nanocore | 6d882e7cb1b1000693eddf517cc22e2baa1537e3cd86e019da3c5a7638ca6f5f

General

Target

EUR98690-Swift99976675.js
Size

369KB
MD5

8d1f47a877f4578f0d4f5a1469c5726f
SHA1

98663d5461ce37cffe7d1e1c300e5eb36b8e0360
SHA256

6d882e7cb1b1000693eddf517cc22e2baa1537e3cd86e019da3c5a7638ca6f5f
SHA512

9e4aa1efbecb021888409fdf65f4799215cc118f8eb683b9020f82cd951afe47c44bca1e1afd038555ff84bf6f92b97961bcc68e5fe80132eec8fea69294c63c
SSDEEP

6144:AIHct39Zx15CrTTzRfhlSvt3n60opyt8ugNX2zd1TKO54HzirgTIbANP4n/pzJLR:AT515CfuXZoweGJ/0I2gxzJR3

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

[email protected]:54984

127.0.0.1:54984

Mutex

ca97c66b-4a70-4c2d-bb40-2424e5fdce5c

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-10T10:11:01.057108436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ca97c66b-4a70-4c2d-bb40-2424e5fdce5c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
[email protected]
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

nano.exe

pid process

332 nano.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

nano.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nano.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

nano.exe

pid process

332 nano.exe
332 nano.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

nano.exe

pid process

332 nano.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nano.exe

description pid process

Token: SeDebugPrivilege 332 nano.exe

pid	process
332	nano.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nano.exe

pid	process
332	nano.exe
332	nano.exe

pid	process
332	nano.exe

description	pid	process
Token: SeDebugPrivilege	332	nano.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

wscript.exe

description	pid	process	target process
PID 1132 wrote to memory of 1608	1132	wscript.exe	wscript.exe
PID 1132 wrote to memory of 1608	1132	wscript.exe	wscript.exe
PID 1132 wrote to memory of 1608	1132	wscript.exe	wscript.exe
PID 1132 wrote to memory of 332	1132	wscript.exe	nano.exe
PID 1132 wrote to memory of 332	1132	wscript.exe	nano.exe
PID 1132 wrote to memory of 332	1132	wscript.exe	nano.exe
PID 1132 wrote to memory of 332	1132	wscript.exe	nano.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\EUR98690-Swift99976675.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\uPwkqOdwmL.js"
  2⤵
  PID:1608
- C:\Users\Admin\AppData\Roaming\nano.exe
  "C:\Users\Admin\AppData\Roaming\nano.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nano.exe

Filesize
202KB

MD5
e132a3665bf8187deead9364cbdc5017

SHA1
ca29f9fc578210fa07fd2acc87774f17a9564eab

SHA256
2b65cf2fcbab35105403c2bff2a50ae05599e687d4d8ca0919a41980a3d60ab8

SHA512
d27cbf55583638dbbf5bc82b1bd399f0ec6a3f4e09ec6e4894292188364bc57bca3b10fda832aeecea42bceb07af4058e6d0be43401fd1327a2643da4d4b69e4

Download Submit
C:\Users\Admin\AppData\Roaming\nano.exe

Filesize
202KB

MD5
e132a3665bf8187deead9364cbdc5017

SHA1
ca29f9fc578210fa07fd2acc87774f17a9564eab

SHA256
2b65cf2fcbab35105403c2bff2a50ae05599e687d4d8ca0919a41980a3d60ab8

SHA512
d27cbf55583638dbbf5bc82b1bd399f0ec6a3f4e09ec6e4894292188364bc57bca3b10fda832aeecea42bceb07af4058e6d0be43401fd1327a2643da4d4b69e4

Download Submit
C:\Users\Admin\AppData\Roaming\uPwkqOdwmL.js

Filesize
2KB

MD5
f4fce6b0de17ae8b75c462ebfd562c51

SHA1
9e2a2b0e22ee29e8268f104c63e776cbccf24777

SHA256
36fcb70b43c321e5bcea43a39603296eb10d5387187f4f6d248b76f4f87964fd

SHA512
b9f04a7cd0b4077f873a58e1a01ab8a10e4b60e50c911c87ece6cbcdf1e54f97b5a1887e9e8215dc7cca92c1127451905a1620974f4f1c0919b338566b20d71a

Download Submit
memory/332-57-0x0000000000000000-mapping.dmp

Download
memory/332-60-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/332-61-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/332-62-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-54-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing