nanocore | 6de59ba9ae89955fac2a6fda448cf36fddd092df3bdca623aa64fd6e688de6f2

General

Target

DOC-5629026378927-01263896626________________.js
Size

375KB
MD5

d194e3fda4edc0012e10ba5b89eaf23b
SHA1

7c4ec6fe2bc68b4fcf0ca98f3f14a2da09837042
SHA256

6de59ba9ae89955fac2a6fda448cf36fddd092df3bdca623aa64fd6e688de6f2
SHA512

aaf3bef9e251d41f0cb6e22f06569129caf4f56e15fae3009b1e3c776580fe96254e6a6f041a0fc2aef784914c2dbafc5afe95c538365188fbf8e148213bda5d
SSDEEP

6144:W+KBpCSQkoSiW+YrVGx+Bvh9lILpa/3CDCG9J7x8fF5KVYfUlRBDeY0L1G:W+2QkVTJh9t3Q8zK++RWL1G

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

vasticbless.hopto.org:408

80.76.51.88:408

Mutex

779bee15-ee15-4d9f-8c7e-232e7691a569

Attributes

activate_away_mode
true
backup_connection_host
80.76.51.88
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-11T01:54:40.768762336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
408
default_group
WONDERS
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
779bee15-ee15-4d9f-8c7e-232e7691a569
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
vasticbless.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

MY NAN STUB.exe

pid process

224 MY NAN STUB.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wscript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation wscript.exe

pid	process
224	MY NAN STUB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MY NAN STUB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe"	MY NAN STUB.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

MY NAN STUB.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MY NAN STUB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MY NAN STUB.exe

Drops file in Program Files directory 2 IoCs

Processes:

MY NAN STUB.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Manager\ddpmgr.exe	MY NAN STUB.exe
File opened for modification	C:\Program Files (x86)\DDP Manager\ddpmgr.exe	MY NAN STUB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2084 schtasks.exe
3200 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MY NAN STUB.exe

pid process

224 MY NAN STUB.exe
224 MY NAN STUB.exe
224 MY NAN STUB.exe
224 MY NAN STUB.exe
224 MY NAN STUB.exe
224 MY NAN STUB.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

MY NAN STUB.exe

pid process

224 MY NAN STUB.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MY NAN STUB.exe

description pid process

Token: SeDebugPrivilege 224 MY NAN STUB.exe

pid	process
2084	schtasks.exe
3200	schtasks.exe

pid	process
224	MY NAN STUB.exe
224	MY NAN STUB.exe
224	MY NAN STUB.exe
224	MY NAN STUB.exe
224	MY NAN STUB.exe
224	MY NAN STUB.exe

pid	process
224	MY NAN STUB.exe

description	pid	process
Token: SeDebugPrivilege	224	MY NAN STUB.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.exeMY NAN STUB.exe

description	pid	process	target process
PID 1788 wrote to memory of 2468	1788	wscript.exe	wscript.exe
PID 1788 wrote to memory of 2468	1788	wscript.exe	wscript.exe
PID 1788 wrote to memory of 224	1788	wscript.exe	MY NAN STUB.exe
PID 1788 wrote to memory of 224	1788	wscript.exe	MY NAN STUB.exe
PID 1788 wrote to memory of 224	1788	wscript.exe	MY NAN STUB.exe
PID 224 wrote to memory of 2084	224	MY NAN STUB.exe	schtasks.exe
PID 224 wrote to memory of 2084	224	MY NAN STUB.exe	schtasks.exe
PID 224 wrote to memory of 2084	224	MY NAN STUB.exe	schtasks.exe
PID 224 wrote to memory of 3200	224	MY NAN STUB.exe	schtasks.exe
PID 224 wrote to memory of 3200	224	MY NAN STUB.exe	schtasks.exe
PID 224 wrote to memory of 3200	224	MY NAN STUB.exe	schtasks.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\DOC-5629026378927-01263896626________________.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GkIINJHzvf.js"
  2⤵
  PID:2468
- C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe
  "C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2084
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp64A.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp

Filesize
1KB

MD5
efec9d1da6f9b8c43598503f63d7057e

SHA1
53e7d8b039bf9866f63c24601883168408bdbba2

SHA256
9c503d5502db3d6548907f063e2882121980872f5957079c506dba5a9e44a71d

SHA512
2d9ec398907b1cfad9b870141873feb644bbddfe52fb6b7de9d88dcc0d9ff33e0c2ce973540d21081518f19a862fa8b6e58f552d060ed8493290d3553c6d3c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp64A.tmp

Filesize
1KB

MD5
677848190631e19222304d1982aa2e1b

SHA1
bed6cf97d3458e4ea59ff9823375d915a9b3d682

SHA256
8bcf16c788d228932fa707bb4250c05151e099bdf7040adc717e53680601be3d

SHA512
f5d41e150011bc63f4c95799e21fe91ffaa25eb05f4ca46ea89f3a3ca5325413ba4e0b7b5d69c0bc189955f3308c4928016a7cc1d6f7c2352639106952e92b1e

Download Submit
C:\Users\Admin\AppData\Roaming\GkIINJHzvf.js

Filesize
2KB

MD5
1ff9d13010262605ad190f7c357842c0

SHA1
65b81a05e993a92bcb9e517ff36fc4aba24873d8

SHA256
f19539d580dd16f82afabf7c2ec350a4273e9f1cb131a269f9e34f6ae75b4119

SHA512
ec0902dc259ac279c8c60ff98d4e87826c6fb1ae9729db97685daac7f640f9c7d9c469ef42e68e08e8af2ae41ebfbc6508be8780f99b91c1fc4e2a2bb416a10e

Download Submit
C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe

Filesize
203KB

MD5
76658348d014ff1282ee9e9cd178da1c

SHA1
b4eeb8debd8a52f5c9d889363ab6205349b39de9

SHA256
1a3e3f202267a54aa75ec2f157f5762412f21b8d9fa375e2ccf46149e3775770

SHA512
42fd035c8b6719545580e893286d0a3cb6626874e45a945b52a2c06522d9539e0ab9292c417e047198f5e2814ca6b8290205390613f42015e383fa7c2af1f305

Download Submit
C:\Users\Admin\AppData\Roaming\MY NAN STUB.exe

Filesize
203KB

MD5
76658348d014ff1282ee9e9cd178da1c

SHA1
b4eeb8debd8a52f5c9d889363ab6205349b39de9

SHA256
1a3e3f202267a54aa75ec2f157f5762412f21b8d9fa375e2ccf46149e3775770

SHA512
42fd035c8b6719545580e893286d0a3cb6626874e45a945b52a2c06522d9539e0ab9292c417e047198f5e2814ca6b8290205390613f42015e383fa7c2af1f305

Download Submit
memory/224-134-0x0000000000000000-mapping.dmp

Download
memory/224-137-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/224-142-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2084-138-0x0000000000000000-mapping.dmp

Download
memory/2468-132-0x0000000000000000-mapping.dmp

Download
memory/3200-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads