nanocore | 7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73

General

Target

#CHOO2.js
Size

7KB
MD5

4fc18805b5686d320a0ccdab8438ed7e
SHA1

afbe3e8f7448be3ace8f48f37c1524748533ed94
SHA256

7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
SHA512

9ec6470aadce9ddaebd57167658d1a8a22ddb496e452b3a4574d3c8fa8b5d643e49d96b31df64f89fe3847bc4c7be792e21f8de063be07ef3452e936931ded14

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

nanoboss.duckdns.org:6129

Mutex

f795cec6-1cfb-44f9-898a-e041c33422fe

Attributes

activate_away_mode
false
backup_connection_host
nanoboss.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-10T14:25:49.368918836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6129
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f795cec6-1cfb-44f9-898a-e041c33422fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
nanoboss.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

4 1064 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

nano6129.exe

pid process

408 nano6129.exe

flow	pid	process
4	1064	wscript.exe

pid	process
408	nano6129.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nano6129.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsvc.exe"	nano6129.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nano6129.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nano6129.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano6129.exe

Drops file in Program Files directory 2 IoCs

Processes:

nano6129.exe

description	ioc	process
File created	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	nano6129.exe
File opened for modification	C:\Program Files (x86)\SMTP Service\smtpsvc.exe	nano6129.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1804 schtasks.exe
1548 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

nano6129.exe

pid process

408 nano6129.exe
408 nano6129.exe
408 nano6129.exe
408 nano6129.exe
408 nano6129.exe
408 nano6129.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nano6129.exe

pid process

408 nano6129.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nano6129.exe

description pid process

Token: SeDebugPrivilege 408 nano6129.exe

pid	process
1804	schtasks.exe
1548	schtasks.exe

pid	process
408	nano6129.exe
408	nano6129.exe
408	nano6129.exe
408	nano6129.exe
408	nano6129.exe
408	nano6129.exe

pid	process
408	nano6129.exe

description	pid	process
Token: SeDebugPrivilege	408	nano6129.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wscript.exenano6129.exe

description	pid	process	target process
PID 1064 wrote to memory of 408	1064	wscript.exe	nano6129.exe
PID 1064 wrote to memory of 408	1064	wscript.exe	nano6129.exe
PID 1064 wrote to memory of 408	1064	wscript.exe	nano6129.exe
PID 1064 wrote to memory of 408	1064	wscript.exe	nano6129.exe
PID 408 wrote to memory of 1548	408	nano6129.exe	schtasks.exe
PID 408 wrote to memory of 1548	408	nano6129.exe	schtasks.exe
PID 408 wrote to memory of 1548	408	nano6129.exe	schtasks.exe
PID 408 wrote to memory of 1548	408	nano6129.exe	schtasks.exe
PID 408 wrote to memory of 1804	408	nano6129.exe	schtasks.exe
PID 408 wrote to memory of 1804	408	nano6129.exe	schtasks.exe
PID 408 wrote to memory of 1804	408	nano6129.exe	schtasks.exe
PID 408 wrote to memory of 1804	408	nano6129.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#CHOO2.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\nano6129.exe
  "C:\Users\Admin\AppData\Local\Temp\nano6129.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFA18.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1548
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SMTP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD73.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nano6129.exe

MD5
4c342f040ad8b94e4f814e1f62e488ed

SHA1
f440ce00e772abd74f9e9e0ff8d227792b48712c

SHA256
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

SHA512
046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nano6129.exe

MD5
4c342f040ad8b94e4f814e1f62e488ed

SHA1
f440ce00e772abd74f9e9e0ff8d227792b48712c

SHA256
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

SHA512
046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFA18.tmp

MD5
c04dd5db5ad0101acca7163a01d3e067

SHA1
d264e1533dd4275af3748d386a77843386fd4b38

SHA256
d0c5ea5cd181a81af880a92988e689623f65586add14524daade790313167051

SHA512
96bcce0ba28fc21621af5de08cb0d68258e02d90e699c90731dfa486712d6e2740932f17bef70933cbf7e3d4c29ab41f127ccc4b32480c5520a331f83fa36900

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD73.tmp

MD5
cfae5a3b7d8aa9653fe2512578a0d23a

SHA1
a91a2f8daef114f89038925ada6784646a0a5b12

SHA256
2ab741415f193a2a9134eac48a2310899d18efb5e61c3e81c35140a7efea30fa

SHA512
9dfd7eca6924ae2785ce826a447b6ce6d043c552fbd3b8a804ce6722b07a74900e703dc56cd4443cae9ab9601f21a6068e29771e48497a9ae434096a11814e84

Download Submit
memory/408-55-0x0000000000000000-mapping.dmp

Download
memory/408-58-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/408-59-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1548-60-0x0000000000000000-mapping.dmp

Download
memory/1804-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads