nanocore | 0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888

Analysis

max time kernel
153s
max time network
178s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
Size

1.8MB
MD5

74014427b135871d2597e75e67c57200
SHA1

6a69db7d0e6eff14400b497da1a3a38f3183e753
SHA256

0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888
SHA512

e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438

Score

10^/10

nanocore netwire botnet evasion keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

netwire

alex419.duckdns.org:60622

178.239.21.185:60622

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
GRACE101
install_path
%AppData%\Install\file.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
NwgwuGDR
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
Abobex
use_mutex
true

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Host.exe	netwire
\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
C:\Users\Admin\AppData\Local\Temp\Host.exe	netwire
\Users\Admin\AppData\Roaming\Install\file.exe	netwire
\Users\Admin\AppData\Roaming\Install\file.exe	netwire
C:\Users\Admin\AppData\Roaming\Install\file.exe	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 4 IoCs

Processes:

Host.exefile.exeexpliorers.exeexpliorers.exe

pid process

1828 Host.exe
780 file.exe
332 expliorers.exe
2036 expliorers.exe

pid	process
1828	Host.exe
780	file.exe
332	expliorers.exe
2036	expliorers.exe

Loads dropped DLL 6 IoCs

Processes:

0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exeHost.exe

pid	process
1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
1828	Host.exe
1828	Host.exe
1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exeexpliorers.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Abobex = "C:\\Users\\Admin\\AppData\\Roaming\\Install\\file.exe"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Service = "C:\\Program Files (x86)\\ARP Service\\arpsvc.exe"	expliorers.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

expliorers.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA expliorers.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

expliorers.exe

description pid process target process

PID 332 set thread context of 2036 332 expliorers.exe expliorers.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	expliorers.exe

description	pid	process	target process
PID 332 set thread context of 2036	332	expliorers.exe	expliorers.exe

Drops file in Program Files directory 2 IoCs

Processes:

expliorers.exe

description	ioc	process
File created	C:\Program Files (x86)\ARP Service\arpsvc.exe	expliorers.exe
File opened for modification	C:\Program Files (x86)\ARP Service\arpsvc.exe	expliorers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

expliorers.exe

pid process

2036 expliorers.exe
2036 expliorers.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

expliorers.exe

description pid process

Token: SeDebugPrivilege 2036 expliorers.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exeexpliorers.exe

pid process

1864 0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
332 expliorers.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

expliorers.exe

pid process

2036 expliorers.exe

pid	process
2036	expliorers.exe
2036	expliorers.exe

description	pid	process
Token: SeDebugPrivilege	2036	expliorers.exe

pid	process
2036	expliorers.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exeHost.exeexpliorers.exe

description	pid	process	target process
PID 1864 wrote to memory of 1828	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	Host.exe
PID 1864 wrote to memory of 1828	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	Host.exe
PID 1864 wrote to memory of 1828	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	Host.exe
PID 1864 wrote to memory of 1828	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	Host.exe
PID 1864 wrote to memory of 964	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	WScript.exe
PID 1864 wrote to memory of 964	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	WScript.exe
PID 1864 wrote to memory of 964	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	WScript.exe
PID 1864 wrote to memory of 964	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	WScript.exe
PID 1828 wrote to memory of 780	1828	Host.exe	file.exe
PID 1828 wrote to memory of 780	1828	Host.exe	file.exe
PID 1828 wrote to memory of 780	1828	Host.exe	file.exe
PID 1828 wrote to memory of 780	1828	Host.exe	file.exe
PID 1864 wrote to memory of 332	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	expliorers.exe
PID 1864 wrote to memory of 332	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	expliorers.exe
PID 1864 wrote to memory of 332	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	expliorers.exe
PID 1864 wrote to memory of 332	1864	0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe	expliorers.exe
PID 332 wrote to memory of 2036	332	expliorers.exe	expliorers.exe
PID 332 wrote to memory of 2036	332	expliorers.exe	expliorers.exe
PID 332 wrote to memory of 2036	332	expliorers.exe	expliorers.exe
PID 332 wrote to memory of 2036	332	expliorers.exe	expliorers.exe

C:\Users\Admin\AppData\Local\Temp\0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe
"C:\Users\Admin\AppData\Local\Temp\0D68C0B7843FA97AA4A8820EE1C7A8DE70D2F1B36D115.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Roaming\Install\file.exe
"C:\Users\Admin\AppData\Roaming\Install\file.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\subfolder\expliorers.vbs"
2⤵
PID:964

C:\Users\Admin\subfolder\expliorers.exe
"C:\Users\Admin\subfolder\expliorers.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\subfolder\expliorers.exe
C:\Users\Admin\subfolder\expliorers.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\AppData\Roaming\Install\file.exe

Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
C:\Users\Admin\subfolder\expliorers.exe

Filesize
1.8MB

MD5
74014427b135871d2597e75e67c57200

SHA1
6a69db7d0e6eff14400b497da1a3a38f3183e753

SHA256
0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888

SHA512
e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438

Download Submit
C:\Users\Admin\subfolder\expliorers.exe

Filesize
1.8MB

MD5
74014427b135871d2597e75e67c57200

SHA1
6a69db7d0e6eff14400b497da1a3a38f3183e753

SHA256
0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888

SHA512
e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438

Download Submit
C:\Users\Admin\subfolder\expliorers.exe

Filesize
1.8MB

MD5
74014427b135871d2597e75e67c57200

SHA1
6a69db7d0e6eff14400b497da1a3a38f3183e753

SHA256
0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888

SHA512
e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438

Download Submit
C:\Users\Admin\subfolder\expliorers.vbs

Filesize
1024B

MD5
265ec95775a963cbcb73a1378a1ae2d6

SHA1
2a8e744cf34cc8bf77b01dedcd4452a206899243

SHA256
37584c8a0f350f12d350907cacc6f500f0ba3c278c2a758d8116f6a043a88d70

SHA512
8c0f1966098fdc46e625d070fa645c24208da9b6ffc584d7bfe2130521acf3c4c0fabf676d55d9f3151aa09328e501fbe0bf0b0b6d8b7f551b5695cbf8e89bd2

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\AppData\Local\Temp\Host.exe

Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\AppData\Roaming\Install\file.exe

Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\AppData\Roaming\Install\file.exe

Filesize
148KB

MD5
b50aeef02f35381208f2bdc7536fecb6

SHA1
73197a36a09b21901da085e67c600b5e84606668

SHA256
8f168eecbe8608addbffe143cdcccc4be9ec45a5caf52fa00528a2b14ebe0a47

SHA512
275121d6114a8d22500ddd8ed722ea553084e4b289614484e932af076d52f375f3810191c937dd38f36889788bb07ac4fb4c7c140dd8adeb4cfdafc874c7bff9

Download Submit
\Users\Admin\subfolder\expliorers.exe

Filesize
1.8MB

MD5
74014427b135871d2597e75e67c57200

SHA1
6a69db7d0e6eff14400b497da1a3a38f3183e753

SHA256
0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888

SHA512
e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438

Download Submit
\Users\Admin\subfolder\expliorers.exe

Filesize
1.8MB

MD5
74014427b135871d2597e75e67c57200

SHA1
6a69db7d0e6eff14400b497da1a3a38f3183e753

SHA256
0d68c0b7843fa97aa4a8820ee1c7a8de70d2f1b36d1150a3af9dfd19bb70e888

SHA512
e5d6b0aad5fe75104b9d0b830972a7b46d22f06cb7b7d611c0e3055cb81209647557342e6a9422b1a14bc73fa6914bae4fbca0a748a8389c89d5d20a2bcbd438

Download Submit
memory/332-86-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download
memory/332-87-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download
memory/332-77-0x0000000000000000-mapping.dmp

Download
memory/780-72-0x0000000000000000-mapping.dmp

Download
memory/964-65-0x0000000000000000-mapping.dmp

Download
memory/1828-63-0x0000000000000000-mapping.dmp

Download
memory/1864-81-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download
memory/1864-60-0x0000000000250000-0x0000000000257000-memory.dmp

Filesize
28KB

Download
memory/1864-57-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1864-58-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download
memory/1864-59-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download
memory/1864-56-0x0000000000250000-0x0000000000257000-memory.dmp

Filesize
28KB

Download
memory/2036-89-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2036-84-0x00000000004A80A2-mapping.dmp

Download
memory/2036-90-0x0000000000400000-0x00000000005C8000-memory.dmp

Filesize
1.8MB

Download
memory/2036-91-0x0000000008A70000-0x0000000009568000-memory.dmp

Filesize
11.0MB

Download
memory/2036-92-0x0000000076E50000-0x0000000076FF9000-memory.dmp

Filesize
1.7MB

Download
memory/2036-94-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-93-0x0000000009570000-0x0000000009D0C000-memory.dmp

Filesize
7.6MB

Download
memory/2036-95-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/2036-96-0x0000000073C20000-0x00000000741CB000-memory.dmp

Filesize
5.7MB

Download