nanocore | 8aeb263a14ae386d1926b1885db7954af6e124fe1885cf9f3075ae7cd2025a16

General

Target

New Order PDF.exe
Size

824KB
MD5

2010151b23cf4e4fb41b586293a05f67
SHA1

5ded93668295d7c1ca31c6616410cc44a749dc81
SHA256

6ac9298fc6f29358afc13c6a0a28286352165f2d67c25a8622e464c171810f7c
SHA512

1aa8279daf5ab104707c286dcc6172b52af8a83df34a4533d786e78cb54372bec3b956240b2f024898f719b1d8ea813deedb817fc824051168ada9d62863f0a7

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

bbenson.ddns.net:3080

Mutex

eda53875-a284-4c1e-9e92-bae099ad007c

Attributes

activate_away_mode
true
backup_connection_host
bbenson.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-10T13:56:14.708459336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3080
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
eda53875-a284-4c1e-9e92-bae099ad007c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
bbenson.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Order PDF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	New Order PDF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

New Order PDF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe"	New Order PDF.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

New Order PDF.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA New Order PDF.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order PDF.exe

description pid process target process

PID 4776 set thread context of 5020 4776 New Order PDF.exe New Order PDF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	New Order PDF.exe

description	pid	process	target process
PID 4776 set thread context of 5020	4776	New Order PDF.exe	New Order PDF.exe

Drops file in Program Files directory 2 IoCs

Processes:

New Order PDF.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	New Order PDF.exe
File opened for modification	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	New Order PDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1728 schtasks.exe
4256 schtasks.exe
212 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

New Order PDF.exeNew Order PDF.exe

pid process

4776 New Order PDF.exe
5020 New Order PDF.exe
5020 New Order PDF.exe
5020 New Order PDF.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

New Order PDF.exe

pid process

5020 New Order PDF.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New Order PDF.exeNew Order PDF.exe

description pid process

Token: SeDebugPrivilege 4776 New Order PDF.exe
Token: SeDebugPrivilege 5020 New Order PDF.exe

pid	process
1728	schtasks.exe
4256	schtasks.exe
212	schtasks.exe

pid	process
4776	New Order PDF.exe
5020	New Order PDF.exe
5020	New Order PDF.exe
5020	New Order PDF.exe

pid	process
5020	New Order PDF.exe

description	pid	process
Token: SeDebugPrivilege	4776	New Order PDF.exe
Token: SeDebugPrivilege	5020	New Order PDF.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

New Order PDF.exeNew Order PDF.exe

description	pid	process	target process
PID 4776 wrote to memory of 1728	4776	New Order PDF.exe	schtasks.exe
PID 4776 wrote to memory of 1728	4776	New Order PDF.exe	schtasks.exe
PID 4776 wrote to memory of 1728	4776	New Order PDF.exe	schtasks.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 4776 wrote to memory of 5020	4776	New Order PDF.exe	New Order PDF.exe
PID 5020 wrote to memory of 4256	5020	New Order PDF.exe	schtasks.exe
PID 5020 wrote to memory of 4256	5020	New Order PDF.exe	schtasks.exe
PID 5020 wrote to memory of 4256	5020	New Order PDF.exe	schtasks.exe
PID 5020 wrote to memory of 212	5020	New Order PDF.exe	schtasks.exe
PID 5020 wrote to memory of 212	5020	New Order PDF.exe	schtasks.exe
PID 5020 wrote to memory of 212	5020	New Order PDF.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe
"C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jRolbSAyfuRH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB2A6.tmp"
2⤵
- Creates scheduled task(s)
PID:1728

C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe
"C:\Users\Admin\AppData\Local\Temp\New Order PDF.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBB9F.tmp"
3⤵
- Creates scheduled task(s)
PID:4256

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBD46.tmp"
3⤵
- Creates scheduled task(s)
PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB2A6.tmp

Filesize
1KB

MD5
a7622de96a0536149685897a9429d029

SHA1
214efed60f47192da78320cb42d044eb607ad334

SHA256
1867a37332a668da43adf8cbb4fd630cd6f819ebbb84e30c430ccf7a6186422d

SHA512
1d8cd3173656e4a0cfae29c6bd1e0c2446d6f7c2861c04b172f6fd7e586cd1271f111db3fb6e79da2e0dfdefd6a74aa7c215733ce294b724025fce2a4f480254

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB9F.tmp

Filesize
1KB

MD5
87014e2cb57aaeadfd636576411d8c4a

SHA1
6a2889017090dbf4a68fcacd635cec532e2a604c

SHA256
eb66cdfb963f5a579b58d652cfb6163a9b4f3683a7206af45f110579fca85e56

SHA512
6d5a4a2f100965c597be01c9a1a8f7c92a85481cbb3f6a5374a2f1dd7ab7cd3753fd1d12247c88498dfb6d432d59d8757b696102b13a6bb06e55eae48ddfbe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD46.tmp

Filesize
1KB

MD5
bd110f9fc6c1a842f1d9b269010b0611

SHA1
ef71c062902602faef9b66dcd1cfc9fe5baaf389

SHA256
8135c4e4eeaa741f752c0ab8f4ee33e3bb8a0cac5923812234f2e5177d50eb5b

SHA512
b8a7943a3126880b26407800bbdad5402c5b0e2aa106e7dbbb35d0cb145ca9de114401573a6aa66042a2e13674cfbcc2981d66b813f9b923fff5302210afba1f

Download Submit
memory/212-143-0x0000000000000000-mapping.dmp

Download
memory/1728-137-0x0000000000000000-mapping.dmp

Download
memory/4256-141-0x0000000000000000-mapping.dmp

Download
memory/4776-136-0x0000000004F00000-0x0000000004F66000-memory.dmp

Filesize
408KB

Download
memory/4776-130-0x0000000000070000-0x0000000000144000-memory.dmp

Filesize
848KB

Download
memory/4776-135-0x0000000004CD0000-0x0000000004D26000-memory.dmp

Filesize
344KB

Download
memory/4776-134-0x0000000002680000-0x000000000268A000-memory.dmp

Filesize
40KB

Download
memory/4776-133-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/4776-132-0x0000000005280000-0x0000000005824000-memory.dmp

Filesize
5.6MB

Download
memory/4776-131-0x0000000004AE0000-0x0000000004B7C000-memory.dmp

Filesize
624KB

Download
memory/5020-139-0x0000000000000000-mapping.dmp

Download
memory/5020-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads