nanocore | 477e309fab0a09cc96a1d3ea130cffe0d021d78cecfa9c7501d4c06cba93b040

General

Target

U85C0HFJ.exe
Size

842KB
MD5

1e6c98943038ee098cb0203a0d8231ef
SHA1

2dc93e968f7560f709c8a3c115e305194c8fe87d
SHA256

23143dfb44c72eeec3b05a6d3dde2c4245adcb7db200c00f7700257830b4bcc4
SHA512

6ab77d1062467897b892619d6a09360dfb8dc676abf813817c935b41f7119fa8cfc6912a1d4a576556f37c2875df3f68fc421de162e99ea9d586e36c8016d436

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.165.153.236:9083

godrich.duckdns.org:9083

Mutex

8048bd48-ccbd-4e17-b105-f23d73fd0f3e

Attributes

activate_away_mode
false
backup_connection_host
godrich.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-16T12:17:36.575332436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
9083
default_group
reciept
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
8048bd48-ccbd-4e17-b105-f23d73fd0f3e
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.165.153.236
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
4985
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

U85C0HFJ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe"	U85C0HFJ.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

U85C0HFJ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA U85C0HFJ.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

U85C0HFJ.exe

description pid process target process

PID 1352 set thread context of 2628 1352 U85C0HFJ.exe U85C0HFJ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	U85C0HFJ.exe

description	pid	process	target process
PID 1352 set thread context of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe

Drops file in Program Files directory 2 IoCs

Processes:

U85C0HFJ.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	U85C0HFJ.exe
File opened for modification	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	U85C0HFJ.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2632 schtasks.exe
2232 schtasks.exe

pid	process
2632	schtasks.exe
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

U85C0HFJ.exeU85C0HFJ.exe

pid	process
1352	U85C0HFJ.exe
1352	U85C0HFJ.exe
1352	U85C0HFJ.exe
1352	U85C0HFJ.exe
1352	U85C0HFJ.exe
1352	U85C0HFJ.exe
2628	U85C0HFJ.exe
2628	U85C0HFJ.exe
2628	U85C0HFJ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

U85C0HFJ.exe

pid process

2628 U85C0HFJ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

U85C0HFJ.exeU85C0HFJ.exe

description pid process

Token: SeDebugPrivilege 1352 U85C0HFJ.exe
Token: SeDebugPrivilege 2628 U85C0HFJ.exe

pid	process
2628	U85C0HFJ.exe

description	pid	process
Token: SeDebugPrivilege	1352	U85C0HFJ.exe
Token: SeDebugPrivilege	2628	U85C0HFJ.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

U85C0HFJ.exeU85C0HFJ.exe

description	pid	process	target process
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 1352 wrote to memory of 2628	1352	U85C0HFJ.exe	U85C0HFJ.exe
PID 2628 wrote to memory of 2632	2628	U85C0HFJ.exe	schtasks.exe
PID 2628 wrote to memory of 2632	2628	U85C0HFJ.exe	schtasks.exe
PID 2628 wrote to memory of 2632	2628	U85C0HFJ.exe	schtasks.exe
PID 2628 wrote to memory of 2232	2628	U85C0HFJ.exe	schtasks.exe
PID 2628 wrote to memory of 2232	2628	U85C0HFJ.exe	schtasks.exe
PID 2628 wrote to memory of 2232	2628	U85C0HFJ.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\U85C0HFJ.exe
"C:\Users\Admin\AppData\Local\Temp\U85C0HFJ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\U85C0HFJ.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp222E.tmp"
3⤵
- Creates scheduled task(s)
PID:2632

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp27AD.tmp"
3⤵
- Creates scheduled task(s)
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U85C0HFJ.exe.log
Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp222E.tmp
Filesize
1KB

MD5
4ff4b10cf65700de5145553c9ef11281

SHA1
7ed8f6d10d21ff964957a40ab7b5f18f3b781937

SHA256
46475d14cd8b49da221eeeb35ce439706991237e29a01f6b7dde4e91560618bc

SHA512
d9e5e9b788fdaaa2a5ad860ab1cb537526367d52a2ba89936daa31da3118581fed75eef02a3b9f10b11623b25ac0136e2a6e4aa68458b126a21a8fa3495002ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27AD.tmp
Filesize
1KB

MD5
bd110f9fc6c1a842f1d9b269010b0611

SHA1
ef71c062902602faef9b66dcd1cfc9fe5baaf389

SHA256
8135c4e4eeaa741f752c0ab8f4ee33e3bb8a0cac5923812234f2e5177d50eb5b

SHA512
b8a7943a3126880b26407800bbdad5402c5b0e2aa106e7dbbb35d0cb145ca9de114401573a6aa66042a2e13674cfbcc2981d66b813f9b923fff5302210afba1f

Download Submit
memory/1352-130-0x0000000000FB0000-0x0000000001088000-memory.dmp

Filesize
864KB

Download
memory/1352-131-0x0000000006070000-0x0000000006614000-memory.dmp

Filesize
5.6MB

Download
memory/1352-132-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/1352-133-0x0000000005E20000-0x0000000005EBC000-memory.dmp

Filesize
624KB

Download
memory/2232-140-0x0000000000000000-mapping.dmp

Download
memory/2628-134-0x0000000000000000-mapping.dmp

Download
memory/2628-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-137-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/2632-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads