nanocore | cd90eab5c964cad9b377fa11e541df36d215eaf724b8c57af48e15f674897e7a

General

Target

scanned.exe
Size

651KB
MD5

a8afecd9d10dbaa715872ff1f0d24e23
SHA1

9c4f08f6f5d143b1c2aa11f5eacef02436f4c07c
SHA256

eb29cff78bd1361ba91bcc9abfba066afe030631bffbb0690a6ac9f407a4b5b6
SHA512

d98f29261a58770591ae1c22bda80daf45d883266d1b6016a9d7b664d70e5d1da1578ddcc87af7fa6a5788b4de3440c061cb5a22eb9ecd044e2172f47c7472ea

Score

10^/10

nanocore keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

dolphnindia.duckdns.org:6543

Mutex

6d2e093a-b947-44e9-8329-af9bc75608b3

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-05-15T21:20:47.549058536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
6543
default_group
inv
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
6d2e093a-b947-44e9-8329-af9bc75608b3
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dolphnindia.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

scanned.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation scanned.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

scanned.exe

description pid process target process

PID 3532 set thread context of 4484 3532 scanned.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

456 schtasks.exe
4392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

scanned.exeMSBuild.exe

pid process

3532 scanned.exe
4484 MSBuild.exe
4484 MSBuild.exe
4484 MSBuild.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MSBuild.exe

pid process

4484 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

scanned.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 3532 scanned.exe
Token: SeDebugPrivilege 4484 MSBuild.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	scanned.exe

description	pid	process	target process
PID 3532 set thread context of 4484	3532	scanned.exe	MSBuild.exe

pid	process
456	schtasks.exe
4392	schtasks.exe

pid	process
3532	scanned.exe
4484	MSBuild.exe
4484	MSBuild.exe
4484	MSBuild.exe

pid	process
4484	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	3532	scanned.exe
Token: SeDebugPrivilege	4484	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

scanned.exeMSBuild.exe

description	pid	process	target process
PID 3532 wrote to memory of 456	3532	scanned.exe	schtasks.exe
PID 3532 wrote to memory of 456	3532	scanned.exe	schtasks.exe
PID 3532 wrote to memory of 456	3532	scanned.exe	schtasks.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 3532 wrote to memory of 4484	3532	scanned.exe	MSBuild.exe
PID 4484 wrote to memory of 4392	4484	MSBuild.exe	schtasks.exe
PID 4484 wrote to memory of 4392	4484	MSBuild.exe	schtasks.exe
PID 4484 wrote to memory of 4392	4484	MSBuild.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\scanned.exe
"C:\Users\Admin\AppData\Local\Temp\scanned.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LImnhk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp25B3.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp25B3.tmp

Filesize
1KB

MD5
0fe977c13be9aa805390ade56c0684ff

SHA1
9724a22efd746133b0f5ce6994d7d8e38bf8c2a5

SHA256
89b20476988e9ae4981fa007a743f7eeff71dd07e676a9155d3b6c75f7d896ca

SHA512
c58bdc21da33ddfe1533a884e9b443d6456e76d4be33a8f9a5211119a1febc6354372a1de05824a22400908ae70ecca3d81ab54a2c21780262936deb9dc78630

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp

Filesize
1KB

MD5
3e2b26ed8b75ae83a269595180e84ef6

SHA1
d30a0335fcce406bca8ba5764288235e6192f608

SHA256
108be30aeb8eb31c185a39a6726f26dacbc4e4124951c61a29ade4b7038c71ea

SHA512
b6981c68fcb886cc8379a068b96931b9d4f5cc5aa9bdc467e36c4168fe6c5273a2a84d8850b12c11703ec03ac6b1f1950d1e669efcb59fc2402ce4bba9dc03d3

Download Submit
memory/456-136-0x0000000000000000-mapping.dmp

Download
memory/3532-130-0x0000000000A60000-0x0000000000B08000-memory.dmp

Filesize
672KB

Download
memory/3532-131-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/3532-132-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/3532-133-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/3532-134-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/3532-135-0x0000000005660000-0x00000000056B6000-memory.dmp

Filesize
344KB

Download
memory/4392-140-0x0000000000000000-mapping.dmp

Download
memory/4484-138-0x0000000000000000-mapping.dmp

Download
memory/4484-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads