nanocore | 87312f2b8882751c350dfa9097a8ce18ef9c36e886de3aa02190dbc055a3a93a

General

Target

0RY9t35YcXOZNbf.exe
Size

594KB
MD5

0b5122869b9f16726f19a5f22d32eaad
SHA1

61d5174d14e9c5fce2e441619d7064c67fc969ac
SHA256

320b9847b87acc72f35b69c9767584a8627d6cce512d65d45ca5bbc62b94230e
SHA512

d3b41e245aed263e9f4938e65cb4189bc26cdf996354722334a314e40affdf5961de0f8d0972f30818736d81c52fb5537e99945a274cac9c91a6904e9068ca6b

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

79.134.225.71:1985

127.0.0.1:1985

Mutex

b906c32a-7c7b-408f-aea8-c2cf051540c7

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-08T07:10:15.167894836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1985
default_group
Cherry
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b906c32a-7c7b-408f-aea8-c2cf051540c7
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
79.134.225.71
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0RY9t35YcXOZNbf.exe

description pid process target process

PID 532 set thread context of 1292 532 0RY9t35YcXOZNbf.exe RegSvcs.exe

description	pid	process	target process
PID 532 set thread context of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Service\arpsvc.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\ARP Service\arpsvc.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

852 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

0RY9t35YcXOZNbf.exeRegSvcs.exe

pid process

532 0RY9t35YcXOZNbf.exe
532 0RY9t35YcXOZNbf.exe
532 0RY9t35YcXOZNbf.exe
1292 RegSvcs.exe
1292 RegSvcs.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1292 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0RY9t35YcXOZNbf.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 532 0RY9t35YcXOZNbf.exe
Token: SeDebugPrivilege 1292 RegSvcs.exe

pid	process
852	schtasks.exe

pid	process
532	0RY9t35YcXOZNbf.exe
532	0RY9t35YcXOZNbf.exe
532	0RY9t35YcXOZNbf.exe
1292	RegSvcs.exe
1292	RegSvcs.exe

pid	process
1292	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	532	0RY9t35YcXOZNbf.exe
Token: SeDebugPrivilege	1292	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

0RY9t35YcXOZNbf.exe

description	pid	process	target process
PID 532 wrote to memory of 852	532	0RY9t35YcXOZNbf.exe	schtasks.exe
PID 532 wrote to memory of 852	532	0RY9t35YcXOZNbf.exe	schtasks.exe
PID 532 wrote to memory of 852	532	0RY9t35YcXOZNbf.exe	schtasks.exe
PID 532 wrote to memory of 852	532	0RY9t35YcXOZNbf.exe	schtasks.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe
PID 532 wrote to memory of 1292	532	0RY9t35YcXOZNbf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0RY9t35YcXOZNbf.exe
"C:\Users\Admin\AppData\Local\Temp\0RY9t35YcXOZNbf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD099.tmp"
2⤵
- Creates scheduled task(s)
PID:852

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD099.tmp

Filesize
1KB

MD5
dc436ff5b60ef8168376c73a193ed25c

SHA1
0943c8a1a0851b7b79d31fadb488cce2e0444638

SHA256
949ee6cece73e1304479fc963d79d2fd8e6410f451c1ce0ae6fd6e1b40b70705

SHA512
1f66711762ef86444a1e4edd5e3105b2ca5e83ec72bc6c2e04c7b5a9de1f50df3a6a85c75fc54003e4ebb0c9d8061455a6ef2e544726536592fb32dbf99736bd

Download Submit
memory/532-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/532-55-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/852-56-0x0000000000000000-mapping.dmp

Download
memory/1292-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-65-0x000000000041E792-mapping.dmp

Download
memory/1292-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1292-71-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/1292-72-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads