nanocore | 64fab27a292c6f49262f33c5af0c3ff80425f82fe464b5f9099f5c0be62e966b

General

Target

PQ.exe
Size

486KB
MD5

b60d09f2dce10213744504e38a4036c0
SHA1

82b1b98f103f6694b3f45368f3c77481857ed28c
SHA256

1583c29f396b51c03866ecbac92dfae57d41c361d8f6f5ae71600a84a4b9033d
SHA512

1675f3389dcf12bec42615c8f21826aa0046d90582ab722981218368b9c041cb96f89ce6bdf525d5c2eaa28791b103cbed57b743032a8a9f3a17d100dc8cce95

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

bornsinner.myq-see.com:3941

Mutex

1276c0d6-7944-4dc2-bd80-b50fc12f063d

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
buffer_size
65542
build_time
2020-02-03T06:34:44.711604836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
3994
connection_port
3941
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
1276c0d6-7944-4dc2-bd80-b50fc12f063d
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
bornsinner.myq-see.com
primary_dns_server
bornsinner.myq-see.com
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PQ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PQ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PQ.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

PQ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PQ.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	PQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PQ.exe

description pid process target process

PID 1920 set thread context of 380 1920 PQ.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1188 schtasks.exe
1900 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

380 MSBuild.exe
380 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

380 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 380 MSBuild.exe

description	pid	process	target process
PID 1920 set thread context of 380	1920	PQ.exe	MSBuild.exe

pid	process
1188	schtasks.exe
1900	schtasks.exe

pid	process
380	MSBuild.exe
380	MSBuild.exe

pid	process
380	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	380	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PQ.exeMSBuild.exe

description	pid	process	target process
PID 1920 wrote to memory of 1900	1920	PQ.exe	schtasks.exe
PID 1920 wrote to memory of 1900	1920	PQ.exe	schtasks.exe
PID 1920 wrote to memory of 1900	1920	PQ.exe	schtasks.exe
PID 1920 wrote to memory of 1900	1920	PQ.exe	schtasks.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 1920 wrote to memory of 380	1920	PQ.exe	MSBuild.exe
PID 380 wrote to memory of 1188	380	MSBuild.exe	schtasks.exe
PID 380 wrote to memory of 1188	380	MSBuild.exe	schtasks.exe
PID 380 wrote to memory of 1188	380	MSBuild.exe	schtasks.exe
PID 380 wrote to memory of 1188	380	MSBuild.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\PQ.exe
"C:\Users\Admin\AppData\Local\Temp\PQ.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJuuxxsWIJkn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBF0.tmp"
2⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE689.tmp"
3⤵
- Creates scheduled task(s)
PID:1188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBBF0.tmp

Filesize
1KB

MD5
4f2ec29d4756aae0f27025ab4bc6fddd

SHA1
120e6055faa9daaa72161f9a87db30d65ac6460d

SHA256
078ba0da286a38afce26713c867a6f3c0f0c0103eb5b9e0343cfd4b186ecbae8

SHA512
41d90605897c2cccbf8209dd208fbc063bfc5f5e3dab431cc7f26d9f28f5b1544a971b1bc9e5dbf41b955597c0f69b2e55383b3fd75c9cacc1b5b99668a251d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE689.tmp

Filesize
1KB

MD5
ae766004c0d8792953bafffe8f6a2e3b

SHA1
14b12f27543a401e2fe0af8052e116cab0032426

SHA256
1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540

SHA512
e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

Download Submit
memory/380-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-65-0x000000000041E792-mapping.dmp

Download
memory/380-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/380-73-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download
memory/1188-71-0x0000000000000000-mapping.dmp

Download
memory/1900-56-0x0000000000000000-mapping.dmp

Download
memory/1920-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1920-55-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads