nanocore | 5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27 | Triage

Analysis

max time kernel
80s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22/09/2022, 08:06 UTC

Sharing

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.10719.exe
Size

747KB
MD5

af42b0292f68c682ee25ebeeeed252f1
SHA1

c5cbd951d312ff199fe96bf66d10fb6432b60538
SHA256

5f203844e8cb82ad24fcef815c4fcb03fa14789663e8fa83b459e6f1f1852f27
SHA512

d2264f4f63800519ce59df43cea2329ae615e90abb282fe50caff91c3db520de3f3d466748af4ff4dc8e14474743717da26430d45ea86c9d394f5e06ecc2bfea
SSDEEP

12288:uHTxVKKXlj5wM67OVKPBf2dbL+RlIgcFP3gZVkkHOrK:e/xmPBUeRlIDKKkHO

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

brewsterchristophe.ddns.net:5899

194,147,5,75:5899

Mutex

b8aebc29-8c64-444f-99e6-dc4122e9bbfc

Attributes

activate_away_mode
true
backup_connection_host
194,147,5,75
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-04-29T03:26:40.572298236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5899
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b8aebc29-8c64-444f-99e6-dc4122e9bbfc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
brewsterchristophe.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"	SecuriteInfo.com.Win32.PWSX-gen.10719.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Win32.PWSX-gen.10719.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UDP Service\udpsv.exe	SecuriteInfo.com.Win32.PWSX-gen.10719.exe
File opened for modification	C:\Program Files (x86)\UDP Service\udpsv.exe	SecuriteInfo.com.Win32.PWSX-gen.10719.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
1636	schtasks.exe
1364	schtasks.exe
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe
1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe
1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe
1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1636	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	27
PID 1872 wrote to memory of 1636	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	27
PID 1872 wrote to memory of 1636	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	27
PID 1872 wrote to memory of 1636	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	27
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1872 wrote to memory of 1680	1872	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	29
PID 1680 wrote to memory of 1364	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	30
PID 1680 wrote to memory of 1364	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	30
PID 1680 wrote to memory of 1364	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	30
PID 1680 wrote to memory of 1364	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	30
PID 1680 wrote to memory of 1760	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	32
PID 1680 wrote to memory of 1760	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	32
PID 1680 wrote to memory of 1760	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	32
PID 1680 wrote to memory of 1760	1680	SecuriteInfo.com.Win32.PWSX-gen.10719.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10719.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10719.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NFjJzBjHKAes" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB194.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10719.exe
  "{path}"
  2⤵
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1364
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB8A7.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1760

Network

DNS

brewsterchristophe.ddns.net

SecuriteInfo.com.Win32.PWSX-gen.10719.exe

Remote address:

8.8.8.8:53

Request

brewsterchristophe.ddns.net

IN A

Response

brewsterchristophe.ddns.net

IN A

185.216.71.196

185.216.71.196:5899

brewsterchristophe.ddns.net

SecuriteInfo.com.Win32.PWSX-gen.10719.exe

10.5kB
373.7kB
198
342

8.8.8.8:53

brewsterchristophe.ddns.net

dns

SecuriteInfo.com.Win32.PWSX-gen.10719.exe

73 B
89 B
1
1

DNS Request

brewsterchristophe.ddns.net

DNS Response

185.216.71.196

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB194.tmp

Filesize
1KB

MD5
eddb37a1cf3fcc89f95d5a198fb9ab35

SHA1
8abbc5047ce98bbf6dbc5b2a0a22f5444922ddb9

SHA256
670f93b230e0423e45862f14ed9086901dd3d94052718a7299f53aa782bc580e

SHA512
c10644c5ba60f5e5d62e9a2b1719f29bc762928899256a0b3544feb9d95909cd6d5a37ee3944008752d2ee4000f64a20a81e3ddc0789c456662f6600e6ff8f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB78D.tmp

Filesize
1KB

MD5
80e1e6028a0c057f65d6069635a6d588

SHA1
f923f8bf361ca483437c0699d22e91c25a04d80c

SHA256
db23555b47d3b79a7e0e3d6d69cc3bb2ea4db771b47d2cf9fbc7778e2cda7e69

SHA512
b9808938234f20b4653469a80f97bbc5d400fe809dac6da52a758b529f30ce08493615908f62288896108bacebddaf471afb81ec9f515f284db8f64fac79b8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB8A7.tmp

Filesize
1KB

MD5
0a24db62cb5b84309c4803346caaa25d

SHA1
67660778f61bb44168c33ed3fe56ed86cf9583e8

SHA256
38d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df

SHA512
d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548

Download Submit
memory/1680-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-79-0x0000000000980000-0x000000000099E000-memory.dmp

Filesize
120KB

Download
memory/1680-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-92-0x00000000010D0000-0x00000000010E4000-memory.dmp

Filesize
80KB

Download
memory/1680-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1680-91-0x00000000048C0000-0x00000000048EE000-memory.dmp

Filesize
184KB

Download
memory/1680-90-0x00000000010B0000-0x00000000010BE000-memory.dmp

Filesize
56KB

Download
memory/1680-89-0x0000000001060000-0x0000000001074000-memory.dmp

Filesize
80KB

Download
memory/1680-88-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download
memory/1680-78-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/1680-87-0x0000000001000000-0x0000000001014000-memory.dmp

Filesize
80KB

Download
memory/1680-80-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/1680-81-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/1680-82-0x0000000000E40000-0x0000000000E5A000-memory.dmp

Filesize
104KB

Download
memory/1680-83-0x0000000000E70000-0x0000000000E7E000-memory.dmp

Filesize
56KB

Download
memory/1680-84-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/1680-85-0x0000000000EE0000-0x0000000000EEE000-memory.dmp

Filesize
56KB

Download
memory/1680-86-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/1872-58-0x0000000000C70000-0x0000000000CAA000-memory.dmp

Filesize
232KB

Download
memory/1872-55-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1872-56-0x0000000000970000-0x0000000000990000-memory.dmp

Filesize
128KB

Download
memory/1872-57-0x0000000005E40000-0x0000000005ECA000-memory.dmp

Filesize
552KB

Download
memory/1872-54-0x00000000010E0000-0x00000000011A0000-memory.dmp

Filesize
768KB

Download