nanocore | 8aeb263a14ae386d1926b1885db7954af6e124fe1885cf9f3075ae7cd2025a16

General

Target

New Order PDF.exe
Size

824KB
MD5

2010151b23cf4e4fb41b586293a05f67
SHA1

5ded93668295d7c1ca31c6616410cc44a749dc81
SHA256

6ac9298fc6f29358afc13c6a0a28286352165f2d67c25a8622e464c171810f7c
SHA512

1aa8279daf5ab104707c286dcc6172b52af8a83df34a4533d786e78cb54372bec3b956240b2f024898f719b1d8ea813deedb817fc824051168ada9d62863f0a7

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

bbenson.ddns.net:3080

Mutex

eda53875-a284-4c1e-9e92-bae099ad007c

Attributes

activate_away_mode
true
backup_connection_host
bbenson.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-10T13:56:14.708459336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3080
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
eda53875-a284-4c1e-9e92-bae099ad007c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
bbenson.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

New Order PDF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"	New Order PDF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

New Order PDF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA New Order PDF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order PDF.exe

description pid process target process

PID 1364 set thread context of 520 1364 New Order PDF.exe New Order PDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	New Order PDF.exe

description	pid	process	target process
PID 1364 set thread context of 520	1364	New Order PDF.exe	New Order PDF.exe

Drops file in Program Files directory 2 IoCs

Processes:

New Order PDF.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Service\arpsvc.exe	New Order PDF.exe
File opened for modification	C:\Program Files (x86)\ARP Service\arpsvc.exe	New Order PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

952 schtasks.exe
1092 schtasks.exe
1504 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

New Order PDF.exeNew Order PDF.exe

pid process

1364 New Order PDF.exe
520 New Order PDF.exe
520 New Order PDF.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

New Order PDF.exe

pid process

520 New Order PDF.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New Order PDF.exeNew Order PDF.exe

description pid process

Token: SeDebugPrivilege 1364 New Order PDF.exe
Token: SeDebugPrivilege 520 New Order PDF.exe

pid	process
952	schtasks.exe
1092	schtasks.exe
1504	schtasks.exe

pid	process
1364	New Order PDF.exe
520	New Order PDF.exe
520	New Order PDF.exe

pid	process
520	New Order PDF.exe

description	pid	process
Token: SeDebugPrivilege	1364	New Order PDF.exe
Token: SeDebugPrivilege	520	New Order PDF.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

New Order PDF.exeNew Order PDF.exe

description	pid	process	target process
PID 1364 wrote to memory of 952	1364	New Order PDF.exe	schtasks.exe
PID 1364 wrote to memory of 952	1364	New Order PDF.exe	schtasks.exe
PID 1364 wrote to memory of 952	1364	New Order PDF.exe	schtasks.exe
PID 1364 wrote to memory of 952	1364	New Order PDF.exe	schtasks.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 1364 wrote to memory of 520	1364	New Order PDF.exe	New Order PDF.exe
PID 520 wrote to memory of 1092	520	New Order PDF.exe	schtasks.exe
PID 520 wrote to memory of 1092	520	New Order PDF.exe	schtasks.exe
PID 520 wrote to memory of 1092	520	New Order PDF.exe	schtasks.exe
PID 520 wrote to memory of 1092	520	New Order PDF.exe	schtasks.exe
PID 520 wrote to memory of 1504	520	New Order PDF.exe	schtasks.exe
PID 520 wrote to memory of 1504	520	New Order PDF.exe	schtasks.exe
PID 520 wrote to memory of 1504	520	New Order PDF.exe	schtasks.exe
PID 520 wrote to memory of 1504	520	New Order PDF.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe
"C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jRolbSAyfuRH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp651A.tmp"
2⤵
- Creates scheduled task(s)
PID:952

C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe
"C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9ACA.tmp"
3⤵
- Creates scheduled task(s)
PID:1092

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C51.tmp"
3⤵
- Creates scheduled task(s)
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp651A.tmp
Filesize
1KB

MD5
61e5d4548961954ccf0ad44b80b53f1c

SHA1
62a33e1cda8e250f958fd33313404719f1aa8e4a

SHA256
c24fd004118a4caa3f9ebd8d19da54412deac21052570e6e57ec826ec863933f

SHA512
ede47646e66bc2a3c9adf6e87166037b1dade868401541606cff2d24b45a9133afc59fbf2170c49c94323ab9a6eddd2a7d4f85bfdb562ee2d18fee84e703ccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9ACA.tmp
Filesize
1KB

MD5
87014e2cb57aaeadfd636576411d8c4a

SHA1
6a2889017090dbf4a68fcacd635cec532e2a604c

SHA256
eb66cdfb963f5a579b58d652cfb6163a9b4f3683a7206af45f110579fca85e56

SHA512
6d5a4a2f100965c597be01c9a1a8f7c92a85481cbb3f6a5374a2f1dd7ab7cd3753fd1d12247c88498dfb6d432d59d8757b696102b13a6bb06e55eae48ddfbe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C51.tmp
Filesize
1KB

MD5
1badb6e2b29a1c4bfff3c179d53ab96b

SHA1
4b2ad3e5f3826d252d1c8bf1c8f0702f39129fa1

SHA256
6259ac4e6859a1b528d77ccea12b378f7dfa1eff359d9b8899414b4b1c484699

SHA512
36338e2a74fd85c5f2c84be009981a7260692c1bcb121a42018209031082da69bf65640702d53e28b54871f9d44e65fdbebaf4771c530699c3e93981b58129b4

Download Submit
memory/520-78-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/520-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/520-79-0x00000000005D0000-0x00000000005EE000-memory.dmp

Filesize
120KB

Download
memory/520-80-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/520-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/520-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/520-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/520-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/520-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/520-68-0x000000000041E792-mapping.dmp

Download
memory/520-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/952-59-0x0000000000000000-mapping.dmp

Download
memory/1092-74-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x0000000000320000-0x00000000003F4000-memory.dmp

Filesize
848KB

Download
memory/1364-58-0x0000000001E80000-0x0000000001EBA000-memory.dmp

Filesize
232KB

Download
memory/1364-57-0x0000000004E80000-0x0000000004ED4000-memory.dmp

Filesize
336KB

Download
memory/1364-56-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/1364-55-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1504-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads