nanocore | a9f42fd5349d78db6bdd822c74d7d767f8d9ea7d9ccbed9cce2bd5c8a05fce59

General

Target

RxAiLsC8IM0TZpd.exe
Size

443KB
MD5

91fffd2debf555464c6ab22b1a439a64
SHA1

86bd10469e908471a8707ea488e7b0cb0ca17385
SHA256

5d9ebdf2cc71a3daaf79800947f04e0c54d10d0bfb2a5b2884d62408615c6027
SHA512

88ce4ee88fbf5281d2074f7ad14209f6f7e4eb3a05ac558b72fd1b0f0d0ae1f23d52206aa47a8d5518d3ba367e6da7a45900ce9313c996c991c5366e17f1fe33

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

u870797.nvpn.to:3119

Mutex

f813c4e2-fc76-409a-b46f-571ed35f6a5f

Attributes

activate_away_mode
true
backup_connection_host
u870797.nvpn.to
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-29T11:52:57.396056536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3119
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f813c4e2-fc76-409a-b46f-571ed35f6a5f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
u870797.nvpn.to
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RxAiLsC8IM0TZpd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	RxAiLsC8IM0TZpd.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RxAiLsC8IM0TZpd.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RxAiLsC8IM0TZpd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RxAiLsC8IM0TZpd.exe

description pid process target process

PID 2672 set thread context of 4168 2672 RxAiLsC8IM0TZpd.exe RxAiLsC8IM0TZpd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3976 schtasks.exe
4680 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RxAiLsC8IM0TZpd.exe

pid process

4168 RxAiLsC8IM0TZpd.exe
4168 RxAiLsC8IM0TZpd.exe
4168 RxAiLsC8IM0TZpd.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RxAiLsC8IM0TZpd.exe

pid process

4168 RxAiLsC8IM0TZpd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RxAiLsC8IM0TZpd.exe

description pid process

Token: SeDebugPrivilege 4168 RxAiLsC8IM0TZpd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RxAiLsC8IM0TZpd.exe

description	pid	process	target process
PID 2672 set thread context of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe

pid	process
3976	schtasks.exe
4680	schtasks.exe

pid	process
4168	RxAiLsC8IM0TZpd.exe
4168	RxAiLsC8IM0TZpd.exe
4168	RxAiLsC8IM0TZpd.exe

pid	process
4168	RxAiLsC8IM0TZpd.exe

description	pid	process
Token: SeDebugPrivilege	4168	RxAiLsC8IM0TZpd.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

RxAiLsC8IM0TZpd.exeRxAiLsC8IM0TZpd.exe

description	pid	process	target process
PID 2672 wrote to memory of 3976	2672	RxAiLsC8IM0TZpd.exe	schtasks.exe
PID 2672 wrote to memory of 3976	2672	RxAiLsC8IM0TZpd.exe	schtasks.exe
PID 2672 wrote to memory of 3976	2672	RxAiLsC8IM0TZpd.exe	schtasks.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 2672 wrote to memory of 4168	2672	RxAiLsC8IM0TZpd.exe	RxAiLsC8IM0TZpd.exe
PID 4168 wrote to memory of 4680	4168	RxAiLsC8IM0TZpd.exe	schtasks.exe
PID 4168 wrote to memory of 4680	4168	RxAiLsC8IM0TZpd.exe	schtasks.exe
PID 4168 wrote to memory of 4680	4168	RxAiLsC8IM0TZpd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\RxAiLsC8IM0TZpd.exe
"C:\Users\Admin\AppData\Local\Temp\RxAiLsC8IM0TZpd.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pnOnsQElhkAyZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64E4.tmp"
2⤵
- Creates scheduled task(s)
PID:3976

C:\Users\Admin\AppData\Local\Temp\RxAiLsC8IM0TZpd.exe
"{path}"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp"
3⤵
- Creates scheduled task(s)
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RxAiLsC8IM0TZpd.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64E4.tmp
Filesize
1KB

MD5
83b183259007f6c9c6de92bd2810f687

SHA1
71ca94fc62aacf87117cafed5f0a309639f9e8eb

SHA256
f2ad6deed6fed222b0ed0653cb12de26e7e711f5ed34cf4474e1466c1a9ae477

SHA512
bdf283cbb2ac436192094056ad76067e27498223ae8e8bb5c71e3f36fa63d343bf5df0c4cd5aa94c9ca7b7fb097326e5201a23ff332c731951a33320aebb684c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp755F.tmp
Filesize
1KB

MD5
02e5054b4a2078b944da99494c6f44e7

SHA1
352b828db80967ba438b904f388ac1ea486aeb1c

SHA256
a01d2ce2a8c09589d52cfbd82a903e6d056cfbb2a0e0dde4dd26f7fdcbd117ef

SHA512
bcb12336d2ac83cca7bbc77013151f3e76421fa394f22f4a2338734e006012c2002de5494f3581d49e127174e05f66599bf62b18f889e8006f27d6ccff8f737a

Download Submit
memory/2672-130-0x0000000000350000-0x00000000003C4000-memory.dmp

Filesize
464KB

Download
memory/2672-131-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download
memory/2672-132-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/2672-133-0x0000000004F10000-0x0000000004F1A000-memory.dmp

Filesize
40KB

Download
memory/2672-134-0x0000000008A30000-0x0000000008ACC000-memory.dmp

Filesize
624KB

Download
memory/3976-135-0x0000000000000000-mapping.dmp

Download
memory/4168-137-0x0000000000000000-mapping.dmp

Download
memory/4168-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4680-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads