nanocore | 477e309fab0a09cc96a1d3ea130cffe0d021d78cecfa9c7501d4c06cba93b040

General

Target

U85C0HFJ.exe
Size

842KB
MD5

1e6c98943038ee098cb0203a0d8231ef
SHA1

2dc93e968f7560f709c8a3c115e305194c8fe87d
SHA256

23143dfb44c72eeec3b05a6d3dde2c4245adcb7db200c00f7700257830b4bcc4
SHA512

6ab77d1062467897b892619d6a09360dfb8dc676abf813817c935b41f7119fa8cfc6912a1d4a576556f37c2875df3f68fc421de162e99ea9d586e36c8016d436

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.165.153.236:9083

godrich.duckdns.org:9083

Mutex

8048bd48-ccbd-4e17-b105-f23d73fd0f3e

Attributes

activate_away_mode
false
backup_connection_host
godrich.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-16T12:17:36.575332436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
9083
default_group
reciept
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8048bd48-ccbd-4e17-b105-f23d73fd0f3e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.165.153.236
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
4985
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

U85C0HFJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"	U85C0HFJ.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

U85C0HFJ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA U85C0HFJ.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

U85C0HFJ.exe

description pid process target process

PID 1228 set thread context of 1836 1228 U85C0HFJ.exe U85C0HFJ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	U85C0HFJ.exe

description	pid	process	target process
PID 1228 set thread context of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe

Drops file in Program Files directory 2 IoCs

Processes:

U85C0HFJ.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Service\arpsvc.exe	U85C0HFJ.exe
File opened for modification	C:\Program Files (x86)\ARP Service\arpsvc.exe	U85C0HFJ.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

688 schtasks.exe
456 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

U85C0HFJ.exeU85C0HFJ.exe

pid process

1228 U85C0HFJ.exe
1228 U85C0HFJ.exe
1228 U85C0HFJ.exe
1228 U85C0HFJ.exe
1836 U85C0HFJ.exe
1836 U85C0HFJ.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

U85C0HFJ.exe

pid process

1836 U85C0HFJ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

U85C0HFJ.exeU85C0HFJ.exe

description pid process

Token: SeDebugPrivilege 1228 U85C0HFJ.exe
Token: SeDebugPrivilege 1836 U85C0HFJ.exe

pid	process
688	schtasks.exe
456	schtasks.exe

pid	process
1228	U85C0HFJ.exe
1228	U85C0HFJ.exe
1228	U85C0HFJ.exe
1228	U85C0HFJ.exe
1836	U85C0HFJ.exe
1836	U85C0HFJ.exe

pid	process
1836	U85C0HFJ.exe

description	pid	process
Token: SeDebugPrivilege	1228	U85C0HFJ.exe
Token: SeDebugPrivilege	1836	U85C0HFJ.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

U85C0HFJ.exeU85C0HFJ.exe

description	pid	process	target process
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1228 wrote to memory of 1836	1228	U85C0HFJ.exe	U85C0HFJ.exe
PID 1836 wrote to memory of 688	1836	U85C0HFJ.exe	schtasks.exe
PID 1836 wrote to memory of 688	1836	U85C0HFJ.exe	schtasks.exe
PID 1836 wrote to memory of 688	1836	U85C0HFJ.exe	schtasks.exe
PID 1836 wrote to memory of 688	1836	U85C0HFJ.exe	schtasks.exe
PID 1836 wrote to memory of 456	1836	U85C0HFJ.exe	schtasks.exe
PID 1836 wrote to memory of 456	1836	U85C0HFJ.exe	schtasks.exe
PID 1836 wrote to memory of 456	1836	U85C0HFJ.exe	schtasks.exe
PID 1836 wrote to memory of 456	1836	U85C0HFJ.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\U85C0HFJ.exe
"C:\Users\Admin\AppData\Local\Temp\U85C0HFJ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\U85C0HFJ.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAB5D.tmp"
3⤵
- Creates scheduled task(s)
PID:688

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB03E.tmp"
3⤵
- Creates scheduled task(s)
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB5D.tmp
Filesize
1KB

MD5
4ff4b10cf65700de5145553c9ef11281

SHA1
7ed8f6d10d21ff964957a40ab7b5f18f3b781937

SHA256
46475d14cd8b49da221eeeb35ce439706991237e29a01f6b7dde4e91560618bc

SHA512
d9e5e9b788fdaaa2a5ad860ab1cb537526367d52a2ba89936daa31da3118581fed75eef02a3b9f10b11623b25ac0136e2a6e4aa68458b126a21a8fa3495002ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB03E.tmp
Filesize
1KB

MD5
1badb6e2b29a1c4bfff3c179d53ab96b

SHA1
4b2ad3e5f3826d252d1c8bf1c8f0702f39129fa1

SHA256
6259ac4e6859a1b528d77ccea12b378f7dfa1eff359d9b8899414b4b1c484699

SHA512
36338e2a74fd85c5f2c84be009981a7260692c1bcb121a42018209031082da69bf65640702d53e28b54871f9d44e65fdbebaf4771c530699c3e93981b58129b4

Download Submit
memory/456-73-0x0000000000000000-mapping.dmp

Download
memory/688-71-0x0000000000000000-mapping.dmp

Download
memory/1228-55-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/1228-56-0x00000000010A0000-0x00000000010FE000-memory.dmp

Filesize
376KB

Download
memory/1228-57-0x0000000000900000-0x0000000000938000-memory.dmp

Filesize
224KB

Download
memory/1228-54-0x0000000001180000-0x0000000001258000-memory.dmp

Filesize
864KB

Download
memory/1836-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-65-0x000000000041E792-mapping.dmp

Download
memory/1836-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-70-0x00000000751C1000-0x00000000751C3000-memory.dmp

Filesize
8KB

Download
memory/1836-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-75-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1836-76-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/1836-77-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads