nanocore | 60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1

General

Target

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
Size

346KB
MD5

6ed084ce771b176b6e560e83b11f0065
SHA1

7b42bfe26b7248abb5fd6be844f3fa34605f77b3
SHA256

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1
SHA512

e479b93124a21b02ffd89030401a97da9f66f413d060c56dcaa59ee39abaea620bfd9dbe0bbc1b744c7153ad4189e9c4e55aee0a45f5a7f467ae6a475f9b2c4e

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

31.220.7.204:1626

Mutex

907487f9-556a-489f-9f70-b8462086f0d7

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2018-09-10T07:36:15.786172136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
1626
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
907487f9-556a-489f-9f70-b8462086f0d7
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
31.220.7.204
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IMAP Monitor = "C:\\Program Files (x86)\\IMAP Monitor\\imapmon.exe"	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

description	pid	process	target process
PID 5040 set thread context of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Drops file in Program Files directory 2 IoCs

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

description	ioc	process
File created	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
File opened for modification	C:\Program Files (x86)\IMAP Monitor\imapmon.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4628 schtasks.exe

pid	process
4628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

pid	process
5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
1984	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
1984	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
1984	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

pid process

1984 60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

pid	process
1984	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

description	pid	process
Token: SeDebugPrivilege	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
Token: SeDebugPrivilege	1984	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

description	pid	process	target process
PID 5040 wrote to memory of 4628	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	schtasks.exe
PID 5040 wrote to memory of 4628	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	schtasks.exe
PID 5040 wrote to memory of 4628	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	schtasks.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
PID 5040 wrote to memory of 1984	5040	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe	60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe

C:\Users\Admin\AppData\Local\Temp\60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
"C:\Users\Admin\AppData\Local\Temp\60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FFEmQopy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6244.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe
  "C:\Users\Admin\AppData\Local\Temp\60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\60c096f7da5a6501ecbc8360ad687aa8e631af3a1d641384e806b1f61de012f1.exe.log

Filesize
594B

MD5
fdb26b3b547022b45cfaeee57eafd566

SHA1
11c6798b8a59233f404014c5e79b3363cd564b37

SHA256
2707fc7f074413881b7bafca05079327b188db6005709951e7f69d39a2af97c0

SHA512
44d9bb8c0f0b341690d00eda86e15a50f7f29ce9595925c1a2a7e19ad26202d10049a7a97bea278ecb7d429ad555de8edceeffff664d4b06309a9410a09bb700

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6244.tmp

Filesize
1KB

MD5
bf17a4ef661e9aeaa479722d2f4ea95b

SHA1
bc8ad6e17f5f3e5e5e63c08141699ab1ce449b13

SHA256
985d37ea99c8de64c29e843a3a29d753eab6dd5838e66648dac5e09d1761f9ed

SHA512
21180d100bdc2a59a1f5d7662de539f9d13f351e83696c812cffc6710748323d526ca10d8629a8bd30cdd412984e07d7aa7a57c7122677206d28ab36efeed60f

Download Submit
memory/1984-134-0x0000000000000000-mapping.dmp

Download
memory/1984-135-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1984-138-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/1984-139-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/4628-132-0x0000000000000000-mapping.dmp

Download
memory/5040-130-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/5040-131-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download
memory/5040-137-0x0000000075380000-0x0000000075931000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads