nanocore | a3bff9b4fb3f28a222c1c9658440b31e57d53b1c0ce9e36fda779726f75daa71

General

Target

orxVwulQulmYSAf.exe
Size

968KB
MD5

99b689cff9e00db87bbcf91174b8b7f3
SHA1

0ee1d70a16c7d6b6c1c87a1ce4f76db76eb4b153
SHA256

a3bff9b4fb3f28a222c1c9658440b31e57d53b1c0ce9e36fda779726f75daa71
SHA512

29973550ca4bef56a3d54d61d89717af98f62ec5e6ec480e3bc93dd6917a16d4abb8e27787232651fc41897f196c4e729190c91542af0feac73535d16e7aedae

Score

10^/10

nanocore keylogger persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

smithcity123.ddns.net:57689

194.5.98.180:57689

Mutex

c01c81ab-6469-4a53-a74b-1d51499279d4

Attributes

activate_away_mode
true
backup_connection_host
194.5.98.180
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-03-06T19:31:37.368246236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
57689
default_group
GREAT
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c01c81ab-6469-4a53-a74b-1d51499279d4
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
smithcity123.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
suricata: ET MALWARE Possible NanoCore C2 60B
suricata: ET MALWARE Possible NanoCore C2 60B
suricata
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisv.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

orxVwulQulmYSAf.exe

description pid process target process

PID 852 set thread context of 1648 852 orxVwulQulmYSAf.exe vbc.exe

description	pid	process	target process
PID 852 set thread context of 1648	852	orxVwulQulmYSAf.exe	vbc.exe

Drops file in Program Files directory 2 IoCs

Processes:

vbc.exe

description	ioc	process
File created	C:\Program Files (x86)\PCI Service\pcisv.exe	vbc.exe
File opened for modification	C:\Program Files (x86)\PCI Service\pcisv.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1084 schtasks.exe
1484 schtasks.exe
1800 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vbc.exe

pid process

1648 vbc.exe
1648 vbc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

1648 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1648 vbc.exe

pid	process
1084	schtasks.exe
1484	schtasks.exe
1800	schtasks.exe

pid	process
1648	vbc.exe
1648	vbc.exe

pid	process
1648	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1648	vbc.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

orxVwulQulmYSAf.exevbc.exe

description	pid	process	target process
PID 852 wrote to memory of 1800	852	orxVwulQulmYSAf.exe	schtasks.exe
PID 852 wrote to memory of 1800	852	orxVwulQulmYSAf.exe	schtasks.exe
PID 852 wrote to memory of 1800	852	orxVwulQulmYSAf.exe	schtasks.exe
PID 852 wrote to memory of 1800	852	orxVwulQulmYSAf.exe	schtasks.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 852 wrote to memory of 1648	852	orxVwulQulmYSAf.exe	vbc.exe
PID 1648 wrote to memory of 1084	1648	vbc.exe	schtasks.exe
PID 1648 wrote to memory of 1084	1648	vbc.exe	schtasks.exe
PID 1648 wrote to memory of 1084	1648	vbc.exe	schtasks.exe
PID 1648 wrote to memory of 1084	1648	vbc.exe	schtasks.exe
PID 1648 wrote to memory of 1484	1648	vbc.exe	schtasks.exe
PID 1648 wrote to memory of 1484	1648	vbc.exe	schtasks.exe
PID 1648 wrote to memory of 1484	1648	vbc.exe	schtasks.exe
PID 1648 wrote to memory of 1484	1648	vbc.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\orxVwulQulmYSAf.exe
"C:\Users\Admin\AppData\Local\Temp\orxVwulQulmYSAf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kXNiPNjdbyLARR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA95A.tmp"
2⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAE0C.tmp"
3⤵
- Creates scheduled task(s)
PID:1084

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAF54.tmp"
3⤵
- Creates scheduled task(s)
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA95A.tmp
Filesize
1KB

MD5
11f2e1d2f89a442ca94cdd3f07138b75

SHA1
a9cb155b0046533cbe16da7acb5307a3dbe4ed80

SHA256
13d40d0daa2f9ba77e9ffa9135ce8e9438645881967f64bb09b015fc2dd69821

SHA512
d357addceb41cb42104dd9cf33c3fcc5c84e98d593e9886c9537ccf0c1b9a8adb94c33bd37350497ba3190f94ccefd93ced67483f79a7ca2a475bc959e9d6711

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE0C.tmp
Filesize
1KB

MD5
808c6e96c170c90d0db522e8947eb2bd

SHA1
44583694c3c23410d637bb96c0df0921363533ad

SHA256
c6b75fb7740d34d55d74b8664ff1ea778638a4916c2b52348ea34de60edd3afc

SHA512
928b85e9fddfd7c93623e954dc53367aaf355f74a14601d77e45612ebdb77f3d6c0fc853e154f91f61e64306361885467c16fc211cf1bbdc023658ad35dba1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAF54.tmp
Filesize
1KB

MD5
bbb0d424bb7cb3b0e6aeb68cf82b8f5f

SHA1
7e95dcd21a27ee53e5c23ed5a163df56a43d572a

SHA256
08d6bee474edf0151a0d8ff942ba9e6a1efe069585c63477abd1c7bd8046e130

SHA512
0dc790a415f9717f6e7633c1d5f2749a2eca5582c5bbe114119c3ddba6d4e4d0df48029622e2fe07f94d8ae97c334b88691b7721da50ada261449769ae31d466

Download Submit
memory/852-54-0x0000000000B60000-0x0000000000C58000-memory.dmp

Filesize
992KB

Download
memory/852-55-0x00000000766A1000-0x00000000766A3000-memory.dmp

Filesize
8KB

Download
memory/852-56-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download
memory/852-57-0x0000000005350000-0x00000000053DC000-memory.dmp

Filesize
560KB

Download
memory/852-58-0x00000000006E0000-0x000000000071A000-memory.dmp

Filesize
232KB

Download
memory/1084-74-0x0000000000000000-mapping.dmp

Download
memory/1484-76-0x0000000000000000-mapping.dmp

Download
memory/1648-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-68-0x000000000041E792-mapping.dmp

Download
memory/1648-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1648-78-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/1648-79-0x0000000000450000-0x000000000046E000-memory.dmp

Filesize
120KB

Download
memory/1648-80-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1648-81-0x0000000000C05000-0x0000000000C16000-memory.dmp

Filesize
68KB

Download
memory/1800-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads