652 svchost.exe
760 svchost.exe

pid	process
1192	aa.exe
1704	InstallUtil.exe
2652	svchost.exe
760	svchost.exe

Drops startup file 1 IoCs

Processes:

New Order Contract No 44322465.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aa.lnk	New Order Contract No 44322465.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3144-121-0x0000000005880000-0x00000000058A1000-memory.dmp	agile_net
behavioral2/memory/3144-124-0x00000000053B0000-0x00000000058AE000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"	InstallUtil.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

InstallUtil.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA InstallUtil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

aa.exe

description pid process target process

PID 1192 set thread context of 1704 1192 aa.exe InstallUtil.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallUtil.exe

description	pid	process	target process
PID 1192 set thread context of 1704	1192	aa.exe	InstallUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	InstallUtil.exe
File opened for modification	C:\Program Files (x86)\SMTP Manager\smtpmgr.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

New Order Contract No 44322465.exeaa.exeInstallUtil.exesvchost.exesvchost.exe

pid	process
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
3144	New Order Contract No 44322465.exe
1192	aa.exe
1192	aa.exe
1192	aa.exe
1192	aa.exe
1704	InstallUtil.exe
1704	InstallUtil.exe
1704	InstallUtil.exe
2652	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
1192	aa.exe
1192	aa.exe
1192	aa.exe
1192	aa.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

1704 InstallUtil.exe

pid	process
1704	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

New Order Contract No 44322465.exeaa.exeInstallUtil.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3144	New Order Contract No 44322465.exe
Token: SeDebugPrivilege	1192	aa.exe
Token: SeDebugPrivilege	1704	InstallUtil.exe
Token: SeDebugPrivilege	2652	svchost.exe
Token: SeDebugPrivilege	760	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

New Order Contract No 44322465.exeaa.exesvchost.exe

description	pid	process	target process
PID 3144 wrote to memory of 1192	3144	New Order Contract No 44322465.exe	aa.exe
PID 3144 wrote to memory of 1192	3144	New Order Contract No 44322465.exe	aa.exe
PID 3144 wrote to memory of 1192	3144	New Order Contract No 44322465.exe	aa.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 1704	1192	aa.exe	InstallUtil.exe
PID 1192 wrote to memory of 2652	1192	aa.exe	svchost.exe
PID 1192 wrote to memory of 2652	1192	aa.exe	svchost.exe
PID 1192 wrote to memory of 2652	1192	aa.exe	svchost.exe
PID 2652 wrote to memory of 760	2652	svchost.exe	svchost.exe
PID 2652 wrote to memory of 760	2652	svchost.exe	svchost.exe
PID 2652 wrote to memory of 760	2652	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\New Order Contract No 44322465.exe
"C:\Users\Admin\AppData\Local\Temp\New Order Contract No 44322465.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Roaming\aa.exe
  "C:\Users\Admin\AppData\Roaming\aa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.txt

MD5
d322c306364b2cae583c6e8bbbbbba7a

SHA1
b843726efdd398dfa166d1e643177036fd024f20

SHA256
d0dbdee98967b4b417a2496fe490a5fc6fc8aa80489a7c61e580ce94412351f5

SHA512
f1ed603159e34b7160be8a10c843548119f9df78b6dbcd69f4ce1288fe2314631549fc571aab17c03eeaae68c00e3c66dc8be5ff795260fdc5478753b2402074

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.txt

MD5
0e580cb5fe54c2569f1bf2e1cef7b971

SHA1
91b393c5da1d5bc12ad952a396fde3cf56781d7e

SHA256
ced414747cefc8779bfcac946e249495c10ee988fc65969007cb146fefe58421

SHA512
3689d47644753e2b58de19c3dd0d0d5df7080ffc2fb0fee6c9aad6d2df594b6f4ed4aa69fcf340946cf56a146f5ac40ebc4b711e5c6387bbcb1a7d2b4cc9a297

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.txt

MD5
cd183f8b49b3b9ca62339f1eb9e9b754

SHA1
447ee3b197758fd8bf43e18c19dc106fd5e90a3c

SHA256
6ecffcb445c2e3315d9f7bf45171b122c12078eb862e8e26ceee6c8000edd681

SHA512
855fafaef92f123a6f68dfcb01895f9ab04632fd2eea529fd41c97a1f1be68c3ad565f6b54a36b752b30edc7e12361e3f419d6a0aaca61d370fab7f5b71072ae

Download Submit
C:\Users\Admin\AppData\Roaming\aa.exe

MD5
834abcb28b565a0f0fb7c41226835ab3

SHA1
e226f85077045a1846374e4f9c8664a83a0a3103

SHA256
4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164

SHA512
c9b814fab0ad4a2fddb166822844c559dd22583c94af024dd41d61af48d86cd88cd505731dc9da812a7f0526c20819556e88e3b10cfb112d8605d5a800bca0b4

Download Submit
C:\Users\Admin\AppData\Roaming\aa.exe

MD5
834abcb28b565a0f0fb7c41226835ab3

SHA1
e226f85077045a1846374e4f9c8664a83a0a3103

SHA256
4989e077de4fee06f408f91fd62665c36d60633c9dcc808c5539add5a5500164

SHA512
c9b814fab0ad4a2fddb166822844c559dd22583c94af024dd41d61af48d86cd88cd505731dc9da812a7f0526c20819556e88e3b10cfb112d8605d5a800bca0b4

Download Submit
memory/760-161-0x0000000000000000-mapping.dmp

Download
memory/1192-125-0x0000000000000000-mapping.dmp

Download
memory/1192-133-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/1192-137-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/1192-138-0x0000000007870000-0x000000000787B000-memory.dmp

Filesize
44KB

Download
memory/1192-139-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

Filesize
4KB

Download
memory/1704-153-0x0000000005D00000-0x0000000005D03000-memory.dmp

Filesize
12KB

Download
memory/1704-152-0x0000000005B00000-0x0000000005B19000-memory.dmp

Filesize
100KB

Download
memory/1704-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1704-141-0x000000000041E792-mapping.dmp

Download
memory/1704-149-0x0000000005870000-0x0000000005D6E000-memory.dmp

Filesize
5.0MB

Download
memory/1704-150-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/1704-151-0x0000000005A70000-0x0000000005A75000-memory.dmp

Filesize
20KB

Download
memory/2652-154-0x0000000000000000-mapping.dmp

Download
memory/2652-157-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3144-115-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3144-124-0x00000000053B0000-0x00000000058AE000-memory.dmp

Filesize
5.0MB

Download
memory/3144-123-0x0000000006770000-0x0000000006771000-memory.dmp

Filesize
4KB

Download
memory/3144-122-0x00000000067B0000-0x00000000067B1000-memory.dmp

Filesize
4KB

Download
memory/3144-121-0x0000000005880000-0x00000000058A1000-memory.dmp

Filesize
132KB

Download
memory/3144-120-0x00000000053B0000-0x00000000058AE000-memory.dmp

Filesize
5.0MB

Download
memory/3144-119-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/3144-118-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3144-117-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download