nanocore | 1dad2a1611e2a00c1515fccad642d3a2d144b2ec98a9ec5990bba15069d2aaf0

General

Target

INV 25527777 REVIEW 779.exe
Size

533KB
MD5

d19fe1e1749edf58558c1e2a5e857853
SHA1

70da6330ffde9c61b12a8299a4c2a5099126c59e
SHA256

9ca497f6231180ec374837cf77e099a25e8c5cffa16c6599739c92ee03a94d34
SHA512

0d5d2bc03a186f0421d401e6fdc74a1e546ba5164233da80e431772bba541438249cea0d14539a8f357c0d093f748c822fb1f2216dd34d4d4e7d366c1b1c744b

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

looipoko.loseyourip.com:5088

titiaty.duckdns.org:5088

Mutex

62d96b8a-7e31-4a94-94dd-9033707313e4

Attributes

activate_away_mode
true
backup_connection_host
titiaty.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-14T21:42:17.597528436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5088
default_group
ssales
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
62d96b8a-7e31-4a94-94dd-9033707313e4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
looipoko.loseyourip.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

INV 25527777 REVIEW 779.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INV 25527777 REVIEW 779.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

INV 25527777 REVIEW 779.exe

description pid process target process

PID 1836 set thread context of 1668 1836 INV 25527777 REVIEW 779.exe INV 25527777 REVIEW 779.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

INV 25527777 REVIEW 779.exeINV 25527777 REVIEW 779.exe

pid process

1836 INV 25527777 REVIEW 779.exe
1668 INV 25527777 REVIEW 779.exe
1668 INV 25527777 REVIEW 779.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

INV 25527777 REVIEW 779.exe

pid process

1668 INV 25527777 REVIEW 779.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INV 25527777 REVIEW 779.exeINV 25527777 REVIEW 779.exe

description pid process

Token: SeDebugPrivilege 1836 INV 25527777 REVIEW 779.exe
Token: SeDebugPrivilege 1668 INV 25527777 REVIEW 779.exe

description	pid	process	target process
PID 1836 set thread context of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe

pid	process
1016	schtasks.exe

pid	process
1836	INV 25527777 REVIEW 779.exe
1668	INV 25527777 REVIEW 779.exe
1668	INV 25527777 REVIEW 779.exe

pid	process
1668	INV 25527777 REVIEW 779.exe

description	pid	process
Token: SeDebugPrivilege	1836	INV 25527777 REVIEW 779.exe
Token: SeDebugPrivilege	1668	INV 25527777 REVIEW 779.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

INV 25527777 REVIEW 779.exe

description	pid	process	target process
PID 1836 wrote to memory of 1016	1836	INV 25527777 REVIEW 779.exe	schtasks.exe
PID 1836 wrote to memory of 1016	1836	INV 25527777 REVIEW 779.exe	schtasks.exe
PID 1836 wrote to memory of 1016	1836	INV 25527777 REVIEW 779.exe	schtasks.exe
PID 1836 wrote to memory of 1016	1836	INV 25527777 REVIEW 779.exe	schtasks.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe
PID 1836 wrote to memory of 1668	1836	INV 25527777 REVIEW 779.exe	INV 25527777 REVIEW 779.exe

C:\Users\Admin\AppData\Local\Temp\INV 25527777 REVIEW 779.exe
"C:\Users\Admin\AppData\Local\Temp\INV 25527777 REVIEW 779.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD4E.tmp"
2⤵
- Creates scheduled task(s)
PID:1016

C:\Users\Admin\AppData\Local\Temp\INV 25527777 REVIEW 779.exe
"C:\Users\Admin\AppData\Local\Temp\INV 25527777 REVIEW 779.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCD4E.tmp
Filesize
1KB

MD5
c5e5a486021e6137551a468cae265a0f

SHA1
3f6695a9cb933ec75a064cd18dbb6fb5e8e9ac75

SHA256
bfce6d0113e09a260e399ae12b7620c7ac495ca8fedf8093a50b9e55b687bf02

SHA512
5947c65bbf87b30f7213aae37c024c8645c4499531846a4fd8318e854a357a1dca928080b481626c2c1606b9e8ebdafd88dd1830e09a11fc5aeb8bc057b028cf

Download Submit
memory/1016-59-0x0000000000000000-mapping.dmp

Download
memory/1668-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-76-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/1668-75-0x0000000000720000-0x000000000073E000-memory.dmp

Filesize
120KB

Download
memory/1668-74-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1668-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1668-68-0x000000000041E792-mapping.dmp

Download
memory/1668-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1836-55-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1836-54-0x0000000001390000-0x000000000141C000-memory.dmp

Filesize
560KB

Download
memory/1836-57-0x0000000004960000-0x00000000049B2000-memory.dmp

Filesize
328KB

Download
memory/1836-56-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1836-58-0x0000000004FB0000-0x0000000004FEA000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads