nanocore | 32952c9096e02e8b210e74d459cc45e2e1b5b3e81ba18c21d4144dfc682d62da

General

Target

Purchase order#54.exe
Size

562KB
MD5

1dfe52d38f7819e0117483241e5d2b43
SHA1

f6013c4762c6357fb672248ff522625f8548e397
SHA256

b3278c2b73f1b45d1d440b080dd563191b03794243f1ded305ff62b288accd75
SHA512

296b767294a9783df427da72e60486be5c65d5e3f9b6a50545af00ae591c41cc6e53edb0fb7639289c40ba36a3cfa2cd31fc4fa9ee9396f29a466fbdcd0ee218

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

onyekaj.hopto.org:6634

185.140.53.34:6634

Mutex

b2aa75e1-3a74-4a5f-b74d-28e6dd90be29

Attributes

activate_away_mode
true
backup_connection_host
185.140.53.34
backup_dns_server
185.140.53.34
buffer_size
65535
build_time
2020-05-11T01:26:52.110301936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6634
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b2aa75e1-3a74-4a5f-b74d-28e6dd90be29
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
onyekaj.hopto.org
primary_dns_server
onyekaj.hopto.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.140.53.34
Destination IP 185.140.53.34
Destination IP 185.140.53.34
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase order#54.exe

description pid process target process

PID 1816 set thread context of 1940 1816 Purchase order#54.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1168 schtasks.exe
1872 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Purchase order#54.exevbc.exe

pid process

1816 Purchase order#54.exe
1816 Purchase order#54.exe
1940 vbc.exe
1940 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase order#54.exevbc.exe

description pid process

Token: SeDebugPrivilege 1816 Purchase order#54.exe
Token: SeDebugPrivilege 1940 vbc.exe

description	ioc
Destination IP	185.140.53.34
Destination IP	185.140.53.34
Destination IP	185.140.53.34

description	pid	process	target process
PID 1816 set thread context of 1940	1816	Purchase order#54.exe	vbc.exe

pid	process
1168	schtasks.exe
1872	schtasks.exe

pid	process
1816	Purchase order#54.exe
1816	Purchase order#54.exe
1940	vbc.exe
1940	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1816	Purchase order#54.exe
Token: SeDebugPrivilege	1940	vbc.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Purchase order#54.exevbc.exe

description	pid	process	target process
PID 1816 wrote to memory of 1168	1816	Purchase order#54.exe	schtasks.exe
PID 1816 wrote to memory of 1168	1816	Purchase order#54.exe	schtasks.exe
PID 1816 wrote to memory of 1168	1816	Purchase order#54.exe	schtasks.exe
PID 1816 wrote to memory of 1168	1816	Purchase order#54.exe	schtasks.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1816 wrote to memory of 1940	1816	Purchase order#54.exe	vbc.exe
PID 1940 wrote to memory of 1872	1940	vbc.exe	schtasks.exe
PID 1940 wrote to memory of 1872	1940	vbc.exe	schtasks.exe
PID 1940 wrote to memory of 1872	1940	vbc.exe	schtasks.exe
PID 1940 wrote to memory of 1872	1940	vbc.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Purchase order#54.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order#54.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp393A.tmp"
2⤵
- Creates scheduled task(s)
PID:1168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3D11.tmp"
3⤵
- Creates scheduled task(s)
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp393A.tmp
Filesize
1KB

MD5
c5e5a486021e6137551a468cae265a0f

SHA1
3f6695a9cb933ec75a064cd18dbb6fb5e8e9ac75

SHA256
bfce6d0113e09a260e399ae12b7620c7ac495ca8fedf8093a50b9e55b687bf02

SHA512
5947c65bbf87b30f7213aae37c024c8645c4499531846a4fd8318e854a357a1dca928080b481626c2c1606b9e8ebdafd88dd1830e09a11fc5aeb8bc057b028cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D11.tmp
Filesize
1KB

MD5
808c6e96c170c90d0db522e8947eb2bd

SHA1
44583694c3c23410d637bb96c0df0921363533ad

SHA256
c6b75fb7740d34d55d74b8664ff1ea778638a4916c2b52348ea34de60edd3afc

SHA512
928b85e9fddfd7c93623e954dc53367aaf355f74a14601d77e45612ebdb77f3d6c0fc853e154f91f61e64306361885467c16fc211cf1bbdc023658ad35dba1eb

Download Submit
memory/1168-59-0x0000000000000000-mapping.dmp

Download
memory/1816-54-0x0000000000200000-0x0000000000292000-memory.dmp

Filesize
584KB

Download
memory/1816-55-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/1816-56-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/1816-57-0x00000000072C0000-0x0000000007312000-memory.dmp

Filesize
328KB

Download
memory/1816-58-0x0000000007310000-0x000000000734A000-memory.dmp

Filesize
232KB

Download
memory/1872-74-0x0000000000000000-mapping.dmp

Download
memory/1940-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1940-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1940-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1940-68-0x000000000041E792-mapping.dmp

Download
memory/1940-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1940-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1940-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1940-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1940-76-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download
memory/1940-77-0x0000000000970000-0x000000000098E000-memory.dmp

Filesize
120KB

Download
memory/1940-78-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/1940-79-0x0000000004A35000-0x0000000004A46000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads