nanocore | 6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27

General

Target

2.exe
Size

935KB
MD5

0b8f3695483e73596116685a0559a905
SHA1

6b779e00915d671c7fca6833f56091173b275f01
SHA256

6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
SHA512

d13353828ff7d79e200a9625a02ec196cd658cff9186afafac11fda4e77a2bbb68e14d0c5debde37b045098e29744c5cf5e67564f1e205f6072e4918ff629b13
SSDEEP

12288:YSPCmh8lylSx1bAtzrwgqcWB4HrkB6slio+7ySrmqB5PREbXbM58fj0jXBm1U8Qd:YSPC9RMWiHyco8yN0SM580jXB4yBjr

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

brewsterchristophe.ddns.net:5899

194,147,5,75:5899

Mutex

b8aebc29-8c64-444f-99e6-dc4122e9bbfc

Attributes

activate_away_mode
true
backup_connection_host
194,147,5,75
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-04-29T03:26:40.572298236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5899
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
brewsterchristophe.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2.exe

description pid process target process

PID 536 set thread context of 900 536 2.exe 2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2.exe

description	pid	process	target process
PID 536 set thread context of 900	536	2.exe	2.exe

Drops file in Program Files directory 2 IoCs

Processes:

2.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	2.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2024 schtasks.exe
1284 schtasks.exe
1748 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2.exe

pid process

900 2.exe
900 2.exe
900 2.exe
900 2.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2.exe

pid process

900 2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2.exe

description pid process

Token: SeDebugPrivilege 900 2.exe

pid	process
2024	schtasks.exe
1284	schtasks.exe
1748	schtasks.exe

pid	process
900	2.exe
900	2.exe
900	2.exe
900	2.exe

pid	process
900	2.exe

description	pid	process
Token: SeDebugPrivilege	900	2.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

2.exe2.exe

description	pid	process	target process
PID 536 wrote to memory of 2024	536	2.exe	schtasks.exe
PID 536 wrote to memory of 2024	536	2.exe	schtasks.exe
PID 536 wrote to memory of 2024	536	2.exe	schtasks.exe
PID 536 wrote to memory of 2024	536	2.exe	schtasks.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 536 wrote to memory of 900	536	2.exe	2.exe
PID 900 wrote to memory of 1284	900	2.exe	schtasks.exe
PID 900 wrote to memory of 1284	900	2.exe	schtasks.exe
PID 900 wrote to memory of 1284	900	2.exe	schtasks.exe
PID 900 wrote to memory of 1284	900	2.exe	schtasks.exe
PID 900 wrote to memory of 1748	900	2.exe	schtasks.exe
PID 900 wrote to memory of 1748	900	2.exe	schtasks.exe
PID 900 wrote to memory of 1748	900	2.exe	schtasks.exe
PID 900 wrote to memory of 1748	900	2.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyfhUwSgAP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F2D.tmp"
2⤵
- Creates scheduled task(s)
PID:2024

C:\Users\Admin\AppData\Local\Temp\2.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA381.tmp"
3⤵
- Creates scheduled task(s)
PID:1284

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA45C.tmp"
3⤵
- Creates scheduled task(s)
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F2D.tmp
Filesize
1KB

MD5
f4a3c84366e4c32e68e7eb67131dd9ec

SHA1
471bad2ec7df2256572e6edee01133a0244e93ba

SHA256
14ed2e640c6ca265f7c6a13dfefef03c63ed44893562553511a55a332cf3c4c2

SHA512
9afdd1a4f32c967f0652bc1fc6ff943c7c04b1b0345565e9a516e0e47ca05739014d3c71d7f610a8f476275a98e88b78733104061b31b81cc4ab550d9be90fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA381.tmp
Filesize
1KB

MD5
1c7a53cdeb6870948f4610b272abf015

SHA1
525d54be54c6b4dc0b6c5f331d52668f663c48a1

SHA256
eec146cb0e09f66742cb9fd6bda108bd61278ecc7e25e6b9fb4e1da4c69bfb4d

SHA512
34e630b3bae600f2bdb9fd505255e49c863377b071576ff5e9d1b446ed17ba82577ea876e03ce4263cfefc479ff1dfd2433a1e7551145fb777ddd1625c214877

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA45C.tmp
Filesize
1KB

MD5
981e126601526eaa5b0ad45c496c4465

SHA1
d610d6a21a8420cc73fcd3e54ddae75a5897b28b

SHA256
11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

SHA512
a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Download Submit
memory/536-54-0x0000000000800000-0x00000000008F0000-memory.dmp

Filesize
960KB

Download
memory/536-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/536-56-0x00000000006A0000-0x00000000006C0000-memory.dmp

Filesize
128KB

Download
memory/536-57-0x00000000057B0000-0x0000000005876000-memory.dmp

Filesize
792KB

Download
memory/536-58-0x0000000005B10000-0x0000000005B86000-memory.dmp

Filesize
472KB

Download
memory/900-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-86-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/900-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-68-0x000000000041E792-mapping.dmp

Download
memory/900-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-92-0x0000000002280000-0x0000000002294000-memory.dmp

Filesize
80KB

Download
memory/900-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-91-0x0000000002210000-0x000000000223E000-memory.dmp

Filesize
184KB

Download
memory/900-90-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/900-78-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download
memory/900-79-0x0000000000500000-0x000000000051E000-memory.dmp

Filesize
120KB

Download
memory/900-80-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/900-81-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/900-82-0x00000000007D0000-0x00000000007EA000-memory.dmp

Filesize
104KB

Download
memory/900-83-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/900-84-0x0000000002090000-0x00000000020A2000-memory.dmp

Filesize
72KB

Download
memory/900-85-0x00000000020A0000-0x00000000020AE000-memory.dmp

Filesize
56KB

Download
memory/900-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/900-87-0x0000000002140000-0x0000000002154000-memory.dmp

Filesize
80KB

Download
memory/900-88-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/900-89-0x0000000002160000-0x0000000002174000-memory.dmp

Filesize
80KB

Download
memory/1284-74-0x0000000000000000-mapping.dmp

Download
memory/1748-76-0x0000000000000000-mapping.dmp

Download
memory/2024-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads