nanocore | a88da432201bddf63c6468d7ab3cd2a69f29e222c6c7543fd8c4a0b6ae75f66a

General

Target

Incentive Doc.exe
Size

391KB
MD5

6b48de13978e73af6eafabeeefebab51
SHA1

e7118497e55b204f7b1d4b5500a5ae332507d109
SHA256

2a9cf930b5e11dee35842ff73179a0467f820a95e23560d774f7ea05111de351
SHA512

40a76b85aa60446c1cf4beb31960bdf9269ef895500773f639afacf6a7ed909a564f9ea585d6e47fcab4ba64eac4894056913039ef2970260e2d4b67d9fe4f49

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

masterwork.ydns.eu:2310

127.0.0.1:2310

Mutex

7dacfffd-e900-45d5-a878-74cb2c59d5c1

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-24T15:02:46.236911836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2310
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
true
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7dacfffd-e900-45d5-a878-74cb2c59d5c1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
masterwork.ydns.eu
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Incentive Doc.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Incentive Doc.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Incentive Doc.exe

description pid process target process

PID 336 set thread context of 1956 336 Incentive Doc.exe Incentive Doc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1308 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Incentive Doc.exeIncentive Doc.exe

pid process

336 Incentive Doc.exe
336 Incentive Doc.exe
336 Incentive Doc.exe
1956 Incentive Doc.exe
1956 Incentive Doc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Incentive Doc.exe

pid process

1956 Incentive Doc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Incentive Doc.exeIncentive Doc.exe

description pid process

Token: SeDebugPrivilege 336 Incentive Doc.exe
Token: SeDebugPrivilege 1956 Incentive Doc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Incentive Doc.exe

description	pid	process	target process
PID 336 set thread context of 1956	336	Incentive Doc.exe	Incentive Doc.exe

pid	process
1308	schtasks.exe

pid	process
336	Incentive Doc.exe
336	Incentive Doc.exe
336	Incentive Doc.exe
1956	Incentive Doc.exe
1956	Incentive Doc.exe

pid	process
1956	Incentive Doc.exe

description	pid	process
Token: SeDebugPrivilege	336	Incentive Doc.exe
Token: SeDebugPrivilege	1956	Incentive Doc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Incentive Doc.exe

description	pid	process	target process
PID 336 wrote to memory of 1308	336	Incentive Doc.exe	schtasks.exe
PID 336 wrote to memory of 1308	336	Incentive Doc.exe	schtasks.exe
PID 336 wrote to memory of 1308	336	Incentive Doc.exe	schtasks.exe
PID 336 wrote to memory of 1308	336	Incentive Doc.exe	schtasks.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe
PID 336 wrote to memory of 1956	336	Incentive Doc.exe	Incentive Doc.exe

C:\Users\Admin\AppData\Local\Temp\Incentive Doc.exe
"C:\Users\Admin\AppData\Local\Temp\Incentive Doc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QQTkQqFCJswyiG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp207D.tmp"
2⤵
- Creates scheduled task(s)
PID:1308

C:\Users\Admin\AppData\Local\Temp\Incentive Doc.exe
"{path}"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp207D.tmp
Filesize
1KB

MD5
8094481d003d6ade61756549a9f84f87

SHA1
b7366c82e0419edf363e044e9a4ecaa19d88e86e

SHA256
f3c294f46f914ba865db12435013f66907ab03a968755b5daa382ab74674899b

SHA512
b1f84af3c47200bd95e20bd1f9b03ba14a4abe06d49ceb04be404ad7863d5fa53ca43d2df568a0a96085358de612984f84a0d23ae089d5529cde1c486e70ede7

Download Submit
memory/336-54-0x0000000001330000-0x0000000001398000-memory.dmp

Filesize
416KB

Download
memory/336-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/336-56-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/336-57-0x0000000000B60000-0x0000000000BBE000-memory.dmp

Filesize
376KB

Download
memory/336-58-0x0000000001250000-0x0000000001288000-memory.dmp

Filesize
224KB

Download
memory/1308-59-0x0000000000000000-mapping.dmp

Download
memory/1956-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-68-0x000000000041E792-mapping.dmp

Download
memory/1956-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1956-74-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/1956-75-0x0000000000450000-0x000000000046E000-memory.dmp

Filesize
120KB

Download
memory/1956-76-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads