nanocore | 79c7be0e2d5b02f5ab3d907504d1c31d21acb7abec48bfd6b3ca3bf978ea8a2f

General

Target

NEW ORDER.exe
Size

509KB
MD5

f0f7a4fd4ae11a32f44c846af92e71e0
SHA1

ccba79af34bc38893b7a7a000db0d89377fa547a
SHA256

8ff1070136cd6c74a1c79964233004f87434efb65bfc8dc5caf986bd62f12d86
SHA512

f87c57ee8dd0231c7c0f7d8c82d35d13b8acc07432f1042f09ab7f35398209244af3bfc96ce8a17c106bcb98cb5a766b5f7c8783c8a48536afbdf98a172f1f86

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

som2020.zapto.org:1165

185.140.53.6:1165

Mutex

7222ae52-d704-47b4-8f02-7756162c51c1

Attributes

activate_away_mode
true
backup_connection_host
185.140.53.6
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-01-22T11:34:05.203302536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1165
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7222ae52-d704-47b4-8f02-7756162c51c1
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
som2020.zapto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEW ORDER.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	NEW ORDER.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NEW ORDER.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe"	NEW ORDER.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NEW ORDER.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NEW ORDER.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEW ORDER.exe

description pid process target process

PID 1504 set thread context of 504 1504 NEW ORDER.exe NEW ORDER.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NEW ORDER.exe

description	pid	process	target process
PID 1504 set thread context of 504	1504	NEW ORDER.exe	NEW ORDER.exe

Drops file in Program Files directory 2 IoCs

Processes:

NEW ORDER.exe

description	ioc	process
File created	C:\Program Files (x86)\TCP Service\tcpsvc.exe	NEW ORDER.exe
File opened for modification	C:\Program Files (x86)\TCP Service\tcpsvc.exe	NEW ORDER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1620 schtasks.exe
1916 schtasks.exe
3540 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

NEW ORDER.exeNEW ORDER.exe

pid process

1504 NEW ORDER.exe
1504 NEW ORDER.exe
1504 NEW ORDER.exe
1504 NEW ORDER.exe
504 NEW ORDER.exe
504 NEW ORDER.exe
504 NEW ORDER.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NEW ORDER.exe

pid process

504 NEW ORDER.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

NEW ORDER.exeNEW ORDER.exe

description pid process

Token: SeDebugPrivilege 1504 NEW ORDER.exe
Token: SeDebugPrivilege 504 NEW ORDER.exe

pid	process
1620	schtasks.exe
1916	schtasks.exe
3540	schtasks.exe

pid	process
1504	NEW ORDER.exe
1504	NEW ORDER.exe
1504	NEW ORDER.exe
1504	NEW ORDER.exe
504	NEW ORDER.exe
504	NEW ORDER.exe
504	NEW ORDER.exe

pid	process
504	NEW ORDER.exe

description	pid	process
Token: SeDebugPrivilege	1504	NEW ORDER.exe
Token: SeDebugPrivilege	504	NEW ORDER.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

NEW ORDER.exeNEW ORDER.exe

description	pid	process	target process
PID 1504 wrote to memory of 3540	1504	NEW ORDER.exe	schtasks.exe
PID 1504 wrote to memory of 3540	1504	NEW ORDER.exe	schtasks.exe
PID 1504 wrote to memory of 3540	1504	NEW ORDER.exe	schtasks.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 1504 wrote to memory of 504	1504	NEW ORDER.exe	NEW ORDER.exe
PID 504 wrote to memory of 1620	504	NEW ORDER.exe	schtasks.exe
PID 504 wrote to memory of 1620	504	NEW ORDER.exe	schtasks.exe
PID 504 wrote to memory of 1620	504	NEW ORDER.exe	schtasks.exe
PID 504 wrote to memory of 1916	504	NEW ORDER.exe	schtasks.exe
PID 504 wrote to memory of 1916	504	NEW ORDER.exe	schtasks.exe
PID 504 wrote to memory of 1916	504	NEW ORDER.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ntHJzsFhHc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BAB.tmp"
2⤵
- Creates scheduled task(s)
PID:3540

C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp906D.tmp"
3⤵
- Creates scheduled task(s)
PID:1620

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9272.tmp"
3⤵
- Creates scheduled task(s)
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NEW ORDER.exe.log
Filesize
496B

MD5
7baa6583f69f63f7230df9bf98448356

SHA1
fe9eb85b57192362da704a3c130377fe83862320

SHA256
a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f

SHA512
0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8BAB.tmp
Filesize
1KB

MD5
f4fc5a024678772129f7d10b850ef02a

SHA1
8765fb74414c23ea1c8d5dc4b01bf818fb3eb6c0

SHA256
8bbdfe7aeb789c3f77ddc4809ed130752d09d9c94ee7afda563d746ae471a1bd

SHA512
b6faccc15452f9154e72ff68b3479703a9a3d51ceaa9322cb61bd5d19617cd735cf4a0516b8d9411f3f7e24ea315f3d6c9a6b8ab2a240d4ef8443709efa1e554

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp906D.tmp
Filesize
1KB

MD5
c8468ecc846a5610de272f51c99ad2e3

SHA1
5a6a3cbbf0a8187e1366ad33e6cc36441ae33821

SHA256
bdcceee63db950ad4e533dab35b2e6ca12bb7ad2a94021900875ff91bebfeee3

SHA512
4baf133c1f55cb450ac4b437023fd741225c923792f960441370591c723aea8458925dd00eac468e4329bbefca9af57876a7cbf5d9d80f8cff062fbe7680f80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9272.tmp
Filesize
1KB

MD5
9db6095f31f8b4ae8173fe11424a8dfe

SHA1
4b0655ae95def24a41710ca137649d93bfa49407

SHA256
9911b4513e44521c90c020ddcddea1ddc58095055a72ec638b593bf9ee23aa72

SHA512
5bee977264545a30a2d53e674f54a4066d4529dc9162d46911b9cac957052cdc1ea7c8d60f9c57d3f33db6cb964b1e6bb2347d0e0e2af0a32ac98938c02ffc1c

Download Submit
memory/504-133-0x0000000000000000-mapping.dmp

Download
memory/504-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/504-138-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1504-130-0x0000000075510000-0x0000000075AC1000-memory.dmp

Filesize
5.7MB

Download
memory/1620-136-0x0000000000000000-mapping.dmp

Download
memory/1916-139-0x0000000000000000-mapping.dmp

Download
memory/3540-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads