nanocore | 03dbb8d164dd7caaaedd098efc8f707d24034bfb4d0d77521b33de6c76f10ee7

General

Target

RFQ23449.exe
Size

697KB
MD5

fae41eae9136f5afc4dc6cdff251b863
SHA1

050eaa1fa847f19f56f1e83981415d9f720fa291
SHA256

03dbb8d164dd7caaaedd098efc8f707d24034bfb4d0d77521b33de6c76f10ee7
SHA512

4f15ed9094d5a48850d354c186a690e43f94b4471d258ca8de070c045e9a43a4816f3efe84913017764b21dca9010d6f656f1c9d70a2dd14155241ecc2980836
SSDEEP

12288:Pf0F75e0+W1VOwPr0V/7579+wfi7gutAdf2B3j7QR2b:PMZ5L1gwPc/VJ+wfi7dtAgxQ

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

brightnano1.ddns.net:1989

171.22.30.97:1989

Mutex

fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe

Attributes

activate_away_mode
true
backup_connection_host
171.22.30.97
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-10T14:34:05.030247036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1989
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
fba1bbc6-2cc8-4c94-b6c0-dda5a12fd7fe
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
brightnano1.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ23449.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RFQ23449.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ23449.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	RFQ23449.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RFQ23449.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RFQ23449.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ23449.exe

description pid process target process

PID 1464 set thread context of 1864 1464 RFQ23449.exe RFQ23449.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RFQ23449.exe

description	pid	process	target process
PID 1464 set thread context of 1864	1464	RFQ23449.exe	RFQ23449.exe

Drops file in Program Files directory 2 IoCs

Processes:

RFQ23449.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	RFQ23449.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	RFQ23449.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3856 schtasks.exe
3732 schtasks.exe
4472 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeRFQ23449.exe

pid process

4480 powershell.exe
4480 powershell.exe
1864 RFQ23449.exe
1864 RFQ23449.exe
1864 RFQ23449.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RFQ23449.exe

pid process

1864 RFQ23449.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRFQ23449.exe

description pid process

Token: SeDebugPrivilege 4480 powershell.exe
Token: SeDebugPrivilege 1864 RFQ23449.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RFQ23449.exe

pid process

1464 RFQ23449.exe
1464 RFQ23449.exe

pid	process
3856	schtasks.exe
3732	schtasks.exe
4472	schtasks.exe

pid	process
4480	powershell.exe
4480	powershell.exe
1864	RFQ23449.exe
1864	RFQ23449.exe
1864	RFQ23449.exe

pid	process
1864	RFQ23449.exe

description	pid	process
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	1864	RFQ23449.exe

pid	process
1464	RFQ23449.exe
1464	RFQ23449.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

RFQ23449.exeRFQ23449.exe

description	pid	process	target process
PID 1464 wrote to memory of 4480	1464	RFQ23449.exe	powershell.exe
PID 1464 wrote to memory of 4480	1464	RFQ23449.exe	powershell.exe
PID 1464 wrote to memory of 4480	1464	RFQ23449.exe	powershell.exe
PID 1464 wrote to memory of 3856	1464	RFQ23449.exe	schtasks.exe
PID 1464 wrote to memory of 3856	1464	RFQ23449.exe	schtasks.exe
PID 1464 wrote to memory of 3856	1464	RFQ23449.exe	schtasks.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1464 wrote to memory of 1864	1464	RFQ23449.exe	RFQ23449.exe
PID 1864 wrote to memory of 3732	1864	RFQ23449.exe	schtasks.exe
PID 1864 wrote to memory of 3732	1864	RFQ23449.exe	schtasks.exe
PID 1864 wrote to memory of 3732	1864	RFQ23449.exe	schtasks.exe
PID 1864 wrote to memory of 4472	1864	RFQ23449.exe	schtasks.exe
PID 1864 wrote to memory of 4472	1864	RFQ23449.exe	schtasks.exe
PID 1864 wrote to memory of 4472	1864	RFQ23449.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\RFQ23449.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ23449.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kXiyGbfiFAbV.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4480
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kXiyGbfiFAbV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3604.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\RFQ23449.exe
  "C:\Users\Admin\AppData\Local\Temp\RFQ23449.exe"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3A0B.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3732
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3AB8.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ23449.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3604.tmp

Filesize
1KB

MD5
37c82d6cb6003dede29fffa08ba454c5

SHA1
1a82994c4751f259f574a9349cd7e22766225eec

SHA256
4f22425aaa790444d47a97b5a2e4007891e285578f6eadd16419fe0dc7421f54

SHA512
982d5b19f057f2778d9fc6d318c41f2863c66426989cb15aa19eed5aeba877cd2613b37f35136e583a980628bf1fd216bb58a981fd8432c3254edfb26fd91da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A0B.tmp

Filesize
1KB

MD5
b8f832d23bc48d417e6b9901877d00b7

SHA1
d6923f5198fb39a7aa024484d7388fa6bfd9017d

SHA256
80b077004d9d103b06edc57b3be3f9d7b029d6b0f46b85c24e6f1ea012127d75

SHA512
b3de6a199126182d3619c3ee2faaa1ef2503157cd2fbccf55abcebba4de89ef94d49f49808d5d219f30d1bb05a2c8f3f4acf99043fb92d3016f6b5102bc90850

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3AB8.tmp

Filesize
1KB

MD5
2271642ca970891700e3f48439739ed8

SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793

SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68

SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Download Submit
memory/1464-135-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/1464-137-0x0000000009250000-0x00000000092B6000-memory.dmp

Filesize
408KB

Download
memory/1464-136-0x00000000092C0000-0x000000000935C000-memory.dmp

Filesize
624KB

Download
memory/1464-132-0x0000000000940000-0x00000000009F4000-memory.dmp

Filesize
720KB

Download
memory/1464-134-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/1464-133-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/1864-145-0x0000000000000000-mapping.dmp

Download
memory/1864-146-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3732-149-0x0000000000000000-mapping.dmp

Download
memory/3856-139-0x0000000000000000-mapping.dmp

Download
memory/4472-151-0x0000000000000000-mapping.dmp

Download
memory/4480-154-0x0000000074F70000-0x0000000074FBC000-memory.dmp

Filesize
304KB

Download
memory/4480-153-0x0000000006B10000-0x0000000006B42000-memory.dmp

Filesize
200KB

Download
memory/4480-141-0x00000000056A0000-0x0000000005CC8000-memory.dmp

Filesize
6.2MB

Download
memory/4480-140-0x0000000002C10000-0x0000000002C46000-memory.dmp

Filesize
216KB

Download
memory/4480-155-0x0000000006AD0000-0x0000000006AEE000-memory.dmp

Filesize
120KB

Download
memory/4480-138-0x0000000000000000-mapping.dmp

Download
memory/4480-148-0x0000000006540000-0x000000000655E000-memory.dmp

Filesize
120KB

Download
memory/4480-144-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/4480-143-0x0000000005DE0000-0x0000000005E02000-memory.dmp

Filesize
136KB

Download
memory/4480-156-0x0000000007E80000-0x00000000084FA000-memory.dmp

Filesize
6.5MB

Download
memory/4480-157-0x0000000007840000-0x000000000785A000-memory.dmp

Filesize
104KB

Download
memory/4480-158-0x00000000078B0000-0x00000000078BA000-memory.dmp

Filesize
40KB

Download
memory/4480-159-0x0000000007AC0000-0x0000000007B56000-memory.dmp

Filesize
600KB

Download
memory/4480-160-0x0000000007A70000-0x0000000007A7E000-memory.dmp

Filesize
56KB

Download
memory/4480-161-0x0000000007B80000-0x0000000007B9A000-memory.dmp

Filesize
104KB

Download
memory/4480-162-0x0000000007B60000-0x0000000007B68000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads