nanocore | 7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73

General

Target

#CHOO2.js
Size

7KB
MD5

4fc18805b5686d320a0ccdab8438ed7e
SHA1

afbe3e8f7448be3ace8f48f37c1524748533ed94
SHA256

7257729274b6ab5c1a605900fa40b2a76f386b3dbb3c0f4ab29e85b780eaef73
SHA512

9ec6470aadce9ddaebd57167658d1a8a22ddb496e452b3a4574d3c8fa8b5d643e49d96b31df64f89fe3847bc4c7be792e21f8de063be07ef3452e936931ded14

Score

10^/10

nanocore evasion keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

nanoboss.duckdns.org:6129

Mutex

f795cec6-1cfb-44f9-898a-e041c33422fe

Attributes

activate_away_mode
false
backup_connection_host
nanoboss.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-10T14:25:49.368918836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6129
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f795cec6-1cfb-44f9-898a-e041c33422fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
nanoboss.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
suricata
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

8 3020 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

nano6129.exe

pid process

1864 nano6129.exe

flow	pid	process
8	3020	wscript.exe

pid	process
1864	nano6129.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nano6129.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	nano6129.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nano6129.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nano6129.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano6129.exe

Drops file in Program Files directory 2 IoCs

Processes:

nano6129.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	nano6129.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	nano6129.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1112 schtasks.exe
1248 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

nano6129.exe

pid process

1864 nano6129.exe
1864 nano6129.exe
1864 nano6129.exe
1864 nano6129.exe
1864 nano6129.exe
1864 nano6129.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nano6129.exe

pid process

1864 nano6129.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nano6129.exe

description pid process

Token: SeDebugPrivilege 1864 nano6129.exe

pid	process
1112	schtasks.exe
1248	schtasks.exe

pid	process
1864	nano6129.exe
1864	nano6129.exe
1864	nano6129.exe
1864	nano6129.exe
1864	nano6129.exe
1864	nano6129.exe

pid	process
1864	nano6129.exe

description	pid	process
Token: SeDebugPrivilege	1864	nano6129.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exenano6129.exe

description	pid	process	target process
PID 3020 wrote to memory of 1864	3020	wscript.exe	nano6129.exe
PID 3020 wrote to memory of 1864	3020	wscript.exe	nano6129.exe
PID 3020 wrote to memory of 1864	3020	wscript.exe	nano6129.exe
PID 1864 wrote to memory of 1112	1864	nano6129.exe	schtasks.exe
PID 1864 wrote to memory of 1112	1864	nano6129.exe	schtasks.exe
PID 1864 wrote to memory of 1112	1864	nano6129.exe	schtasks.exe
PID 1864 wrote to memory of 1248	1864	nano6129.exe	schtasks.exe
PID 1864 wrote to memory of 1248	1864	nano6129.exe	schtasks.exe
PID 1864 wrote to memory of 1248	1864	nano6129.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\#CHOO2.js
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\nano6129.exe
  "C:\Users\Admin\AppData\Local\Temp\nano6129.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEA90.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1112
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEDCD.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nano6129.exe

MD5
4c342f040ad8b94e4f814e1f62e488ed

SHA1
f440ce00e772abd74f9e9e0ff8d227792b48712c

SHA256
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

SHA512
046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nano6129.exe

MD5
4c342f040ad8b94e4f814e1f62e488ed

SHA1
f440ce00e772abd74f9e9e0ff8d227792b48712c

SHA256
988c1b9c99f74739edaf4e80ecaba04407e0ca7284f3dbd13c87a506bf0e97b7

SHA512
046adff832e07b7dbca40020a4c65412e5ed5e2d342b9d55219258b59f25a391752c0065e4ff9b1d504149a6f7226a6c8c4282aeb4a3fad3aeb68aa8f88e58cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA90.tmp

MD5
c04dd5db5ad0101acca7163a01d3e067

SHA1
d264e1533dd4275af3748d386a77843386fd4b38

SHA256
d0c5ea5cd181a81af880a92988e689623f65586add14524daade790313167051

SHA512
96bcce0ba28fc21621af5de08cb0d68258e02d90e699c90731dfa486712d6e2740932f17bef70933cbf7e3d4c29ab41f127ccc4b32480c5520a331f83fa36900

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEDCD.tmp

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
memory/1112-118-0x0000000000000000-mapping.dmp

Download
memory/1248-121-0x0000000000000000-mapping.dmp

Download
memory/1864-115-0x0000000000000000-mapping.dmp

Download
memory/1864-119-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads