nanocore | df438c4bbf20acdf17c9a267e7c26173a8d9155a477b752e7fd29e364d7e7c2f

General

Target

New-Inquiry 01052020.scr
Size

564KB
MD5

cdffac03c7fa1a3cfb6865955a631890
SHA1

c997e313898deac7078b3e43439e4cb5aaf7779a
SHA256

51ece6274349758948b6af8836b151e12d2ae97b0e7806bc016dee0af026412b
SHA512

d94f0e7a24eb4b14375b63c678ff396aae43233426f5cf36cfcb66dacb2420856b5fd0c95a4688aada6328e7058c99c65deae9d8b921cbea5948239a8e99ad15

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

smartslaves.hopto.org:40007

Mutex

7dcdaa32-9e90-4729-889e-4f20cee37920

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-01-21T10:47:07.758061536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
40007
default_group
slaves
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7dcdaa32-9e90-4729-889e-4f20cee37920
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
smartslaves.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New-Inquiry 01052020.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	New-Inquiry 01052020.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	New-Inquiry 01052020.scr

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\\Program Files (x86)\\WPA Subsystem\\wpass.exe"	MSBuild.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

New-Inquiry 01052020.scr

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	New-Inquiry 01052020.scr
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	New-Inquiry 01052020.scr

Suspicious use of SetThreadContext 1 IoCs

Processes:

New-Inquiry 01052020.scr

description pid process target process

PID 1676 set thread context of 268 1676 New-Inquiry 01052020.scr MSBuild.exe

description	pid	process	target process
PID 1676 set thread context of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe

Drops file in Program Files directory 2 IoCs

Processes:

MSBuild.exe

description	ioc	process
File created	C:\Program Files (x86)\WPA Subsystem\wpass.exe	MSBuild.exe
File opened for modification	C:\Program Files (x86)\WPA Subsystem\wpass.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1752 schtasks.exe
900 schtasks.exe
1968 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

New-Inquiry 01052020.scrMSBuild.exe

pid process

1676 New-Inquiry 01052020.scr
268 MSBuild.exe
268 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New-Inquiry 01052020.scrMSBuild.exe

description pid process

Token: SeDebugPrivilege 1676 New-Inquiry 01052020.scr
Token: SeDebugPrivilege 268 MSBuild.exe

pid	process
1752	schtasks.exe
900	schtasks.exe
1968	schtasks.exe

pid	process
1676	New-Inquiry 01052020.scr
268	MSBuild.exe
268	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1676	New-Inquiry 01052020.scr
Token: SeDebugPrivilege	268	MSBuild.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

New-Inquiry 01052020.scrMSBuild.exe

description	pid	process	target process
PID 1676 wrote to memory of 1752	1676	New-Inquiry 01052020.scr	schtasks.exe
PID 1676 wrote to memory of 1752	1676	New-Inquiry 01052020.scr	schtasks.exe
PID 1676 wrote to memory of 1752	1676	New-Inquiry 01052020.scr	schtasks.exe
PID 1676 wrote to memory of 1752	1676	New-Inquiry 01052020.scr	schtasks.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 1676 wrote to memory of 268	1676	New-Inquiry 01052020.scr	MSBuild.exe
PID 268 wrote to memory of 900	268	MSBuild.exe	schtasks.exe
PID 268 wrote to memory of 900	268	MSBuild.exe	schtasks.exe
PID 268 wrote to memory of 900	268	MSBuild.exe	schtasks.exe
PID 268 wrote to memory of 900	268	MSBuild.exe	schtasks.exe
PID 268 wrote to memory of 1968	268	MSBuild.exe	schtasks.exe
PID 268 wrote to memory of 1968	268	MSBuild.exe	schtasks.exe
PID 268 wrote to memory of 1968	268	MSBuild.exe	schtasks.exe
PID 268 wrote to memory of 1968	268	MSBuild.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\New-Inquiry 01052020.scr
"C:\Users\Admin\AppData\Local\Temp\New-Inquiry 01052020.scr" /S
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tZxKyuBR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4F69.tmp"
2⤵
- Creates scheduled task(s)
PID:1752

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp171A.tmp"
3⤵
- Creates scheduled task(s)
PID:900

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1E8A.tmp"
3⤵
- Creates scheduled task(s)
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp171A.tmp

Filesize
1KB

MD5
ae766004c0d8792953bafffe8f6a2e3b

SHA1
14b12f27543a401e2fe0af8052e116cab0032426

SHA256
1abdd9b6a6b84e4ba1af1282dc84ce276c59ba253f4c4af05fea498a4fd99540

SHA512
e530da4a5d4336fc37838d0e93b5eb3804b9c489c71f6954a47fc81a4c655bb72ec493e109cf96e6e3617d7623ac80697ad3bbd5ffc6281bafc8b34dca5e6567

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E8A.tmp

Filesize
1KB

MD5
4365cd1ae65923a319ef2683a45891fe

SHA1
85dde233112660e31c53884aedfbad52e4547e09

SHA256
84b6ce4ba26fa6fb57fa70b9ad191f7c42c71e259897955b5d514385bcd91b58

SHA512
d1bd24f504c5c2ecaa3ae98268ccc2e400ea3e16980c6caf394eadf7738225e4d5578fbe62bbe2de3fe0cb56a0d76bb3fc84cef3b9cd2f3d8be6d0becefdc035

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4F69.tmp

Filesize
1KB

MD5
2589116bf3cd3e0f485aa865a3aa52c3

SHA1
fdcf63c1eee6db4c66c7c15ea84a6aa3b113ff2a

SHA256
2fe6b756ba0cb732b0a7c8bd65012186a722ca7757c94482028eb23d041306a6

SHA512
46651d29040f66b0d99713325cbbfd53f4bec4c3b8ffd2403b9113a29deac4e9d8e47f1017f6a8f19144427881d1e471a71ce824a19c894f6422dcf76a512d69

Download Submit
memory/268-65-0x000000000041E792-mapping.dmp

Download
memory/268-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-71-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/268-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/268-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-72-0x0000000000000000-mapping.dmp

Download
memory/1676-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1676-55-0x0000000074B40000-0x00000000750EB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-56-0x0000000000000000-mapping.dmp

Download
memory/1968-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads