nanocore | 0f13df07fb8d92d3c1acc3b799dbbef6f7a45158bd33c08e74a5f29b0b450965

General

Target

862020,pdf.exe
Size

666KB
MD5

c8b0e1ef53206e9a1f8845d379ae6d34
SHA1

127047c52e010a9d5dae43bc2530d43b6db579ce
SHA256

3cb221973d52d12fc900f37496a9c5f77b30da63886a0f7d54111982c00e872b
SHA512

11b72d575390150f0b5200d27cee00787c63102703e2d56b05bcccc398d5ea828c0e0480dae4fc9d9a8f3af802e81e99c28b269e445cc2c3a78b3c2e67a943bc

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

billionaire.ddns.net:3734

Mutex

24d8b675-ce49-4a1b-a4a3-dc5d84e97d70

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-25T16:42:00.435974836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3734
default_group
Billion
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
24d8b675-ce49-4a1b-a4a3-dc5d84e97d70
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
billionaire.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

862020,pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	862020,pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

862020,pdf.exe

description pid process target process

PID 4476 set thread context of 3604 4476 862020,pdf.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3112 schtasks.exe
4460 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

862020,pdf.exeMSBuild.exe

pid process

4476 862020,pdf.exe
3604 MSBuild.exe
3604 MSBuild.exe
3604 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

3604 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

862020,pdf.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 4476 862020,pdf.exe
Token: SeDebugPrivilege 3604 MSBuild.exe

description	pid	process	target process
PID 4476 set thread context of 3604	4476	862020,pdf.exe	MSBuild.exe

pid	process
3112	schtasks.exe
4460	schtasks.exe

pid	process
4476	862020,pdf.exe
3604	MSBuild.exe
3604	MSBuild.exe
3604	MSBuild.exe

pid	process
3604	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4476	862020,pdf.exe
Token: SeDebugPrivilege	3604	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

862020,pdf.exeMSBuild.exe

description	pid	process	target process
PID 4476 wrote to memory of 3112	4476	862020,pdf.exe	schtasks.exe
PID 4476 wrote to memory of 3112	4476	862020,pdf.exe	schtasks.exe
PID 4476 wrote to memory of 3112	4476	862020,pdf.exe	schtasks.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 4476 wrote to memory of 3604	4476	862020,pdf.exe	MSBuild.exe
PID 3604 wrote to memory of 4460	3604	MSBuild.exe	schtasks.exe
PID 3604 wrote to memory of 4460	3604	MSBuild.exe	schtasks.exe
PID 3604 wrote to memory of 4460	3604	MSBuild.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\862020,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\862020,pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lCwqeTSzvEZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp75D7.tmp"
2⤵
- Creates scheduled task(s)
PID:3112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7A3C.tmp"
3⤵
- Creates scheduled task(s)
PID:4460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp75D7.tmp

Filesize
1KB

MD5
357cccdb4961c3cb89c021775fbb9935

SHA1
426fb9613e593045538bf457740650a20708f3ff

SHA256
71a474c0d1f207bee09891e2b0729604c384cc95dcc59caf64b9dcc53414b6a9

SHA512
4f694463fa4a1d26aa15efeac38ee042db2bbe219bb6569c6856def8cda46f3e552412b47eadaa181431a79fde1e43d2ca4a0f744ceee85c5873fd580f39eea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A3C.tmp

Filesize
1KB

MD5
3e2b26ed8b75ae83a269595180e84ef6

SHA1
d30a0335fcce406bca8ba5764288235e6192f608

SHA256
108be30aeb8eb31c185a39a6726f26dacbc4e4124951c61a29ade4b7038c71ea

SHA512
b6981c68fcb886cc8379a068b96931b9d4f5cc5aa9bdc467e36c4168fe6c5273a2a84d8850b12c11703ec03ac6b1f1950d1e669efcb59fc2402ce4bba9dc03d3

Download Submit
memory/3112-137-0x0000000000000000-mapping.dmp

Download
memory/3604-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3604-139-0x0000000000000000-mapping.dmp

Download
memory/4460-141-0x0000000000000000-mapping.dmp

Download
memory/4476-133-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/4476-136-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/4476-135-0x0000000005840000-0x0000000005896000-memory.dmp

Filesize
344KB

Download
memory/4476-134-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/4476-130-0x0000000000C40000-0x0000000000CEC000-memory.dmp

Filesize
688KB

Download
memory/4476-132-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/4476-131-0x0000000005660000-0x00000000056FC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads