nanocore | 32952c9096e02e8b210e74d459cc45e2e1b5b3e81ba18c21d4144dfc682d62da

General

Target

Purchase order#54.exe
Size

562KB
MD5

1dfe52d38f7819e0117483241e5d2b43
SHA1

f6013c4762c6357fb672248ff522625f8548e397
SHA256

b3278c2b73f1b45d1d440b080dd563191b03794243f1ded305ff62b288accd75
SHA512

296b767294a9783df427da72e60486be5c65d5e3f9b6a50545af00ae591c41cc6e53edb0fb7639289c40ba36a3cfa2cd31fc4fa9ee9396f29a466fbdcd0ee218

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

onyekaj.hopto.org:6634

185.140.53.34:6634

Mutex

b2aa75e1-3a74-4a5f-b74d-28e6dd90be29

Attributes

activate_away_mode
true
backup_connection_host
185.140.53.34
backup_dns_server
185.140.53.34
buffer_size
65535
build_time
2020-05-11T01:26:52.110301936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6634
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b2aa75e1-3a74-4a5f-b74d-28e6dd90be29
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
onyekaj.hopto.org
primary_dns_server
onyekaj.hopto.org
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase order#54.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Purchase order#54.exe

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 185.140.53.34
Destination IP 185.140.53.34
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase order#54.exe

description pid process target process

PID 4772 set thread context of 3736 4772 Purchase order#54.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1988 schtasks.exe
2284 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Purchase order#54.exevbc.exe

pid process

4772 Purchase order#54.exe
4772 Purchase order#54.exe
4772 Purchase order#54.exe
3736 vbc.exe
3736 vbc.exe
3736 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

3736 vbc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase order#54.exevbc.exe

description pid process

Token: SeDebugPrivilege 4772 Purchase order#54.exe
Token: SeDebugPrivilege 3736 vbc.exe

description	ioc
Destination IP	185.140.53.34
Destination IP	185.140.53.34

description	pid	process	target process
PID 4772 set thread context of 3736	4772	Purchase order#54.exe	vbc.exe

pid	process
1988	schtasks.exe
2284	schtasks.exe

pid	process
4772	Purchase order#54.exe
4772	Purchase order#54.exe
4772	Purchase order#54.exe
3736	vbc.exe
3736	vbc.exe
3736	vbc.exe

pid	process
3736	vbc.exe

description	pid	process
Token: SeDebugPrivilege	4772	Purchase order#54.exe
Token: SeDebugPrivilege	3736	vbc.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Purchase order#54.exevbc.exe

description	pid	process	target process
PID 4772 wrote to memory of 1988	4772	Purchase order#54.exe	schtasks.exe
PID 4772 wrote to memory of 1988	4772	Purchase order#54.exe	schtasks.exe
PID 4772 wrote to memory of 1988	4772	Purchase order#54.exe	schtasks.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 4772 wrote to memory of 3736	4772	Purchase order#54.exe	vbc.exe
PID 3736 wrote to memory of 2284	3736	vbc.exe	schtasks.exe
PID 3736 wrote to memory of 2284	3736	vbc.exe	schtasks.exe
PID 3736 wrote to memory of 2284	3736	vbc.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Purchase order#54.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order#54.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F37.tmp"
2⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp49C6.tmp"
3⤵
- Creates scheduled task(s)
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F37.tmp
Filesize
1KB

MD5
d49b1a0b5a08ed1df869f23aedb3c8ca

SHA1
f22cc9413d67d36b88bec3a3788c0eef02b64577

SHA256
4adeb4eedb7bcda76f1b6f910fbb87d34f776e6fce58521c2398243585d6dfe6

SHA512
0f5626ba83c2173a43fc6e552030258ef8f87ce92bd340ab1b94ec873dbd7040b3d478af057d9294abf8e3368c330abf4c02c70f5809c51112cfc5798d508255

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp49C6.tmp
Filesize
1KB

MD5
808c6e96c170c90d0db522e8947eb2bd

SHA1
44583694c3c23410d637bb96c0df0921363533ad

SHA256
c6b75fb7740d34d55d74b8664ff1ea778638a4916c2b52348ea34de60edd3afc

SHA512
928b85e9fddfd7c93623e954dc53367aaf355f74a14601d77e45612ebdb77f3d6c0fc853e154f91f61e64306361885467c16fc211cf1bbdc023658ad35dba1eb

Download Submit
memory/1988-136-0x0000000000000000-mapping.dmp

Download
memory/2284-140-0x0000000000000000-mapping.dmp

Download
memory/3736-138-0x0000000000000000-mapping.dmp

Download
memory/3736-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4772-130-0x00000000001B0000-0x0000000000242000-memory.dmp

Filesize
584KB

Download
memory/4772-131-0x0000000007440000-0x00000000074DC000-memory.dmp

Filesize
624KB

Download
memory/4772-132-0x0000000007A90000-0x0000000008034000-memory.dmp

Filesize
5.6MB

Download
memory/4772-133-0x0000000007580000-0x0000000007612000-memory.dmp

Filesize
584KB

Download
memory/4772-134-0x0000000007430000-0x000000000743A000-memory.dmp

Filesize
40KB

Download
memory/4772-135-0x0000000007720000-0x0000000007776000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads