nanocore | 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a

Analysis

max time kernel
138s
max time network
171s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
Size

513KB
MD5

0a242406df260af40a8b4fd6258cfb5e
SHA1

2eac5ee482bc4b74a40f3d2d4537412d2708f2e5
SHA256

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a
SHA512

86b958e94a2d2ca5bafad1250920e1a1ab700757dabb0e53a5a8d6962ddcb55f5af07f42801c30604526418d18d636755d00d4d583ec988eca219da8b933f3d1

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

128.226.252.143:54984

127.0.0.1:54984

Mutex

71004c52-6256-4356-bd30-5affe1ec6914

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-31T01:18:37.502649636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
71004c52-6256-4356-bd30-5affe1ec6914
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
128.226.252.143
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

HWID CHANGER.EXESERVICES.EXE

pid process

1588 HWID CHANGER.EXE
1360 SERVICES.EXE

pid	process
1588	HWID CHANGER.EXE
1360	SERVICES.EXE

Loads dropped DLL 3 IoCs

Processes:

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe

pid	process
976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SERVICES.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"	SERVICES.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SERVICES.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SERVICES.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SERVICES.EXE

Drops file in Program Files directory 2 IoCs

Processes:

SERVICES.EXE

description	ioc	process
File created	C:\Program Files (x86)\ARP Service\arpsvc.exe	SERVICES.EXE
File opened for modification	C:\Program Files (x86)\ARP Service\arpsvc.exe	SERVICES.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1320 schtasks.exe
664 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SERVICES.EXE

pid process

1360 SERVICES.EXE
1360 SERVICES.EXE
1360 SERVICES.EXE
1360 SERVICES.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SERVICES.EXE

pid process

1360 SERVICES.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SERVICES.EXE

description pid process

Token: SeDebugPrivilege 1360 SERVICES.EXE
Token: SeDebugPrivilege 1360 SERVICES.EXE

pid	process
1320	schtasks.exe
664	schtasks.exe

pid	process
1360	SERVICES.EXE
1360	SERVICES.EXE
1360	SERVICES.EXE
1360	SERVICES.EXE

pid	process
1360	SERVICES.EXE

description	pid	process
Token: SeDebugPrivilege	1360	SERVICES.EXE
Token: SeDebugPrivilege	1360	SERVICES.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exeSERVICES.EXE

description	pid	process	target process
PID 976 wrote to memory of 1588	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	HWID CHANGER.EXE
PID 976 wrote to memory of 1588	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	HWID CHANGER.EXE
PID 976 wrote to memory of 1588	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	HWID CHANGER.EXE
PID 976 wrote to memory of 1588	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	HWID CHANGER.EXE
PID 976 wrote to memory of 1360	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	SERVICES.EXE
PID 976 wrote to memory of 1360	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	SERVICES.EXE
PID 976 wrote to memory of 1360	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	SERVICES.EXE
PID 976 wrote to memory of 1360	976	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	SERVICES.EXE
PID 1360 wrote to memory of 1320	1360	SERVICES.EXE	schtasks.exe
PID 1360 wrote to memory of 1320	1360	SERVICES.EXE	schtasks.exe
PID 1360 wrote to memory of 1320	1360	SERVICES.EXE	schtasks.exe
PID 1360 wrote to memory of 1320	1360	SERVICES.EXE	schtasks.exe
PID 1360 wrote to memory of 664	1360	SERVICES.EXE	schtasks.exe
PID 1360 wrote to memory of 664	1360	SERVICES.EXE	schtasks.exe
PID 1360 wrote to memory of 664	1360	SERVICES.EXE	schtasks.exe
PID 1360 wrote to memory of 664	1360	SERVICES.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
"C:\Users\Admin\AppData\Local\Temp\68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
"C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"
2⤵
- Executes dropped EXE
PID:1588

C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp621E.tmp"
3⤵
- Creates scheduled task(s)
PID:1320

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp68B4.tmp"
3⤵
- Creates scheduled task(s)
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

Filesize
138KB

MD5
88b430e9224557e9eeab96a9096a0e3b

SHA1
cb7a4f3efbfe68009c6b1677ed50991e134161e8

SHA256
c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c

SHA512
e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

Filesize
138KB

MD5
88b430e9224557e9eeab96a9096a0e3b

SHA1
cb7a4f3efbfe68009c6b1677ed50991e134161e8

SHA256
c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c

SHA512
e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE

Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE

Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp621E.tmp

Filesize
1KB

MD5
ceee50b15e8af3709e3b6797b4fe0dff

SHA1
94686fe6430122551a42b8c9871845c0990161f3

SHA256
9d5d630ffb1574bb8c5345c56805fcbd7879d2b9b7b7b799825cc6f33b232ce0

SHA512
372c46f1e7a50282fcc0aec8747fe82b29ec4cad9fa0e8f7a40d831b0e5aeca1925366da0f5edc22eeed5ef412a0f7a3785669a62874f7c4d40b3b089926604d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp68B4.tmp

Filesize
1KB

MD5
1badb6e2b29a1c4bfff3c179d53ab96b

SHA1
4b2ad3e5f3826d252d1c8bf1c8f0702f39129fa1

SHA256
6259ac4e6859a1b528d77ccea12b378f7dfa1eff359d9b8899414b4b1c484699

SHA512
36338e2a74fd85c5f2c84be009981a7260692c1bcb121a42018209031082da69bf65640702d53e28b54871f9d44e65fdbebaf4771c530699c3e93981b58129b4

Download Submit
\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE

Filesize
138KB

MD5
88b430e9224557e9eeab96a9096a0e3b

SHA1
cb7a4f3efbfe68009c6b1677ed50991e134161e8

SHA256
c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c

SHA512
e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

Download Submit
\Users\Admin\AppData\Local\Temp\SERVICES.EXE

Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
\Users\Admin\AppData\Local\Temp\SERVICES.EXE

Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
memory/664-70-0x0000000000000000-mapping.dmp

Download
memory/976-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1320-67-0x0000000000000000-mapping.dmp

Download
memory/1360-61-0x0000000000000000-mapping.dmp

Download
memory/1360-69-0x0000000074310000-0x00000000748BB000-memory.dmp

Filesize
5.7MB

Download
memory/1588-65-0x0000000000280000-0x00000000002A8000-memory.dmp

Filesize
160KB

Download
memory/1588-56-0x0000000000000000-mapping.dmp

Download
memory/1588-72-0x0000000004DB5000-0x0000000004DC6000-memory.dmp

Filesize
68KB

Download