nanocore | cd24b42c63793dfce4fff72bc96a8466efa54df6dc56d32331842834782caf72

Analysis

max time kernel
121s
max time network
148s
platform
windows7_x64
resource
win7-en-20211014
submitted
08-11-2021 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vbc.exe
Size

588KB
MD5

e2ccf8d1e98bd35aaaaf8a69808766a4
SHA1

05ccc2c2bf372d67036f27d22accaff065b6f363
SHA256

cd24b42c63793dfce4fff72bc96a8466efa54df6dc56d32331842834782caf72
SHA512

c497444c8d62a4a05aa4fc9d429eae67adf3463eaf81d8213747474d9b67168f0116e93f87104619c7f6853f65c24caada51fbeba40bbdcb089a8e690aa3301f

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

sicoslanderfamilydog.gleeze.com:4984

Mutex

cdfecb88-9e93-4c42-b7dc-3c480e7d2431

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-15T08:39:45.330389636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4984
default_group
Family-B
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cdfecb88-9e93-4c42-b7dc-3c480e7d2431
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sicoslanderfamilydog.gleeze.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\microsoftz\\microsoftze.exe,"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 4 IoCs

Processes:

microsoftze.exemicrosoftze.exemicrosoftzf.exemicrosoftzf.exe

pid process

436 microsoftze.exe
1516 microsoftze.exe
1740 microsoftzf.exe
528 microsoftzf.exe
Loads dropped DLL 3 IoCs

Processes:

vbc.exemicrosoftze.exemicrosoftzf.exe

pid process

1684 vbc.exe
436 microsoftze.exe
1740 microsoftzf.exe

pid	process
436	microsoftze.exe
1516	microsoftze.exe
1740	microsoftzf.exe
528	microsoftzf.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1684-58-0x0000000000630000-0x0000000000651000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

microsoftze.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA microsoftze.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

microsoftze.exe

description pid process target process

PID 436 set thread context of 1516 436 microsoftze.exe microsoftze.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	microsoftze.exe

description	pid	process	target process
PID 436 set thread context of 1516	436	microsoftze.exe	microsoftze.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

vbc.exemicrosoftze.exemicrosoftze.exemicrosoftzf.exemicrosoftzf.exe

pid	process
1684	vbc.exe
1684	vbc.exe
1684	vbc.exe
436	microsoftze.exe
436	microsoftze.exe
436	microsoftze.exe
436	microsoftze.exe
1516	microsoftze.exe
1516	microsoftze.exe
1516	microsoftze.exe
1516	microsoftze.exe
1516	microsoftze.exe
1516	microsoftze.exe
1740	microsoftzf.exe
528	microsoftzf.exe
528	microsoftzf.exe
528	microsoftzf.exe
436	microsoftze.exe
436	microsoftze.exe
436	microsoftze.exe
436	microsoftze.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

microsoftze.exe

pid process

1516 microsoftze.exe

pid	process
1516	microsoftze.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

vbc.exemicrosoftze.exemicrosoftze.exemicrosoftzf.exemicrosoftzf.exe

description	pid	process
Token: SeDebugPrivilege	1684	vbc.exe
Token: SeDebugPrivilege	436	microsoftze.exe
Token: SeDebugPrivilege	1516	microsoftze.exe
Token: SeDebugPrivilege	1740	microsoftzf.exe
Token: SeDebugPrivilege	528	microsoftzf.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

vbc.execmd.exemicrosoftze.exemicrosoftzf.exe

description	pid	process	target process
PID 1684 wrote to memory of 1264	1684	vbc.exe	cmd.exe
PID 1684 wrote to memory of 1264	1684	vbc.exe	cmd.exe
PID 1684 wrote to memory of 1264	1684	vbc.exe	cmd.exe
PID 1684 wrote to memory of 1264	1684	vbc.exe	cmd.exe
PID 1264 wrote to memory of 1680	1264	cmd.exe	reg.exe
PID 1264 wrote to memory of 1680	1264	cmd.exe	reg.exe
PID 1264 wrote to memory of 1680	1264	cmd.exe	reg.exe
PID 1264 wrote to memory of 1680	1264	cmd.exe	reg.exe
PID 1684 wrote to memory of 436	1684	vbc.exe	microsoftze.exe
PID 1684 wrote to memory of 436	1684	vbc.exe	microsoftze.exe
PID 1684 wrote to memory of 436	1684	vbc.exe	microsoftze.exe
PID 1684 wrote to memory of 436	1684	vbc.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1516	436	microsoftze.exe	microsoftze.exe
PID 436 wrote to memory of 1740	436	microsoftze.exe	microsoftzf.exe
PID 436 wrote to memory of 1740	436	microsoftze.exe	microsoftzf.exe
PID 436 wrote to memory of 1740	436	microsoftze.exe	microsoftzf.exe
PID 436 wrote to memory of 1740	436	microsoftze.exe	microsoftzf.exe
PID 1740 wrote to memory of 528	1740	microsoftzf.exe	microsoftzf.exe
PID 1740 wrote to memory of 528	1740	microsoftzf.exe	microsoftzf.exe
PID 1740 wrote to memory of 528	1740	microsoftzf.exe	microsoftzf.exe
PID 1740 wrote to memory of 528	1740	microsoftzf.exe	microsoftzf.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1680

C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe
"C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe
"C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Local\Temp\microsoftzf.exe
"C:\Users\Admin\AppData\Local\Temp\microsoftzf.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\microsoftzf.exe
"C:\Users\Admin\AppData\Local\Temp\microsoftzf.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\microsoftzf.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoftzf.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoftzf.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoftzf.txt
MD5
263712b67141c349fef448771f83b13b

SHA1
cabe5c268ad12622f1e4b79f4c7405c177c3e527

SHA256
9d620bb3b55d6139fa7ba64d2b759ce1157a00b69e2dd7a02c36f9326e2ec811

SHA512
1681f0a41237d2763656aff326dc198a3fe3be7b7e5f90d7415864d8997f5e3632ec7aa75278101da47fcd7bad36ac04120be56b86093732523be63385f6efe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoftzf.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\microsoftzf.txt
MD5
9426f07555abc0d735f5ff52b507ae6a

SHA1
b57ab2c2ac097c246a189dab334d16845fa712f3

SHA256
fc9b1acccd934ab96c7c1fe93cbd5d01c39c91dabaeb05301ec881f5bddd1c2a

SHA512
97971fe9969f5969f006ef022c6dcbb6e9b62a6b69bcc006f65f4dd42cd876e8f6c048a1c35ff2055d53bed759c58e37a2d9cfeebc8af06ce4a3b574a496edf8

Download Submit
C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe
MD5
e2ccf8d1e98bd35aaaaf8a69808766a4

SHA1
05ccc2c2bf372d67036f27d22accaff065b6f363

SHA256
cd24b42c63793dfce4fff72bc96a8466efa54df6dc56d32331842834782caf72

SHA512
c497444c8d62a4a05aa4fc9d429eae67adf3463eaf81d8213747474d9b67168f0116e93f87104619c7f6853f65c24caada51fbeba40bbdcb089a8e690aa3301f

Download Submit
C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe
MD5
e2ccf8d1e98bd35aaaaf8a69808766a4

SHA1
05ccc2c2bf372d67036f27d22accaff065b6f363

SHA256
cd24b42c63793dfce4fff72bc96a8466efa54df6dc56d32331842834782caf72

SHA512
c497444c8d62a4a05aa4fc9d429eae67adf3463eaf81d8213747474d9b67168f0116e93f87104619c7f6853f65c24caada51fbeba40bbdcb089a8e690aa3301f

Download Submit
C:\Users\Admin\AppData\Local\microsoftz\microsoftze.exe
MD5
e2ccf8d1e98bd35aaaaf8a69808766a4

SHA1
05ccc2c2bf372d67036f27d22accaff065b6f363

SHA256
cd24b42c63793dfce4fff72bc96a8466efa54df6dc56d32331842834782caf72

SHA512
c497444c8d62a4a05aa4fc9d429eae67adf3463eaf81d8213747474d9b67168f0116e93f87104619c7f6853f65c24caada51fbeba40bbdcb089a8e690aa3301f

Download Submit
\Users\Admin\AppData\Local\Temp\microsoftzf.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\microsoftzf.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\microsoftz\microsoftze.exe
MD5
e2ccf8d1e98bd35aaaaf8a69808766a4

SHA1
05ccc2c2bf372d67036f27d22accaff065b6f363

SHA256
cd24b42c63793dfce4fff72bc96a8466efa54df6dc56d32331842834782caf72

SHA512
c497444c8d62a4a05aa4fc9d429eae67adf3463eaf81d8213747474d9b67168f0116e93f87104619c7f6853f65c24caada51fbeba40bbdcb089a8e690aa3301f

Download Submit
memory/436-70-0x0000000004E51000-0x0000000004E52000-memory.dmp

Filesize
4KB

Download
memory/436-71-0x0000000001FD0000-0x0000000001FDB000-memory.dmp

Filesize
44KB

Download
memory/436-72-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/436-68-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/436-66-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/436-63-0x0000000000000000-mapping.dmp

Download
memory/528-113-0x0000000000000000-mapping.dmp

Download
memory/1264-59-0x0000000000000000-mapping.dmp

Download
memory/1516-73-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1516-106-0x0000000002000000-0x0000000002009000-memory.dmp

Filesize
36KB

Download
memory/1516-90-0x0000000000880000-0x0000000000899000-memory.dmp

Filesize
100KB

Download
memory/1516-91-0x00000000005E0000-0x00000000005E3000-memory.dmp

Filesize
12KB

Download
memory/1516-92-0x0000000004D00000-0x0000000004D01000-memory.dmp

Filesize
4KB

Download
memory/1516-87-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/1516-86-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1516-83-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1516-80-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1516-78-0x000000000041E792-mapping.dmp

Download
memory/1516-76-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1516-75-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1516-74-0x0000000000080000-0x00000000000B8000-memory.dmp

Filesize
224KB

Download
memory/1516-108-0x0000000004240000-0x000000000424A000-memory.dmp

Filesize
40KB

Download
memory/1516-100-0x0000000001E70000-0x0000000001E85000-memory.dmp

Filesize
84KB

Download
memory/1516-99-0x0000000001E60000-0x0000000001E6D000-memory.dmp

Filesize
52KB

Download
memory/1516-102-0x0000000001F00000-0x0000000001F0C000-memory.dmp

Filesize
48KB

Download
memory/1516-105-0x0000000001F70000-0x0000000001F7D000-memory.dmp

Filesize
52KB

Download
memory/1516-104-0x0000000001F60000-0x0000000001F66000-memory.dmp

Filesize
24KB

Download
memory/1516-89-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/1516-103-0x0000000001F50000-0x0000000001F57000-memory.dmp

Filesize
28KB

Download
memory/1516-101-0x0000000001EE0000-0x0000000001EE6000-memory.dmp

Filesize
24KB

Download
memory/1516-107-0x0000000004230000-0x000000000423F000-memory.dmp

Filesize
60KB

Download
memory/1516-110-0x0000000004260000-0x000000000426F000-memory.dmp

Filesize
60KB

Download
memory/1516-109-0x00000000046B0000-0x00000000046D9000-memory.dmp

Filesize
164KB

Download
memory/1680-61-0x0000000000000000-mapping.dmp

Download
memory/1684-55-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1684-60-0x0000000002181000-0x0000000002182000-memory.dmp

Filesize
4KB

Download
memory/1684-58-0x0000000000630000-0x0000000000651000-memory.dmp

Filesize
132KB

Download
memory/1684-57-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/1740-97-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1740-94-0x0000000000000000-mapping.dmp

Download