nanocore | 692fb9c530fccb14cd56dec0ba71ff1be0018b28d81a3dee76a9ca788bc6465c

General

Target

RF172474228ES.exe
Size

506KB
MD5

8bbd8695bdfb7fb7438053fcdb6d79a4
SHA1

202966c54b72362c2e8c18e09d368eedd7dcc62a
SHA256

d278d26f9221b6542223942ce10c1a6c34c8a550c0d8e0d724798cadaf160bfd
SHA512

716cfd55b155014338fa2ff99e9c999a98163aa0977d1a274e3ca9505aa681509dccfe3853809c297140f58d9e8c6c669865bf285a0aabf552fe4b246feb849c

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.140.53.9:9124

127.0.0.1:9124

Mutex

abee0a6e-9120-44aa-a70c-1e32c9a07128

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-04-05T19:51:22.629259936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
9124
default_group
Wish
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
abee0a6e-9120-44aa-a70c-1e32c9a07128
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
185.140.53.9
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Suspicious use of SetThreadContext 1 IoCs

Processes:

RF172474228ES.exe

description pid process target process

PID 632 set thread context of 2032 632 RF172474228ES.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1672 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RF172474228ES.exeMSBuild.exe

pid process

632 RF172474228ES.exe
2032 MSBuild.exe
2032 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

2032 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RF172474228ES.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 632 RF172474228ES.exe
Token: SeDebugPrivilege 2032 MSBuild.exe

description	pid	process	target process
PID 632 set thread context of 2032	632	RF172474228ES.exe	MSBuild.exe

pid	process
1672	schtasks.exe

pid	process
632	RF172474228ES.exe
2032	MSBuild.exe
2032	MSBuild.exe

pid	process
2032	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	632	RF172474228ES.exe
Token: SeDebugPrivilege	2032	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

RF172474228ES.exe

description	pid	process	target process
PID 632 wrote to memory of 1672	632	RF172474228ES.exe	schtasks.exe
PID 632 wrote to memory of 1672	632	RF172474228ES.exe	schtasks.exe
PID 632 wrote to memory of 1672	632	RF172474228ES.exe	schtasks.exe
PID 632 wrote to memory of 1672	632	RF172474228ES.exe	schtasks.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe
PID 632 wrote to memory of 2032	632	RF172474228ES.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\RF172474228ES.exe
"C:\Users\Admin\AppData\Local\Temp\RF172474228ES.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\skzSSQhxUahA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9F.tmp"
2⤵
- Creates scheduled task(s)
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC9F.tmp

Filesize
1KB

MD5
582efb4e457de0efd9723626b0bb3dfe

SHA1
daf66b6b7920333e1f1a86f234870809013d99cc

SHA256
bb52b1b191e67c57aa44c4f7c8b5bd4546041a737a329fe777870b069ddd911b

SHA512
f81eb4a5b6f22335c9c5a1ece4be1c18d68fad24a9ca7ecd9eb15c7249f76b997eaf679e9ff5e92f0be32faebcd0a8a29a0342db1de10922321099a1a0bc897b

Download Submit
memory/632-54-0x0000000000120000-0x00000000001A4000-memory.dmp

Filesize
528KB

Download
memory/632-55-0x0000000075391000-0x0000000075393000-memory.dmp

Filesize
8KB

Download
memory/632-56-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/632-57-0x0000000004870000-0x00000000048C2000-memory.dmp

Filesize
328KB

Download
memory/632-58-0x0000000001F00000-0x0000000001F3A000-memory.dmp

Filesize
232KB

Download
memory/1672-59-0x0000000000000000-mapping.dmp

Download
memory/2032-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-68-0x000000000041E792-mapping.dmp

Download
memory/2032-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-74-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/2032-75-0x0000000000730000-0x000000000074E000-memory.dmp

Filesize
120KB

Download
memory/2032-76-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/2032-77-0x0000000000B75000-0x0000000000B86000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads