nanocore | 172b1b4196ed3fe45e2918e5203da55fe1442f84b233a4e73fdcb4ce5ae173d5

General

Target

FPS BOOST V1.2.exe
Size

5.6MB
MD5

43b3f6b0372279b1979c5436cc95e81b
SHA1

2e423915abb7f2d0218d9242efb80c316807cc2d
SHA256

172b1b4196ed3fe45e2918e5203da55fe1442f84b233a4e73fdcb4ce5ae173d5
SHA512

9a16837d76ce2d753bd56efadcb2a9de4cc444e7ceb0440f145fd2cefe2963ebaeb69bdb0105ad619c8d33c651f36cc1f436f211ee0d045eb96d129c1271b0d8
SSDEEP

98304:bS73Dg1TPX2WE5FKkNJoOBCOz6IJd/EsTaMxv1h:bSzDghVEnlofAV5

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

this-france.at.playit.gg:5433

Mutex

08391501-f9bf-4d33-aed0-472eea26a9d6

Attributes

activate_away_mode
false
backup_connection_host
this-france.at.playit.gg
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-06T10:40:06.892555136Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
5433
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
08391501-f9bf-4d33-aed0-472eea26a9d6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
this-france.at.playit.gg
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

fps Boost.exeHost.exe

pid process

4404 fps Boost.exe
1444 Host.exe

pid	process
4404	fps Boost.exe
1444	Host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FPS BOOST V1.2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	FPS BOOST V1.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Host.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	Host.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Host.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Host.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Host.exe

Drops file in Program Files directory 14 IoCs

Processes:

javaw.exeHost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb	javaw.exe
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	Host.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	Host.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

FPS BOOST V1.2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FPS BOOST V1.2.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Host.exe

pid process

1444 Host.exe
1444 Host.exe
1444 Host.exe
1444 Host.exe
1444 Host.exe
1444 Host.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Host.exe

pid process

1444 Host.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Host.exe

description pid process

Token: SeDebugPrivilege 1444 Host.exe

pid	process
1444	Host.exe
1444	Host.exe
1444	Host.exe
1444	Host.exe
1444	Host.exe
1444	Host.exe

pid	process
1444	Host.exe

description	pid	process
Token: SeDebugPrivilege	1444	Host.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

FPS BOOST V1.2.exefps Boost.exe

description	pid	process	target process
PID 4828 wrote to memory of 4404	4828	FPS BOOST V1.2.exe	fps Boost.exe
PID 4828 wrote to memory of 4404	4828	FPS BOOST V1.2.exe	fps Boost.exe
PID 4828 wrote to memory of 4404	4828	FPS BOOST V1.2.exe	fps Boost.exe
PID 4404 wrote to memory of 4992	4404	fps Boost.exe	javaw.exe
PID 4404 wrote to memory of 4992	4404	fps Boost.exe	javaw.exe
PID 4828 wrote to memory of 1444	4828	FPS BOOST V1.2.exe	Host.exe
PID 4828 wrote to memory of 1444	4828	FPS BOOST V1.2.exe	Host.exe
PID 4828 wrote to memory of 1444	4828	FPS BOOST V1.2.exe	Host.exe

C:\Users\Admin\AppData\Local\Temp\FPS BOOST V1.2.exe
"C:\Users\Admin\AppData\Local\Temp\FPS BOOST V1.2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\fps Boost.exe
"C:\Users\Admin\AppData\Local\Temp\fps Boost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\fps Boost.exe" org.develnext.jphp.ext.javafx.FXLauncher
3⤵
- Drops file in Program Files directory
PID:4992

C:\Users\Admin\AppData\Local\Temp\Host.exe
"C:\Users\Admin\AppData\Local\Temp\Host.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
209KB

MD5
221ecab58265b79e3d97194221086fa4

SHA1
419df93c4c839fea14ff64a145ba1068c2a5cf58

SHA256
c310539c980e3124593e9c499cefcd3b6ce5873b3dd10c30800f22533bb382ed

SHA512
1666c773d57d188e74762f62eddb115e92cbad00d19f2e7380c1becd8eff350e6a4f6ac41052e38de51d2af17963e506e98bbe43cd5b0541365154204c3341ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host.exe
Filesize
209KB

MD5
221ecab58265b79e3d97194221086fa4

SHA1
419df93c4c839fea14ff64a145ba1068c2a5cf58

SHA256
c310539c980e3124593e9c499cefcd3b6ce5873b3dd10c30800f22533bb382ed

SHA512
1666c773d57d188e74762f62eddb115e92cbad00d19f2e7380c1becd8eff350e6a4f6ac41052e38de51d2af17963e506e98bbe43cd5b0541365154204c3341ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\fps Boost.exe
Filesize
3.3MB

MD5
7d9c85a11d773f2ba1512845b50ceccf

SHA1
ddc233cef3698a3fa1fc50ed29ad2c0c82a6c8d9

SHA256
2ad82df832d5150b9f33abc658f9254b152fa993752b17bd545d25ff09dfc224

SHA512
4b790b04ac0424f70a878a91e646856e85a71a1cd293a2f33d61f13a7448fc7373f313cc3616a72303b10f1178c795bd773d39e834270184e43e18a10b469ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fps Boost.exe
Filesize
3.3MB

MD5
7d9c85a11d773f2ba1512845b50ceccf

SHA1
ddc233cef3698a3fa1fc50ed29ad2c0c82a6c8d9

SHA256
2ad82df832d5150b9f33abc658f9254b152fa993752b17bd545d25ff09dfc224

SHA512
4b790b04ac0424f70a878a91e646856e85a71a1cd293a2f33d61f13a7448fc7373f313cc3616a72303b10f1178c795bd773d39e834270184e43e18a10b469ffc

Download Submit
memory/1444-143-0x0000000000000000-mapping.dmp

Download
memory/1444-157-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/1444-159-0x0000000074B30000-0x00000000750E1000-memory.dmp

Filesize
5.7MB

Download
memory/4404-133-0x0000000000000000-mapping.dmp

Download
memory/4828-132-0x0000000000400000-0x00000000009A3000-memory.dmp

Filesize
5.6MB

Download
memory/4992-141-0x0000000002C10000-0x0000000003C10000-memory.dmp

Filesize
16.0MB

Download
memory/4992-136-0x0000000000000000-mapping.dmp

Download
memory/4992-158-0x0000000002C10000-0x0000000003C10000-memory.dmp

Filesize
16.0MB

Download
memory/4992-160-0x0000000002C10000-0x0000000003C10000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads