nanocore | fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50

Analysis

max time kernel
120s
max time network
151s
platform
windows7_x64
resource
win7-en-20211014
submitted
24-11-2021 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

versions.exe
Size

1.0MB
MD5

e40c85fb0613efb7c73b93d51a72cda5
SHA1

8db384a16df0c904d09e11577640b422355983d2
SHA256

fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50
SHA512

046fe8316d680df22914b1a13c27efd5a877f7c36183ab25a5723d6bb412e7419d1e4122a6281db09a285b20310b9bbcddb280b6384efb9a712446da94cf2d49

Score

10^/10

nanocore agilenet evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

sicoslanderfamilydog.gleeze.com:4984

Mutex

cdfecb88-9e93-4c42-b7dc-3c480e7d2431

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-08-15T08:39:45.330389636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4984
default_group
Family-B
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cdfecb88-9e93-4c42-b7dc-3c480e7d2431
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
sicoslanderfamilydog.gleeze.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft Dlli\\versions.exe,"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 4 IoCs

Processes:

versions.exeversions.exesys30.exesys30.exe

pid process

744 versions.exe
996 versions.exe
1800 sys30.exe
1552 sys30.exe
Loads dropped DLL 3 IoCs

Processes:

versions.exeversions.exesys30.exe

pid process

1644 versions.exe
744 versions.exe
1800 sys30.exe

pid	process
744	versions.exe
996	versions.exe
1800	sys30.exe
1552	sys30.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1644-58-0x0000000004190000-0x00000000041B1000-memory.dmp	agile_net

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

versions.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA versions.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

versions.exe

description pid process target process

PID 744 set thread context of 996 744 versions.exe versions.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	versions.exe

description	pid	process	target process
PID 744 set thread context of 996	744	versions.exe	versions.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

versions.exeversions.exeversions.exesys30.exesys30.exe

pid	process
1644	versions.exe
1644	versions.exe
1644	versions.exe
744	versions.exe
744	versions.exe
744	versions.exe
744	versions.exe
996	versions.exe
996	versions.exe
996	versions.exe
996	versions.exe
996	versions.exe
996	versions.exe
1800	sys30.exe
1552	sys30.exe
1552	sys30.exe
1552	sys30.exe
744	versions.exe
744	versions.exe
744	versions.exe
744	versions.exe
744	versions.exe
744	versions.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

versions.exe

pid process

996 versions.exe

pid	process
996	versions.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

versions.exeversions.exeversions.exesys30.exesys30.exe

description	pid	process
Token: SeDebugPrivilege	1644	versions.exe
Token: SeDebugPrivilege	744	versions.exe
Token: SeDebugPrivilege	996	versions.exe
Token: SeDebugPrivilege	1800	sys30.exe
Token: SeDebugPrivilege	1552	sys30.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

versions.execmd.exeversions.exesys30.exe

description	pid	process	target process
PID 1644 wrote to memory of 1980	1644	versions.exe	cmd.exe
PID 1644 wrote to memory of 1980	1644	versions.exe	cmd.exe
PID 1644 wrote to memory of 1980	1644	versions.exe	cmd.exe
PID 1644 wrote to memory of 1980	1644	versions.exe	cmd.exe
PID 1980 wrote to memory of 1680	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1680	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1680	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1680	1980	cmd.exe	reg.exe
PID 1644 wrote to memory of 744	1644	versions.exe	versions.exe
PID 1644 wrote to memory of 744	1644	versions.exe	versions.exe
PID 1644 wrote to memory of 744	1644	versions.exe	versions.exe
PID 1644 wrote to memory of 744	1644	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 996	744	versions.exe	versions.exe
PID 744 wrote to memory of 1800	744	versions.exe	sys30.exe
PID 744 wrote to memory of 1800	744	versions.exe	sys30.exe
PID 744 wrote to memory of 1800	744	versions.exe	sys30.exe
PID 744 wrote to memory of 1800	744	versions.exe	sys30.exe
PID 1800 wrote to memory of 1552	1800	sys30.exe	sys30.exe
PID 1800 wrote to memory of 1552	1800	sys30.exe	sys30.exe
PID 1800 wrote to memory of 1552	1800	sys30.exe	sys30.exe
PID 1800 wrote to memory of 1552	1800	sys30.exe	sys30.exe

C:\Users\Admin\AppData\Local\Temp\versions.exe
"C:\Users\Admin\AppData\Local\Temp\versions.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1680

C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
"C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
"C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Users\Admin\AppData\Local\Temp\sys30.exe
"C:\Users\Admin\AppData\Local\Temp\sys30.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\sys30.exe
"C:\Users\Admin\AppData\Local\Temp\sys30.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
MD5
e40c85fb0613efb7c73b93d51a72cda5

SHA1
8db384a16df0c904d09e11577640b422355983d2

SHA256
fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50

SHA512
046fe8316d680df22914b1a13c27efd5a877f7c36183ab25a5723d6bb412e7419d1e4122a6281db09a285b20310b9bbcddb280b6384efb9a712446da94cf2d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
MD5
e40c85fb0613efb7c73b93d51a72cda5

SHA1
8db384a16df0c904d09e11577640b422355983d2

SHA256
fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50

SHA512
046fe8316d680df22914b1a13c27efd5a877f7c36183ab25a5723d6bb412e7419d1e4122a6281db09a285b20310b9bbcddb280b6384efb9a712446da94cf2d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
MD5
e40c85fb0613efb7c73b93d51a72cda5

SHA1
8db384a16df0c904d09e11577640b422355983d2

SHA256
fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50

SHA512
046fe8316d680df22914b1a13c27efd5a877f7c36183ab25a5723d6bb412e7419d1e4122a6281db09a285b20310b9bbcddb280b6384efb9a712446da94cf2d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys30.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys30.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys30.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys30.txt
MD5
fe8776fcf5ba77ca8da2adafbcc71f9c

SHA1
f3b38408d225169de4bccf82155d6aac0956cd94

SHA256
fb0f1c480500367ee0804f87b5885701d39f51fe53330ec79bcf14119fe9dbc3

SHA512
14d25888656e79b1214bb85ba6da32f5e189e4d38c4714029754efe5a4b3445a79292e89610cad669b1c07977643635863df2e556f1ecca1491b3fc58c03e704

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys30.txt
MD5
51ec579b34f887293d5f1a5d2dc0474c

SHA1
0651533e3c65e8910d01d9e0b28066c09cebb5d4

SHA256
ab9aa22079648535d8ef465b50a3c8b47d22050a2ece6cf2943f8f98c125350c

SHA512
90161e61511e245afdfa3f185b7dc925c579a66566e45a632b656ce8fde8504f9069e638cb43529ca0bbc21acc004c64b9de1a238d87f813cecc45ebfc52ba6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys30.txt
MD5
62b24a8b79dbaa491ee19e87a06922da

SHA1
b6ff934067d1afb9a62333c0494c9411037924e1

SHA256
df7e95dc7537f958b824aafda70dae69dd1947f0030bbcc7789f633a4a6061a0

SHA512
c6911fffa0758b7348ebebeeaff07401f8da996db4b3e800ecb40226c49e1fea9ae436077f689ddaa6915b2b43bdc13e2666bc86375279367136ab6c0e7955c3

Download Submit
\Users\Admin\AppData\Local\Microsoft Dlli\versions.exe
MD5
e40c85fb0613efb7c73b93d51a72cda5

SHA1
8db384a16df0c904d09e11577640b422355983d2

SHA256
fc738d6f2c037f7fa3f40e362d99013664e4e0fc2ef54d61e1d2c4156e07ad50

SHA512
046fe8316d680df22914b1a13c27efd5a877f7c36183ab25a5723d6bb412e7419d1e4122a6281db09a285b20310b9bbcddb280b6384efb9a712446da94cf2d49

Download Submit
\Users\Admin\AppData\Local\Temp\sys30.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\sys30.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
memory/744-72-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/744-71-0x0000000000690000-0x000000000069B000-memory.dmp

Filesize
44KB

Download
memory/744-66-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/744-70-0x0000000000E91000-0x0000000000E92000-memory.dmp

Filesize
4KB

Download
memory/744-63-0x0000000000000000-mapping.dmp

Download
memory/744-68-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/996-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-84-0x00000000006B0000-0x00000000006C9000-memory.dmp

Filesize
100KB

Download
memory/996-85-0x00000000006D0000-0x00000000006D3000-memory.dmp

Filesize
12KB

Download
memory/996-82-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/996-103-0x0000000000FB0000-0x0000000000FBF000-memory.dmp

Filesize
60KB

Download
memory/996-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-78-0x000000000041E792-mapping.dmp

Download
memory/996-77-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/996-83-0x00000000005E0000-0x00000000005E5000-memory.dmp

Filesize
20KB

Download
memory/996-102-0x0000000000F80000-0x0000000000FA9000-memory.dmp

Filesize
164KB

Download
memory/996-93-0x0000000000840000-0x0000000000855000-memory.dmp

Filesize
84KB

Download
memory/996-92-0x0000000000830000-0x000000000083D000-memory.dmp

Filesize
52KB

Download
memory/996-98-0x0000000000DB0000-0x0000000000DBD000-memory.dmp

Filesize
52KB

Download
memory/996-97-0x0000000000D20000-0x0000000000D26000-memory.dmp

Filesize
24KB

Download
memory/996-96-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

Filesize
28KB

Download
memory/996-95-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/996-94-0x0000000000C20000-0x0000000000C26000-memory.dmp

Filesize
24KB

Download
memory/996-99-0x0000000000DC0000-0x0000000000DC9000-memory.dmp

Filesize
36KB

Download
memory/996-100-0x0000000000DD0000-0x0000000000DDF000-memory.dmp

Filesize
60KB

Download
memory/996-101-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/1552-107-0x0000000000000000-mapping.dmp

Download
memory/1644-58-0x0000000004190000-0x00000000041B1000-memory.dmp

Filesize
132KB

Download
memory/1644-61-0x0000000004BB1000-0x0000000004BB2000-memory.dmp

Filesize
4KB

Download
memory/1644-57-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1644-55-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1680-60-0x0000000000000000-mapping.dmp

Download
memory/1800-90-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/1800-87-0x0000000000000000-mapping.dmp

Download
memory/1980-59-0x0000000000000000-mapping.dmp

Download