nanocore | 741d99e06fa4a9e945cd70675fe8f28c9182e5ceae54e922fe94a59084007b0b

General

Target

Z2OO7PDS.exe
Size

442KB
MD5

ba83069cf373373d35a107ac5d8b4da9
SHA1

8f1ccfccd2e9f2e3b4652bdf3b385d69c4f57c7d
SHA256

82c3dd9e4b7e58fba6607bd562d4a80bc2c30f329bd7e7a5be3f40398b45caf1
SHA512

b7d15454c882410ef178d8bc20ca747597a128234dc4bbfd92826b0b895bd4279a123d2f315aa107728f48ab41c54169136922cafca2616d3ad8c9d047fc5e5c

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.84.181.89:9083

godrich.duckdns.org:9083

Mutex

1279205d-f778-4dea-87c3-5b0f16201404

Attributes

activate_away_mode
true
backup_connection_host
godrich.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65556
build_time
2020-05-17T06:02:33.528877536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9083
default_group
Sales
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1279205d-f778-4dea-87c3-5b0f16201404
mutex_timeout
5006
prevent_system_sleep
false
primary_connection_host
185.84.181.89
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5012
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Z2OO7PDS.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe"	Z2OO7PDS.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Z2OO7PDS.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Z2OO7PDS.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Z2OO7PDS.exe

description pid process target process

PID 4828 set thread context of 4876 4828 Z2OO7PDS.exe Z2OO7PDS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Z2OO7PDS.exe

description	pid	process	target process
PID 4828 set thread context of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe

Drops file in Program Files directory 2 IoCs

Processes:

Z2OO7PDS.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Service\wpasv.exe	Z2OO7PDS.exe
File opened for modification	C:\Program Files (x86)\WPA Service\wpasv.exe	Z2OO7PDS.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2576 schtasks.exe
4924 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Z2OO7PDS.exeZ2OO7PDS.exe

pid process

4828 Z2OO7PDS.exe
4828 Z2OO7PDS.exe
4828 Z2OO7PDS.exe
4876 Z2OO7PDS.exe
4876 Z2OO7PDS.exe
4876 Z2OO7PDS.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Z2OO7PDS.exe

pid process

4876 Z2OO7PDS.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Z2OO7PDS.exeZ2OO7PDS.exe

description pid process

Token: SeDebugPrivilege 4828 Z2OO7PDS.exe
Token: SeDebugPrivilege 4876 Z2OO7PDS.exe

pid	process
2576	schtasks.exe
4924	schtasks.exe

pid	process
4828	Z2OO7PDS.exe
4828	Z2OO7PDS.exe
4828	Z2OO7PDS.exe
4876	Z2OO7PDS.exe
4876	Z2OO7PDS.exe
4876	Z2OO7PDS.exe

pid	process
4876	Z2OO7PDS.exe

description	pid	process
Token: SeDebugPrivilege	4828	Z2OO7PDS.exe
Token: SeDebugPrivilege	4876	Z2OO7PDS.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Z2OO7PDS.exeZ2OO7PDS.exe

description	pid	process	target process
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4828 wrote to memory of 4876	4828	Z2OO7PDS.exe	Z2OO7PDS.exe
PID 4876 wrote to memory of 2576	4876	Z2OO7PDS.exe	schtasks.exe
PID 4876 wrote to memory of 2576	4876	Z2OO7PDS.exe	schtasks.exe
PID 4876 wrote to memory of 2576	4876	Z2OO7PDS.exe	schtasks.exe
PID 4876 wrote to memory of 4924	4876	Z2OO7PDS.exe	schtasks.exe
PID 4876 wrote to memory of 4924	4876	Z2OO7PDS.exe	schtasks.exe
PID 4876 wrote to memory of 4924	4876	Z2OO7PDS.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe
"C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\Z2OO7PDS.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp"
3⤵
- Creates scheduled task(s)
PID:2576

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBA0A.tmp"
3⤵
- Creates scheduled task(s)
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB70B.tmp
Filesize
1KB

MD5
57d030974b893acde94283816b5c18d4

SHA1
2da210248ccdfeed7f64f6eed90e399be4a46e24

SHA256
f734ec317c0d58b4bd332dc4fd8ec671494355133424aa269d0cc0fbde983a44

SHA512
8030525f3dd8aafb027ee5d5e39f1894629bd8f777d977b5f57934298dafbea2122db47304dfdb273eb47a87024dd03e1f0dde7e02b8bf2fc360b4816b77f6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA0A.tmp
Filesize
1KB

MD5
21de6c3a6440d917bdbb4b491191d9b2

SHA1
c63c300affe7147910dc4544d2d5f3029bf321a6

SHA256
23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4

SHA512
dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f

Download Submit
memory/2576-137-0x0000000000000000-mapping.dmp

Download
memory/4828-130-0x0000000000550000-0x00000000005C4000-memory.dmp

Filesize
464KB

Download
memory/4828-131-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/4828-132-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/4828-133-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4828-134-0x0000000007C90000-0x0000000007D2C000-memory.dmp

Filesize
624KB

Download
memory/4876-135-0x0000000000000000-mapping.dmp

Download
memory/4876-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4924-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads