nanocore | 87129abfc88787d86562d13e016a1a4662ad0c74a649be8f7722800cef23f36d

General

Target

b38c61df6a227a6f87afb3f7be94e28b.exe
Size

863KB
MD5

b38c61df6a227a6f87afb3f7be94e28b
SHA1

dad142a9dc2d1b61146fc4d78b0883f95cfa1d3f
SHA256

87129abfc88787d86562d13e016a1a4662ad0c74a649be8f7722800cef23f36d
SHA512

2625aadd9b0cd8fa7134aa390694aad577a32f2dbec0dfba836350723e3f41d74b480c5f366a08cd4d876bf0965886a72507ca5bdba273b839b3a4ef4a087c8f
SSDEEP

12288:WPkJE0qpWGUqhHe1+P6XKu47lsIF4Q8vkc9ibVzWno3:O0cOQOkqI6QJbV4C

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rolandlandson149.bounceme.net:1007

127.0.0.1:1007

Mutex

48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-13T20:58:05.824762936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1007
default_group
sepTmAn
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rolandlandson149.bounceme.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe"	b38c61df6a227a6f87afb3f7be94e28b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b38c61df6a227a6f87afb3f7be94e28b.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exe

description pid process target process

PID 3992 set thread context of 1256 3992 b38c61df6a227a6f87afb3f7be94e28b.exe b38c61df6a227a6f87afb3f7be94e28b.exe

description	pid	process	target process
PID 3992 set thread context of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe

Drops file in Program Files directory 2 IoCs

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Manager\ddpmgr.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
File opened for modification	C:\Program Files (x86)\DDP Manager\ddpmgr.exe	b38c61df6a227a6f87afb3f7be94e28b.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3512 schtasks.exe
5036 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exe

pid process

1256 b38c61df6a227a6f87afb3f7be94e28b.exe
1256 b38c61df6a227a6f87afb3f7be94e28b.exe
1256 b38c61df6a227a6f87afb3f7be94e28b.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exe

pid process

1256 b38c61df6a227a6f87afb3f7be94e28b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exe

description pid process

Token: SeDebugPrivilege 1256 b38c61df6a227a6f87afb3f7be94e28b.exe

pid	process
3512	schtasks.exe
5036	schtasks.exe

pid	process
1256	b38c61df6a227a6f87afb3f7be94e28b.exe
1256	b38c61df6a227a6f87afb3f7be94e28b.exe
1256	b38c61df6a227a6f87afb3f7be94e28b.exe

pid	process
1256	b38c61df6a227a6f87afb3f7be94e28b.exe

description	pid	process
Token: SeDebugPrivilege	1256	b38c61df6a227a6f87afb3f7be94e28b.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

b38c61df6a227a6f87afb3f7be94e28b.exeb38c61df6a227a6f87afb3f7be94e28b.exe

description	pid	process	target process
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 3992 wrote to memory of 1256	3992	b38c61df6a227a6f87afb3f7be94e28b.exe	b38c61df6a227a6f87afb3f7be94e28b.exe
PID 1256 wrote to memory of 3512	1256	b38c61df6a227a6f87afb3f7be94e28b.exe	schtasks.exe
PID 1256 wrote to memory of 3512	1256	b38c61df6a227a6f87afb3f7be94e28b.exe	schtasks.exe
PID 1256 wrote to memory of 3512	1256	b38c61df6a227a6f87afb3f7be94e28b.exe	schtasks.exe
PID 1256 wrote to memory of 5036	1256	b38c61df6a227a6f87afb3f7be94e28b.exe	schtasks.exe
PID 1256 wrote to memory of 5036	1256	b38c61df6a227a6f87afb3f7be94e28b.exe	schtasks.exe
PID 1256 wrote to memory of 5036	1256	b38c61df6a227a6f87afb3f7be94e28b.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b38c61df6a227a6f87afb3f7be94e28b.exe
"C:\Users\Admin\AppData\Local\Temp\b38c61df6a227a6f87afb3f7be94e28b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\b38c61df6a227a6f87afb3f7be94e28b.exe
"C:\Users\Admin\AppData\Local\Temp\b38c61df6a227a6f87afb3f7be94e28b.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp"
3⤵
- Creates scheduled task(s)
PID:3512

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8E66.tmp"
3⤵
- Creates scheduled task(s)
PID:5036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8D0D.tmp
Filesize
1KB

MD5
b67b116f38a7cbe8b5169ecb5a6a7e6b

SHA1
ba77e3ca26c419df203c9e218463490074b1ed78

SHA256
93ba8d0bb1247e6e2a2ed64def7492161d6cb5920e0113af656021f359ec6b6e

SHA512
210ee68cfa48173e5f2e90c110c7438b26c2c64e0a3d39d0a8d03fa3d7ad178231718e675a2294b6e7b10d3bf902c129921cc5db4f4975ef77ca209e76ddc55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E66.tmp
Filesize
1KB

MD5
677848190631e19222304d1982aa2e1b

SHA1
bed6cf97d3458e4ea59ff9823375d915a9b3d682

SHA256
8bcf16c788d228932fa707bb4250c05151e099bdf7040adc717e53680601be3d

SHA512
f5d41e150011bc63f4c95799e21fe91ffaa25eb05f4ca46ea89f3a3ca5325413ba4e0b7b5d69c0bc189955f3308c4928016a7cc1d6f7c2352639106952e92b1e

Download Submit
memory/1256-138-0x0000000000000000-mapping.dmp

Download
memory/1256-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3512-140-0x0000000000000000-mapping.dmp

Download
memory/3992-132-0x0000000000EA0000-0x0000000000F7C000-memory.dmp

Filesize
880KB

Download
memory/3992-133-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/3992-134-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/3992-135-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/3992-136-0x0000000009760000-0x00000000097FC000-memory.dmp

Filesize
624KB

Download
memory/3992-137-0x0000000009800000-0x0000000009866000-memory.dmp

Filesize
408KB

Download
memory/5036-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads