nanocore | 6de59ba9ae89955fac2a6fda448cf36fddd092df3bdca623aa64fd6e688de6f2

General

Target

DOC-5629026378927-01263896626________________.js
Size

375KB
MD5

d194e3fda4edc0012e10ba5b89eaf23b
SHA1

7c4ec6fe2bc68b4fcf0ca98f3f14a2da09837042
SHA256

6de59ba9ae89955fac2a6fda448cf36fddd092df3bdca623aa64fd6e688de6f2
SHA512

aaf3bef9e251d41f0cb6e22f06569129caf4f56e15fae3009b1e3c776580fe96254e6a6f041a0fc2aef784914c2dbafc5afe95c538365188fbf8e148213bda5d
SSDEEP

6144:W+KBpCSQkoSiW+YrVGx+Bvh9lILpa/3CDCG9J7x8fF5KVYfUlRBDeY0L1G:W+2QkVTJh9t3Q8zK++RWL1G

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

vasticbless.hopto.org:408

80.76.51.88:408

Mutex

779bee15-ee15-4d9f-8c7e-232e7691a569

Attributes

activate_away_mode
true
backup_connection_host
80.76.51.88
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-11T01:54:40.768762336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
408
default_group
WONDERS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
779bee15-ee15-4d9f-8c7e-232e7691a569
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
vasticbless.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

MY NAN STUB.exe

pid process

2036 MY NAN STUB.exe

pid	process
2036	MY NAN STUB.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MY NAN STUB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe"	MY NAN STUB.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MY NAN STUB.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MY NAN STUB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MY NAN STUB.exe

Drops file in Program Files directory 2 IoCs

Processes:

MY NAN STUB.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\TCP Service\tcpsvc.exe	MY NAN STUB.exe
File created	C:\Program Files (x86)\TCP Service\tcpsvc.exe	MY NAN STUB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

980 schtasks.exe
856 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MY NAN STUB.exe

pid process

2036 MY NAN STUB.exe
2036 MY NAN STUB.exe
2036 MY NAN STUB.exe
2036 MY NAN STUB.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MY NAN STUB.exe

pid process

2036 MY NAN STUB.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MY NAN STUB.exe

description pid process

Token: SeDebugPrivilege 2036 MY NAN STUB.exe

pid	process
980	schtasks.exe
856	schtasks.exe

pid	process
2036	MY NAN STUB.exe
2036	MY NAN STUB.exe
2036	MY NAN STUB.exe
2036	MY NAN STUB.exe

pid	process
2036	MY NAN STUB.exe

description	pid	process
Token: SeDebugPrivilege	2036	MY NAN STUB.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

wscript.exeMY NAN STUB.exe

description	pid	process	target process
PID 1628 wrote to memory of 1048	1628	wscript.exe	wscript.exe
PID 1628 wrote to memory of 1048	1628	wscript.exe	wscript.exe
PID 1628 wrote to memory of 1048	1628	wscript.exe	wscript.exe
PID 1628 wrote to memory of 2036	1628	wscript.exe	MY NAN STUB.exe
PID 1628 wrote to memory of 2036	1628	wscript.exe	MY NAN STUB.exe
PID 1628 wrote to memory of 2036	1628	wscript.exe	MY NAN STUB.exe
PID 1628 wrote to memory of 2036	1628	wscript.exe	MY NAN STUB.exe
PID 2036 wrote to memory of 980	2036	MY NAN STUB.exe	schtasks.exe
PID 2036 wrote to memory of 980	2036	MY NAN STUB.exe	schtasks.exe
PID 2036 wrote to memory of 980	2036	MY NAN STUB.exe	schtasks.exe
PID 2036 wrote to memory of 980	2036	MY NAN STUB.exe	schtasks.exe
PID 2036 wrote to memory of 856	2036	MY NAN STUB.exe	schtasks.exe
PID 2036 wrote to memory of 856	2036	MY NAN STUB.exe	schtasks.exe
PID 2036 wrote to memory of 856	2036	MY NAN STUB.exe	schtasks.exe
PID 2036 wrote to memory of 856	2036	MY NAN STUB.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\DOC-5629026378927-01263896626________________.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GkIINJHzvf.js"
  2⤵
  PID:1048
- C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe
  "C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBD4.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:980
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1019.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1019.tmp

Filesize
1KB

MD5
9db6095f31f8b4ae8173fe11424a8dfe

SHA1
4b0655ae95def24a41710ca137649d93bfa49407

SHA256
9911b4513e44521c90c020ddcddea1ddc58095055a72ec638b593bf9ee23aa72

SHA512
5bee977264545a30a2d53e674f54a4066d4529dc9162d46911b9cac957052cdc1ea7c8d60f9c57d3f33db6cb964b1e6bb2347d0e0e2af0a32ac98938c02ffc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBD4.tmp

Filesize
1KB

MD5
efec9d1da6f9b8c43598503f63d7057e

SHA1
53e7d8b039bf9866f63c24601883168408bdbba2

SHA256
9c503d5502db3d6548907f063e2882121980872f5957079c506dba5a9e44a71d

SHA512
2d9ec398907b1cfad9b870141873feb644bbddfe52fb6b7de9d88dcc0d9ff33e0c2ce973540d21081518f19a862fa8b6e58f552d060ed8493290d3553c6d3c75

Download Submit
C:\Users\Admin\AppData\Roaming\GkIINJHzvf.js

Filesize
2KB

MD5
1ff9d13010262605ad190f7c357842c0

SHA1
65b81a05e993a92bcb9e517ff36fc4aba24873d8

SHA256
f19539d580dd16f82afabf7c2ec350a4273e9f1cb131a269f9e34f6ae75b4119

SHA512
ec0902dc259ac279c8c60ff98d4e87826c6fb1ae9729db97685daac7f640f9c7d9c469ef42e68e08e8af2ae41ebfbc6508be8780f99b91c1fc4e2a2bb416a10e

Download Submit
C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe

Filesize
203KB

MD5
76658348d014ff1282ee9e9cd178da1c

SHA1
b4eeb8debd8a52f5c9d889363ab6205349b39de9

SHA256
1a3e3f202267a54aa75ec2f157f5762412f21b8d9fa375e2ccf46149e3775770

SHA512
42fd035c8b6719545580e893286d0a3cb6626874e45a945b52a2c06522d9539e0ab9292c417e047198f5e2814ca6b8290205390613f42015e383fa7c2af1f305

Download Submit
C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe

Filesize
203KB

MD5
76658348d014ff1282ee9e9cd178da1c

SHA1
b4eeb8debd8a52f5c9d889363ab6205349b39de9

SHA256
1a3e3f202267a54aa75ec2f157f5762412f21b8d9fa375e2ccf46149e3775770

SHA512
42fd035c8b6719545580e893286d0a3cb6626874e45a945b52a2c06522d9539e0ab9292c417e047198f5e2814ca6b8290205390613f42015e383fa7c2af1f305

Download Submit
memory/856-64-0x0000000000000000-mapping.dmp

Download
memory/980-62-0x0000000000000000-mapping.dmp

Download
memory/1048-55-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download
memory/2036-61-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-60-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2036-66-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads