nanocore | 4a006f30188cebe843f8f979bbb0bd3c1808bb8bc46f9e2dbbec566d1e0e9e6b

General

Target

46f93ddbac62282be9a1c50c45fc47af.exe
Size

880KB
MD5

46f93ddbac62282be9a1c50c45fc47af
SHA1

fd33afba3b59b797a44916b55f5edc66b4550679
SHA256

4a006f30188cebe843f8f979bbb0bd3c1808bb8bc46f9e2dbbec566d1e0e9e6b
SHA512

89ea18de5c201acd10b0256733671ccdab52c9d9c7f0c6d0e635a2a08bffac95501b77739edeaa71a2b08d39b149661cc4cf268b67ee0edeb617caa84d7c6e5c
SSDEEP

12288:58eSvB7/el8Z5GW8mnMBtZIHEDmpuWqV1bCBW5twGw9/:5M1eOWt+kDOub1GBW5twt9/

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

rolandlandson149.bounceme.net:1007

127.0.0.1:1007

Mutex

48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-13T20:58:05.824762936Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1007
default_group
sepTmAn
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
rolandlandson149.bounceme.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"	46f93ddbac62282be9a1c50c45fc47af.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process target process

PID 4308 set thread context of 2172 4308 46f93ddbac62282be9a1c50c45fc47af.exe 46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 4308 set thread context of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Drops file in Program Files directory 2 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Monitor\agpmon.exe	46f93ddbac62282be9a1c50c45fc47af.exe
File opened for modification	C:\Program Files (x86)\AGP Monitor\agpmon.exe	46f93ddbac62282be9a1c50c45fc47af.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3468 schtasks.exe
3756 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

2172 46f93ddbac62282be9a1c50c45fc47af.exe
2172 46f93ddbac62282be9a1c50c45fc47af.exe
2172 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

pid process

2172 46f93ddbac62282be9a1c50c45fc47af.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe

description pid process

Token: SeDebugPrivilege 2172 46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
3468	schtasks.exe
3756	schtasks.exe

pid	process
2172	46f93ddbac62282be9a1c50c45fc47af.exe
2172	46f93ddbac62282be9a1c50c45fc47af.exe
2172	46f93ddbac62282be9a1c50c45fc47af.exe

pid	process
2172	46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process
Token: SeDebugPrivilege	2172	46f93ddbac62282be9a1c50c45fc47af.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

46f93ddbac62282be9a1c50c45fc47af.exe46f93ddbac62282be9a1c50c45fc47af.exe

description	pid	process	target process
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 4308 wrote to memory of 2172	4308	46f93ddbac62282be9a1c50c45fc47af.exe	46f93ddbac62282be9a1c50c45fc47af.exe
PID 2172 wrote to memory of 3468	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3468	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3468	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3756	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3756	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe
PID 2172 wrote to memory of 3756	2172	46f93ddbac62282be9a1c50c45fc47af.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe
"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4308

C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe
"C:\Users\Admin\AppData\Local\Temp\46f93ddbac62282be9a1c50c45fc47af.exe"
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp200B.tmp"
- Creates scheduled task(s)
PID:3468

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2164.tmp"
- Creates scheduled task(s)
PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\46f93ddbac62282be9a1c50c45fc47af.exe.log
Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp200B.tmp
Filesize
1KB

MD5
06f19a531502f7c18e0e845e9378115e

SHA1
61392960eeefb9048ab40806b73180abe52effa4

SHA256
d84aeda36d3a02bc747dda659a9e3b0d2e0b8d500b2a8fb7de23863d7d6f10e5

SHA512
499cee0a456bdae39473155da1ba6c42bd3b32c28cc53f40a3e52e391345feafe0c0bbe509dca17d9c655754061df580d90b921f9f137f06ce15acd1a233550e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2164.tmp
Filesize
1KB

MD5
157cd55403665c49c9fd3ca1196c4397

SHA1
4feed6e606b41bb617274471349582963182756b

SHA256
49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e

SHA512
bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8

Download Submit
memory/2172-138-0x0000000000000000-mapping.dmp

Download
memory/2172-139-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3468-141-0x0000000000000000-mapping.dmp

Download
memory/3756-143-0x0000000000000000-mapping.dmp

Download
memory/4308-137-0x0000000009710000-0x0000000009776000-memory.dmp

Filesize
408KB

Download
memory/4308-136-0x0000000009670000-0x000000000970C000-memory.dmp

Filesize
624KB

Download
memory/4308-135-0x0000000005A20000-0x0000000005A2A000-memory.dmp

Filesize
40KB

Download
memory/4308-132-0x0000000000EF0000-0x0000000000FD2000-memory.dmp

Filesize
904KB

Download
memory/4308-134-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/4308-133-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads