nanocore | 9d1471eae7d829825ef9d7001594e0630298a8aa3b794711b6d327092c73f1c7

General

Target

Deposit Scan8375647765.exe
Size

405KB
MD5

79aaf1a43c69a0276d646a4d3048c3be
SHA1

58ea495df57f673b02f5874fb63660f3df6a3c6b
SHA256

b274d35702981583cc16bca01745c74446bae278d8b41cdd1c4276690fef088a
SHA512

422c95514022394d17e3f07d112f821713b4b983bf5a79b598944ff0a2302849468ea2091138bbf606d3075b41df6aec1b3d5e285c448c30e26a7973df8e781e

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chk.malatifs.com:5687

Mutex

f4252f4b-a328-4bca-abf7-2774a56c561f

Attributes

activate_away_mode
true
backup_connection_host
chk.malatifs.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-11T19:12:43.381707036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5687
default_group
toyu
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f4252f4b-a328-4bca-abf7-2774a56c561f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chk.malatifs.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

Deposit Scan8375647765.exe

pid process

984 Deposit Scan8375647765.exe

pid	process
984	Deposit Scan8375647765.exe

Drops startup file 2 IoCs

Processes:

Deposit Scan8375647765.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsyjer.exe	Deposit Scan8375647765.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsyjer.exe	Deposit Scan8375647765.exe

Loads dropped DLL 1 IoCs

Processes:

Deposit Scan8375647765.exe

pid process

1668 Deposit Scan8375647765.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Deposit Scan8375647765.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Deposit Scan8375647765.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Deposit Scan8375647765.exe

description pid process target process

PID 1668 set thread context of 984 1668 Deposit Scan8375647765.exe Deposit Scan8375647765.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1704 schtasks.exe

description	pid	process	target process
PID 1668 set thread context of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe

pid	process
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Deposit Scan8375647765.exeDeposit Scan8375647765.exe

pid	process
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
1668	Deposit Scan8375647765.exe
984	Deposit Scan8375647765.exe
984	Deposit Scan8375647765.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Deposit Scan8375647765.exe

pid process

984 Deposit Scan8375647765.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Deposit Scan8375647765.exeDeposit Scan8375647765.exe

description pid process

Token: SeDebugPrivilege 1668 Deposit Scan8375647765.exe
Token: SeDebugPrivilege 984 Deposit Scan8375647765.exe

pid	process
984	Deposit Scan8375647765.exe

description	pid	process
Token: SeDebugPrivilege	1668	Deposit Scan8375647765.exe
Token: SeDebugPrivilege	984	Deposit Scan8375647765.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Deposit Scan8375647765.exeDeposit Scan8375647765.exe

description	pid	process	target process
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 1668 wrote to memory of 984	1668	Deposit Scan8375647765.exe	Deposit Scan8375647765.exe
PID 984 wrote to memory of 1704	984	Deposit Scan8375647765.exe	schtasks.exe
PID 984 wrote to memory of 1704	984	Deposit Scan8375647765.exe	schtasks.exe
PID 984 wrote to memory of 1704	984	Deposit Scan8375647765.exe	schtasks.exe
PID 984 wrote to memory of 1704	984	Deposit Scan8375647765.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Deposit Scan8375647765.exe
"C:\Users\Admin\AppData\Local\Temp\Deposit Scan8375647765.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\Deposit Scan8375647765.exe
"C:\Users\Admin\AppData\Local\Temp\Deposit Scan8375647765.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp99E0.tmp"
3⤵
- Creates scheduled task(s)
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Deposit Scan8375647765.exe

Filesize
405KB

MD5
79aaf1a43c69a0276d646a4d3048c3be

SHA1
58ea495df57f673b02f5874fb63660f3df6a3c6b

SHA256
b274d35702981583cc16bca01745c74446bae278d8b41cdd1c4276690fef088a

SHA512
422c95514022394d17e3f07d112f821713b4b983bf5a79b598944ff0a2302849468ea2091138bbf606d3075b41df6aec1b3d5e285c448c30e26a7973df8e781e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99E0.tmp

Filesize
1KB

MD5
4ca023f14d9a37b0f848a3ddce515193

SHA1
8d04776b7dfb9b512859b3f827d185b6d0670a00

SHA256
88563900c0afe498f968105a2feb7deb1c84648bca6c3fcc7367a1af7305654f

SHA512
7533f5722a8cf71cda8d8297d92d4f22b3ccb6f3c9057a3a2a8932095c2450e9fe5b7c76059bd9b9ad5361d5eb59574ab4b021af95b8a98e7e166168885c6470

Download Submit
\Users\Admin\AppData\Local\Temp\Deposit Scan8375647765.exe

Filesize
405KB

MD5
79aaf1a43c69a0276d646a4d3048c3be

SHA1
58ea495df57f673b02f5874fb63660f3df6a3c6b

SHA256
b274d35702981583cc16bca01745c74446bae278d8b41cdd1c4276690fef088a

SHA512
422c95514022394d17e3f07d112f821713b4b983bf5a79b598944ff0a2302849468ea2091138bbf606d3075b41df6aec1b3d5e285c448c30e26a7973df8e781e

Download Submit
memory/984-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/984-68-0x000000000041E792-mapping.dmp

Download
memory/984-79-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/984-78-0x0000000000580000-0x000000000059E000-memory.dmp

Filesize
120KB

Download
memory/984-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/984-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/984-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/984-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/984-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/984-77-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/984-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-56-0x00000000048B0000-0x00000000048FA000-memory.dmp

Filesize
296KB

Download
memory/1668-54-0x0000000000850000-0x00000000008BC000-memory.dmp

Filesize
432KB

Download
memory/1668-55-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/1668-58-0x00000000007F0000-0x0000000000806000-memory.dmp

Filesize
88KB

Download
memory/1668-57-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1668-59-0x00000000008C0000-0x00000000008D4000-memory.dmp

Filesize
80KB

Download
memory/1704-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads