nanocore | e570625ec08dbce7baa985a2f55b089be87c610da66ae0c380fa0009be720a80

General

Target

file.exe
Size

478KB
MD5

17474288d46bec313d81e0c0a418ebce
SHA1

98eec9e6b8ad986077e96071112db24ee0ce118a
SHA256

f036e2aa7615446d2cb3ab689b13aac4055bf2cb8b19b0999db08d7052a80bf1
SHA512

ca1f2d3a3b07802811b59c8b1a848c9910feafdf7c16b460e6972e243460d17d9669d277f97f79ecad3ba0f38917422ee6b63b1e064a20c0f9cea595799ff22e

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

megida123.ddns.net:9900

Mutex

64aa071e-5b44-426b-ad7e-e6d42b713d32

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-03-01T17:02:01.784418836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9900
default_group
00000
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
64aa071e-5b44-426b-ad7e-e6d42b713d32
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
megida123.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation file.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe"	MSBuild.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	file.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 3692 set thread context of 4848 3692 file.exe MSBuild.exe

description	pid	process	target process
PID 3692 set thread context of 4848	3692	file.exe	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

MSBuild.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	MSBuild.exe
File created	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3220 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.exeMSBuild.exe

pid process

3692 file.exe
4848 MSBuild.exe
4848 MSBuild.exe
4848 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

4848 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

file.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 3692 file.exe
Token: SeDebugPrivilege 4848 MSBuild.exe

pid	process
3220	schtasks.exe

pid	process
3692	file.exe
4848	MSBuild.exe
4848	MSBuild.exe
4848	MSBuild.exe

pid	process
4848	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3692	file.exe
Token: SeDebugPrivilege	4848	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

file.exe

description	pid	process	target process
PID 3692 wrote to memory of 3220	3692	file.exe	schtasks.exe
PID 3692 wrote to memory of 3220	3692	file.exe	schtasks.exe
PID 3692 wrote to memory of 3220	3692	file.exe	schtasks.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe
PID 3692 wrote to memory of 4848	3692	file.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GHjTzl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70E5.tmp"
2⤵
- Creates scheduled task(s)
PID:3220

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

5

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70E5.tmp
Filesize
1KB

MD5
4b8f05c5e7240953865516deed507c89

SHA1
d27eb1926385c870b8db7d6f188cecafe95139b2

SHA256
ecfb2807def1c72780dcc446b07a1fd9e344728f62e016c807741f511aad9b6d

SHA512
cf54ab5fdbcb069d968acd1d982073ca4c07a4a4e2a7816aa5f5272d0c718e98d016b7d2e53bc82c33a96f691e11b7926cfb8f81254cf8a8f6e93384b8e7dbb2

Download Submit
memory/3220-131-0x0000000000000000-mapping.dmp

Download
memory/3692-130-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download
memory/4848-133-0x0000000000000000-mapping.dmp

Download
memory/4848-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4848-135-0x00000000748D0000-0x0000000074E81000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads