nanocore | 68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a

General

Target

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
Size

513KB
MD5

0a242406df260af40a8b4fd6258cfb5e
SHA1

2eac5ee482bc4b74a40f3d2d4537412d2708f2e5
SHA256

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a
SHA512

86b958e94a2d2ca5bafad1250920e1a1ab700757dabb0e53a5a8d6962ddcb55f5af07f42801c30604526418d18d636755d00d4d583ec988eca219da8b933f3d1

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

128.226.252.143:54984

127.0.0.1:54984

Mutex

71004c52-6256-4356-bd30-5affe1ec6914

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-07-31T01:18:37.502649636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
71004c52-6256-4356-bd30-5affe1ec6914
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
128.226.252.143
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

HWID CHANGER.EXESERVICES.EXE

pid process

548 HWID CHANGER.EXE
3068 SERVICES.EXE

pid	process
548	HWID CHANGER.EXE
3068	SERVICES.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SERVICES.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Monitor = "C:\\Program Files (x86)\\WPA Monitor\\wpamon.exe"	SERVICES.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SERVICES.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SERVICES.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SERVICES.EXE

Drops file in Program Files directory 2 IoCs

Processes:

SERVICES.EXE

description	ioc	process
File created	C:\Program Files (x86)\WPA Monitor\wpamon.exe	SERVICES.EXE
File opened for modification	C:\Program Files (x86)\WPA Monitor\wpamon.exe	SERVICES.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4068 schtasks.exe
3372 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SERVICES.EXE

pid process

3068 SERVICES.EXE
3068 SERVICES.EXE
3068 SERVICES.EXE
3068 SERVICES.EXE
3068 SERVICES.EXE
3068 SERVICES.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SERVICES.EXE

pid process

3068 SERVICES.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SERVICES.EXE

description pid process

Token: SeDebugPrivilege 3068 SERVICES.EXE
Token: SeDebugPrivilege 3068 SERVICES.EXE

pid	process
4068	schtasks.exe
3372	schtasks.exe

pid	process
3068	SERVICES.EXE
3068	SERVICES.EXE
3068	SERVICES.EXE
3068	SERVICES.EXE
3068	SERVICES.EXE
3068	SERVICES.EXE

pid	process
3068	SERVICES.EXE

description	pid	process
Token: SeDebugPrivilege	3068	SERVICES.EXE
Token: SeDebugPrivilege	3068	SERVICES.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exeSERVICES.EXE

description	pid	process	target process
PID 2176 wrote to memory of 548	2176	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	HWID CHANGER.EXE
PID 2176 wrote to memory of 548	2176	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	HWID CHANGER.EXE
PID 2176 wrote to memory of 548	2176	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	HWID CHANGER.EXE
PID 2176 wrote to memory of 3068	2176	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	SERVICES.EXE
PID 2176 wrote to memory of 3068	2176	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	SERVICES.EXE
PID 2176 wrote to memory of 3068	2176	68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe	SERVICES.EXE
PID 3068 wrote to memory of 4068	3068	SERVICES.EXE	schtasks.exe
PID 3068 wrote to memory of 4068	3068	SERVICES.EXE	schtasks.exe
PID 3068 wrote to memory of 4068	3068	SERVICES.EXE	schtasks.exe
PID 3068 wrote to memory of 3372	3068	SERVICES.EXE	schtasks.exe
PID 3068 wrote to memory of 3372	3068	SERVICES.EXE	schtasks.exe
PID 3068 wrote to memory of 3372	3068	SERVICES.EXE	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe
"C:\Users\Admin\AppData\Local\Temp\68fc463038581b0243f1c85a6397232c5db10dd9482caaf08bdc9cc275134a6a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
"C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE"
2⤵
- Executes dropped EXE
PID:548

C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE871.tmp"
3⤵
- Creates scheduled task(s)
PID:4068

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEA27.tmp"
3⤵
- Creates scheduled task(s)
PID:3372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
Filesize
138KB

MD5
88b430e9224557e9eeab96a9096a0e3b

SHA1
cb7a4f3efbfe68009c6b1677ed50991e134161e8

SHA256
c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c

SHA512
e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWID CHANGER.EXE
Filesize
138KB

MD5
88b430e9224557e9eeab96a9096a0e3b

SHA1
cb7a4f3efbfe68009c6b1677ed50991e134161e8

SHA256
c2b6d3a912a5dc8ddc8c4a2d67379d0395d60d4daf620ab7874741904a90793c

SHA512
e9631bbef6b40a07080b985d5bffaeeaab0f5cb61471ed710e174474afd724ee4ae8c207c8818e1c9bc137f1b06c4013fe2b576be439b1f464ddcb6153bbf72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
Filesize
203KB

MD5
fbf4540d5b491f75fe1c22ac4815fa83

SHA1
83275825f4b8c75bb0b7395baf910a64d2dffe61

SHA256
e4d9229c04e7024390df8fae3a78756ac414064a5d5895c1adb67e25d034c8b6

SHA512
1b74e235dd1681f7a3c047f3feff131bd898464e3a98e32c3c7f6c68bd2b6a76e7c3e5a06d4c8f31c1a40b8e62920a90fb50d05eb8711eee875d31f1bf18bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE871.tmp
Filesize
1KB

MD5
ceee50b15e8af3709e3b6797b4fe0dff

SHA1
94686fe6430122551a42b8c9871845c0990161f3

SHA256
9d5d630ffb1574bb8c5345c56805fcbd7879d2b9b7b7b799825cc6f33b232ce0

SHA512
372c46f1e7a50282fcc0aec8747fe82b29ec4cad9fa0e8f7a40d831b0e5aeca1925366da0f5edc22eeed5ef412a0f7a3785669a62874f7c4d40b3b089926604d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA27.tmp
Filesize
1KB

MD5
a246b3561d823177f3586e629f144233

SHA1
0f05d12e55a1d2e5e6a4f307c193882fba093315

SHA256
6abae7707b06e52b58f537b335e367cc54b093e899d78f16e94ceaf7ceafca52

SHA512
4246aa9a96331e2c7e36b37fa778e31ecae055c77164e0dc673aa50cdec368f08d356ab06ef1a4540816c474828048ab1bebed7e211a4eb929f2918e1fac9c6d

Download Submit
memory/548-136-0x0000000000A30000-0x0000000000A58000-memory.dmp

Filesize
160KB

Download
memory/548-137-0x0000000005500000-0x000000000559C000-memory.dmp

Filesize
624KB

Download
memory/548-138-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/548-139-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/548-143-0x0000000005730000-0x0000000005786000-memory.dmp

Filesize
344KB

Download
memory/548-141-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/548-130-0x0000000000000000-mapping.dmp

Download
memory/3068-133-0x0000000000000000-mapping.dmp

Download
memory/3068-140-0x0000000074770000-0x0000000074D21000-memory.dmp

Filesize
5.7MB

Download
memory/3372-145-0x0000000000000000-mapping.dmp

Download
memory/4068-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads