nanocore | ddf8ab872396cd5a0309e340a721b2b90e6ee8a8a41a47f3993a1c49d4944d1f

General

Target

Scan_doc81910292021/doblMnP7hpCPcLO.exe
Size

420KB
MD5

4cad4eb9554abd6d6ea7aec20369fe69
SHA1

8d6e536c1661f8423d775f17838e7d489c7935e5
SHA256

5bfb1cac480cef041cf243ab99c7b4498ca7a802c6614a0744b06146dd531cf0
SHA512

de5d1942f30f890e770886f64c217571482f31be1808bf7b40f52b81ce2d593b9b85387fa301cdf82207abd78335fa1b2f4c2ff24b4b1616b3ae9b2eebe278fb

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

bustabantu1996.ddns.net:5454

bustabantu1996.duckdns.org:5454

Mutex

628c9aea-d11c-40ee-81f0-a6cf62e674a4

Attributes

activate_away_mode
true
backup_connection_host
bustabantu1996.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-10T05:16:22.140814636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5454
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
628c9aea-d11c-40ee-81f0-a6cf62e674a4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
bustabantu1996.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

doblMnP7hpCPcLO.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	doblMnP7hpCPcLO.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

doblMnP7hpCPcLO.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA doblMnP7hpCPcLO.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

doblMnP7hpCPcLO.exe

description pid process target process

PID 744 set thread context of 592 744 doblMnP7hpCPcLO.exe doblMnP7hpCPcLO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	doblMnP7hpCPcLO.exe

description	pid	process	target process
PID 744 set thread context of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe

Drops file in Program Files directory 2 IoCs

Processes:

doblMnP7hpCPcLO.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	doblMnP7hpCPcLO.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	doblMnP7hpCPcLO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

512 schtasks.exe

pid	process
512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

doblMnP7hpCPcLO.exepowershell.exedoblMnP7hpCPcLO.exe

pid	process
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
744	doblMnP7hpCPcLO.exe
4052	powershell.exe
4052	powershell.exe
592	doblMnP7hpCPcLO.exe
592	doblMnP7hpCPcLO.exe
592	doblMnP7hpCPcLO.exe
4052	powershell.exe
592	doblMnP7hpCPcLO.exe
592	doblMnP7hpCPcLO.exe
592	doblMnP7hpCPcLO.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

doblMnP7hpCPcLO.exe

pid process

592 doblMnP7hpCPcLO.exe

pid	process
592	doblMnP7hpCPcLO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

doblMnP7hpCPcLO.exepowershell.exedoblMnP7hpCPcLO.exe

description	pid	process
Token: SeDebugPrivilege	744	doblMnP7hpCPcLO.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	592	doblMnP7hpCPcLO.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

doblMnP7hpCPcLO.exe

description	pid	process	target process
PID 744 wrote to memory of 4052	744	doblMnP7hpCPcLO.exe	powershell.exe
PID 744 wrote to memory of 4052	744	doblMnP7hpCPcLO.exe	powershell.exe
PID 744 wrote to memory of 4052	744	doblMnP7hpCPcLO.exe	powershell.exe
PID 744 wrote to memory of 512	744	doblMnP7hpCPcLO.exe	schtasks.exe
PID 744 wrote to memory of 512	744	doblMnP7hpCPcLO.exe	schtasks.exe
PID 744 wrote to memory of 512	744	doblMnP7hpCPcLO.exe	schtasks.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe
PID 744 wrote to memory of 592	744	doblMnP7hpCPcLO.exe	doblMnP7hpCPcLO.exe

C:\Users\Admin\AppData\Local\Temp\Scan_doc81910292021\doblMnP7hpCPcLO.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_doc81910292021\doblMnP7hpCPcLO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Scan_doc81910292021\doblMnP7hpCPcLO.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KJTyqZxfdl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA10E.tmp"
2⤵
- Creates scheduled task(s)
PID:512

C:\Users\Admin\AppData\Local\Temp\Scan_doc81910292021\doblMnP7hpCPcLO.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_doc81910292021\doblMnP7hpCPcLO.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/512-126-0x0000000000000000-mapping.dmp

Download
memory/592-148-0x0000000005370000-0x000000000586E000-memory.dmp

Filesize
5.0MB

Download
memory/592-129-0x000000000041E792-mapping.dmp

Download
memory/592-142-0x0000000005840000-0x0000000005845000-memory.dmp

Filesize
20KB

Download
memory/592-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/592-143-0x0000000005850000-0x0000000005869000-memory.dmp

Filesize
100KB

Download
memory/592-144-0x0000000006170000-0x0000000006173000-memory.dmp

Filesize
12KB

Download
memory/744-119-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/744-123-0x0000000006DB0000-0x0000000006E04000-memory.dmp

Filesize
336KB

Download
memory/744-122-0x00000000087F0000-0x00000000087F1000-memory.dmp

Filesize
4KB

Download
memory/744-121-0x00000000086E0000-0x00000000086E6000-memory.dmp

Filesize
24KB

Download
memory/744-120-0x00000000050C0000-0x00000000055BE000-memory.dmp

Filesize
5.0MB

Download
memory/744-115-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/744-118-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/744-117-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4052-139-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/4052-124-0x0000000000000000-mapping.dmp

Download
memory/4052-138-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/4052-131-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/4052-141-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/4052-130-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/4052-127-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/4052-125-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/4052-145-0x0000000008210000-0x0000000008211000-memory.dmp

Filesize
4KB

Download
memory/4052-146-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/4052-147-0x0000000007372000-0x0000000007373000-memory.dmp

Filesize
4KB

Download
memory/4052-137-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/4052-149-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/4052-150-0x0000000008A30000-0x0000000008A31000-memory.dmp

Filesize
4KB

Download
memory/4052-151-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/4052-158-0x000000007F130000-0x000000007F131000-memory.dmp

Filesize
4KB

Download
memory/4052-159-0x0000000009970000-0x00000000099A3000-memory.dmp

Filesize
204KB

Download
memory/4052-166-0x0000000009930000-0x0000000009931000-memory.dmp

Filesize
4KB

Download
memory/4052-171-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/4052-172-0x0000000009CC0000-0x0000000009CC1000-memory.dmp

Filesize
4KB

Download
memory/4052-241-0x0000000007373000-0x0000000007374000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads