nanocore | 6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27

General

Target

2.exe
Size

935KB
MD5

0b8f3695483e73596116685a0559a905
SHA1

6b779e00915d671c7fca6833f56091173b275f01
SHA256

6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
SHA512

d13353828ff7d79e200a9625a02ec196cd658cff9186afafac11fda4e77a2bbb68e14d0c5debde37b045098e29744c5cf5e67564f1e205f6072e4918ff629b13
SSDEEP

12288:YSPCmh8lylSx1bAtzrwgqcWB4HrkB6slio+7ySrmqB5PREbXbM58fj0jXBm1U8Qd:YSPC9RMWiHyco8yN0SM580jXB4yBjr

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

brewsterchristophe.ddns.net:5899

194,147,5,75:5899

Mutex

b8aebc29-8c64-444f-99e6-dc4122e9bbfc

Attributes

activate_away_mode
true
backup_connection_host
194,147,5,75
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-04-29T03:26:40.572298236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5899
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
brewsterchristophe.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

2.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	2.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2.exe

description pid process target process

PID 5044 set thread context of 3052 5044 2.exe 2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2.exe

description	pid	process	target process
PID 5044 set thread context of 3052	5044	2.exe	2.exe

Drops file in Program Files directory 2 IoCs

Processes:

2.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	2.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3600 schtasks.exe
3900 schtasks.exe
3296 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2.exe

pid process

3052 2.exe
3052 2.exe
3052 2.exe
3052 2.exe
3052 2.exe
3052 2.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2.exe

pid process

3052 2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2.exe

description pid process

Token: SeDebugPrivilege 3052 2.exe

pid	process
3600	schtasks.exe
3900	schtasks.exe
3296	schtasks.exe

pid	process
3052	2.exe
3052	2.exe
3052	2.exe
3052	2.exe
3052	2.exe
3052	2.exe

pid	process
3052	2.exe

description	pid	process
Token: SeDebugPrivilege	3052	2.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2.exe2.exe

description	pid	process	target process
PID 5044 wrote to memory of 3600	5044	2.exe	schtasks.exe
PID 5044 wrote to memory of 3600	5044	2.exe	schtasks.exe
PID 5044 wrote to memory of 3600	5044	2.exe	schtasks.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 5044 wrote to memory of 3052	5044	2.exe	2.exe
PID 3052 wrote to memory of 3900	3052	2.exe	schtasks.exe
PID 3052 wrote to memory of 3900	3052	2.exe	schtasks.exe
PID 3052 wrote to memory of 3900	3052	2.exe	schtasks.exe
PID 3052 wrote to memory of 3296	3052	2.exe	schtasks.exe
PID 3052 wrote to memory of 3296	3052	2.exe	schtasks.exe
PID 3052 wrote to memory of 3296	3052	2.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyfhUwSgAP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF84F.tmp"
2⤵
- Creates scheduled task(s)
PID:3600

C:\Users\Admin\AppData\Local\Temp\2.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFCD3.tmp"
3⤵
- Creates scheduled task(s)
PID:3900

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD32.tmp"
3⤵
- Creates scheduled task(s)
PID:3296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log
Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF84F.tmp
Filesize
1KB

MD5
b82d837ac9b8f6fd99e50d531309e6fb

SHA1
0b2efeae8e68f9630c3fb37e83902899c1cc5a1d

SHA256
aa5c49c89d3b73c3922304f4328db2e2c66d5750b39237b17082ad361dd23dd4

SHA512
5d121199e138c34c5545a64753f8f640e7ebbb4f1370f51be10247ef81a03e3e31779181a69b4aed6eb53e8a4c904055a55ec29c306aca6b74dd323510a8f3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFCD3.tmp
Filesize
1KB

MD5
1c7a53cdeb6870948f4610b272abf015

SHA1
525d54be54c6b4dc0b6c5f331d52668f663c48a1

SHA256
eec146cb0e09f66742cb9fd6bda108bd61278ecc7e25e6b9fb4e1da4c69bfb4d

SHA512
34e630b3bae600f2bdb9fd505255e49c863377b071576ff5e9d1b446ed17ba82577ea876e03ce4263cfefc479ff1dfd2433a1e7551145fb777ddd1625c214877

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFD32.tmp
Filesize
1KB

MD5
2271642ca970891700e3f48439739ed8

SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793

SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68

SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Download Submit
memory/3052-140-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3052-139-0x0000000000000000-mapping.dmp

Download
memory/3052-146-0x00000000069F0000-0x0000000006A56000-memory.dmp

Filesize
408KB

Download
memory/3296-144-0x0000000000000000-mapping.dmp

Download
memory/3600-137-0x0000000000000000-mapping.dmp

Download
memory/3900-142-0x0000000000000000-mapping.dmp

Download
memory/5044-132-0x00000000002A0000-0x0000000000390000-memory.dmp

Filesize
960KB

Download
memory/5044-134-0x0000000004C60000-0x0000000004CF2000-memory.dmp

Filesize
584KB

Download
memory/5044-133-0x0000000005210000-0x00000000057B4000-memory.dmp

Filesize
5.6MB

Download
memory/5044-136-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/5044-135-0x0000000004D00000-0x0000000004D9C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads