nanocore | aa29265f5e201b2526817c8dde62991a3bb3bdc1dd80e6b20394fbb3d6ea53ad

General

Target

3366d2d7c367362151c83c5b8d270278.exe
Size

741KB
MD5

3366d2d7c367362151c83c5b8d270278
SHA1

f4b6ae0991337713a80efdaeaa45a54bc039e8c7
SHA256

aa29265f5e201b2526817c8dde62991a3bb3bdc1dd80e6b20394fbb3d6ea53ad
SHA512

8adaea612d2bf7f209021d9f163662fc28a044c53c41490d12a90d645a1599f0559d12e113b883aa1405613da7d1a64108db840c102d7c2ab4f6ad080cb11a94
SSDEEP

12288:+AVF75e1ZCe/tmO9afI7iFPtDSysDj/ZyxmduqGU:JVZ52ZhmwNGPtaExkdGU

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rolandlandson149.bounceme.net:1007

127.0.0.1:1007

Mutex

48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-13T20:58:05.824762936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1007
default_group
sepTmAn
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rolandlandson149.bounceme.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3366d2d7c367362151c83c5b8d270278.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	3366d2d7c367362151c83c5b8d270278.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3366d2d7c367362151c83c5b8d270278.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3366d2d7c367362151c83c5b8d270278.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3366d2d7c367362151c83c5b8d270278.exe

description pid process target process

PID 1956 set thread context of 1364 1956 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe

description	pid	process	target process
PID 1956 set thread context of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe

Drops file in Program Files directory 2 IoCs

Processes:

3366d2d7c367362151c83c5b8d270278.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	3366d2d7c367362151c83c5b8d270278.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	3366d2d7c367362151c83c5b8d270278.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1544 schtasks.exe
836 schtasks.exe

pid	process
1544	schtasks.exe
836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3366d2d7c367362151c83c5b8d270278.exe

pid	process
1364	3366d2d7c367362151c83c5b8d270278.exe
1364	3366d2d7c367362151c83c5b8d270278.exe
1364	3366d2d7c367362151c83c5b8d270278.exe
1364	3366d2d7c367362151c83c5b8d270278.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

3366d2d7c367362151c83c5b8d270278.exe

pid process

1364 3366d2d7c367362151c83c5b8d270278.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3366d2d7c367362151c83c5b8d270278.exe

description pid process

Token: SeDebugPrivilege 1364 3366d2d7c367362151c83c5b8d270278.exe

description	pid	process
Token: SeDebugPrivilege	1364	3366d2d7c367362151c83c5b8d270278.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3366d2d7c367362151c83c5b8d270278.exe3366d2d7c367362151c83c5b8d270278.exe

description	pid	process	target process
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1956 wrote to memory of 1364	1956	3366d2d7c367362151c83c5b8d270278.exe	3366d2d7c367362151c83c5b8d270278.exe
PID 1364 wrote to memory of 1544	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe
PID 1364 wrote to memory of 1544	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe
PID 1364 wrote to memory of 1544	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe
PID 1364 wrote to memory of 1544	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe
PID 1364 wrote to memory of 836	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe
PID 1364 wrote to memory of 836	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe
PID 1364 wrote to memory of 836	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe
PID 1364 wrote to memory of 836	1364	3366d2d7c367362151c83c5b8d270278.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe
"C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe
"C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCAA0.tmp"
3⤵
- Creates scheduled task(s)
PID:1544

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCC85.tmp"
3⤵
- Creates scheduled task(s)
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCAA0.tmp
Filesize
1KB

MD5
419681b40dea5ba2b469a06b53392099

SHA1
2bd7efad2ac1ce65b401543920f6c444522e8a09

SHA256
ab07e147239a03c327b6f0d4f872c3ae86da173fc45df99b5d4813315e3a9b89

SHA512
e10d3ef7b1694a7581b181493199face85757f0772a1acb3b3606de327c07b6dded9d717bafe8af7f022e898d60654714092670d54eb6b5b6cb8c5ef40e1f1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC85.tmp
Filesize
1KB

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
memory/836-75-0x0000000000000000-mapping.dmp

Download
memory/1364-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-84-0x0000000002110000-0x000000000211E000-memory.dmp

Filesize
56KB

Download
memory/1364-77-0x00000000003D0000-0x00000000003DA000-memory.dmp

Filesize
40KB

Download
memory/1364-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-90-0x0000000004500000-0x000000000452E000-memory.dmp

Filesize
184KB

Download
memory/1364-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-67-0x000000000041E792-mapping.dmp

Download
memory/1364-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-89-0x00000000044A0000-0x00000000044AE000-memory.dmp

Filesize
56KB

Download
memory/1364-88-0x0000000004480000-0x0000000004494000-memory.dmp

Filesize
80KB

Download
memory/1364-87-0x0000000004430000-0x0000000004440000-memory.dmp

Filesize
64KB

Download
memory/1364-91-0x0000000004530000-0x0000000004544000-memory.dmp

Filesize
80KB

Download
memory/1364-86-0x0000000004420000-0x0000000004434000-memory.dmp

Filesize
80KB

Download
memory/1364-78-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/1364-79-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/1364-80-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/1364-81-0x00000000020E0000-0x00000000020FA000-memory.dmp

Filesize
104KB

Download
memory/1364-82-0x0000000002040000-0x000000000204E000-memory.dmp

Filesize
56KB

Download
memory/1364-83-0x0000000002090000-0x00000000020A2000-memory.dmp

Filesize
72KB

Download
memory/1364-85-0x00000000021A0000-0x00000000021AC000-memory.dmp

Filesize
48KB

Download
memory/1544-73-0x0000000000000000-mapping.dmp

Download
memory/1956-58-0x0000000004CE0000-0x0000000004D74000-memory.dmp

Filesize
592KB

Download
memory/1956-59-0x0000000002210000-0x000000000224A000-memory.dmp

Filesize
232KB

Download
memory/1956-56-0x00000000008B0000-0x00000000008C8000-memory.dmp

Filesize
96KB

Download
memory/1956-57-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1956-54-0x0000000000910000-0x00000000009CE000-memory.dmp

Filesize
760KB

Download
memory/1956-55-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads