nanocore | 4a006f30188cebe843f8f979bbb0bd3c1808bb8bc46f9e2dbbec566d1e0e9e6b

General

Target

46f93ddbac62282be9a1c50c45fc47af.exe
Size

880KB
MD5

46f93ddbac62282be9a1c50c45fc47af
SHA1

fd33afba3b59b797a44916b55f5edc66b4550679
SHA256

4a006f30188cebe843f8f979bbb0bd3c1808bb8bc46f9e2dbbec566d1e0e9e6b
SHA512

89ea18de5c201acd10b0256733671ccdab52c9d9c7f0c6d0e635a2a08bffac95501b77739edeaa71a2b08d39b149661cc4cf268b67ee0edeb617caa84d7c6e5c
SSDEEP

12288:58eSvB7/el8Z5GW8mnMBtZIHEDmpuWqV1bCBW5twGw9/:5M1eOWt+kDOub1GBW5twt9/

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rolandlandson149.bounceme.net:1007

127.0.0.1:1007

Mutex

48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-13T20:58:05.824762936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1007
default_group
sepTmAn
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rolandlandson149.bounceme.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"	46f93ddbac62282be9a1c50c45fc47af.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process target process

PID 860 set thread context of 1528 860 46f93ddbac62282be9a1c50c45fc47af.exe 46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 860 set thread context of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Drops file in Program Files directory 2 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Manager\agpmgr.exe	46f93ddbac62282be9a1c50c45fc47af.exe
File opened for modification	C:\Program Files (x86)\AGP Manager\agpmgr.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1128 schtasks.exe
1940 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

1528 46f93ddbac62282be9a1c50c45fc47af.exe
1528 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

1528 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process

Token: SeDebugPrivilege 1528 46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
1128	schtasks.exe
1940	schtasks.exe

pid	process
1528	46f93ddbac62282be9a1c50c45fc47af.exe
1528	46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
1528	46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process
Token: SeDebugPrivilege	1528	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 860 wrote to memory of 1528	860	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1128	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 1528 wrote to memory of 1940	1528	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe
"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe
"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD48F.tmp"
3⤵
- Creates scheduled task(s)
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD5B8.tmp"
3⤵
- Creates scheduled task(s)
PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD48F.tmp

Filesize
1KB

MD5
06f19a531502f7c18e0e845e9378115e

SHA1
61392960eeefb9048ab40806b73180abe52effa4

SHA256
d84aeda36d3a02bc747dda659a9e3b0d2e0b8d500b2a8fb7de23863d7d6f10e5

SHA512
499cee0a456bdae39473155da1ba6c42bd3b32c28cc53f40a3e52e391345feafe0c0bbe509dca17d9c655754061df580d90b921f9f137f06ce15acd1a233550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD5B8.tmp

Filesize
1KB

MD5
885d6dd30570594e167fadb59d9ca0ea

SHA1
9981e583644c4eb9cf5056615a0e1c2913c8983b

SHA256
7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2

SHA512
1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a

Download Submit
memory/860-59-0x0000000000E10000-0x0000000000E4A000-memory.dmp

Filesize
232KB

Download
memory/860-58-0x0000000005F40000-0x0000000005FD4000-memory.dmp

Filesize
592KB

Download
memory/860-54-0x0000000001040000-0x0000000001122000-memory.dmp

Filesize
904KB

Download
memory/860-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/860-57-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/860-56-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/1128-73-0x0000000000000000-mapping.dmp

Download
memory/1528-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-67-0x000000000041E792-mapping.dmp

Download
memory/1528-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-77-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1528-78-0x0000000000600000-0x000000000061E000-memory.dmp

Filesize
120KB

Download
memory/1528-79-0x0000000000840000-0x000000000084A000-memory.dmp

Filesize
40KB

Download
memory/1940-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads