nanocore | 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28

General

Target

3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
Size

732KB
MD5

5a7daf9c6ffca459f9f7b52c682cc0ff
SHA1

1dbdf451554848528d60d7cf4023ec822499c511
SHA256

3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28
SHA512

f599dcc53e1917c2b18e98b25dae05214e590019ab646500ced4955edfc92ff109db31366d9c89f9ee3b1e025fd8f58a8c15e1c3913675525a65d0555f59ceca

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

212.7.208.94:3413

Mutex

5b6af941-fda6-43f6-be1a-bb052e8fa4d9

Attributes

activate_away_mode
true
backup_connection_host
212.7.208.94
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-09-15T09:16:35.620530336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3413
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5b6af941-fda6-43f6-be1a-bb052e8fa4d9
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
212.7.208.94
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe

description	pid	process	target process
PID 1684 set thread context of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe

description	ioc	process
File opened for modification	C:\Windows\debug\WIA\fjEVuHISE.exe	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1276 schtasks.exe
1240 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exeRegAsm.exe

pid process

1684 3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
2032 RegAsm.exe
2032 RegAsm.exe

pid	process
1276	schtasks.exe
1240	schtasks.exe

pid	process
1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
2032	RegAsm.exe
2032	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
Token: SeDebugPrivilege	2032	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exeRegAsm.exe

description	pid	process	target process
PID 1684 wrote to memory of 1276	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	schtasks.exe
PID 1684 wrote to memory of 1276	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	schtasks.exe
PID 1684 wrote to memory of 1276	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	schtasks.exe
PID 1684 wrote to memory of 1276	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	schtasks.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 1684 wrote to memory of 2032	1684	3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe	RegAsm.exe
PID 2032 wrote to memory of 1240	2032	RegAsm.exe	schtasks.exe
PID 2032 wrote to memory of 1240	2032	RegAsm.exe	schtasks.exe
PID 2032 wrote to memory of 1240	2032	RegAsm.exe	schtasks.exe
PID 2032 wrote to memory of 1240	2032	RegAsm.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe
"C:\Users\Admin\AppData\Local\Temp\3bcdebfae009e22bd85921170567886ba793e9475dcce0560ab39e75ec756b28.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fjEVuHISE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC717.tmp"
2⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "ARP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4635.tmp"
3⤵
- Creates scheduled task(s)
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4635.tmp
Filesize
1KB

MD5
c6f0625bf4c1cdfb699980c9243d3b22

SHA1
43de1fe580576935516327f17b5da0c656c72851

SHA256
8dfc4e937f0b2374e3ced25fce344b0731cf44b8854625b318d50ece2da8f576

SHA512
9ef2dbd4142ad0e1e6006929376ecb8011e7ffc801ee2101e906787d70325ad82752df65839de9972391fa52e1e5974ec1a5c7465a88aa56257633ebb7d70969

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC717.tmp
Filesize
1KB

MD5
c59c76e7b20e890c41dbc79b538eb97c

SHA1
db1a5b197429b831d17a7231084b6ca22fb79e25

SHA256
9129efa20d8d6b851f1eb02381f480e5f57712bf5231d5e6424ceaed80c73a15

SHA512
386929273a1bd07eb721977154fe4f6d7914b5073a368a9b570a6114fa0f72489262de1706fcbe1ae3198adec7d8adabfe9e80dbf493ae2b69eaf8729b6459c4

Download Submit
memory/1240-74-0x0000000000000000-mapping.dmp

Download
memory/1276-57-0x0000000000000000-mapping.dmp

Download
memory/1684-54-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download
memory/1684-55-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-56-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-70-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-66-0x000000000041E792-mapping.dmp

Download
memory/2032-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-73-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2032-76-0x00000000742A0000-0x000000007484B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads