nanocore | f360431bc55ce6bbbd77f26a9bcb86b6267c3b82220d06ee4c67b44be2273735

General

Target

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Size

1.1MB
MD5

c5ca6bf1a4d668abae8a1bd58da7fa89
SHA1

1fb0c57d1ea566b703be21a5dd2334166f5a918e
SHA256

f360431bc55ce6bbbd77f26a9bcb86b6267c3b82220d06ee4c67b44be2273735
SHA512

18401e658d3d97a845d8ed05a750eb702337d9c4e1d25ccedc5a6024beb09cc333668c6f16a60e11523e79908dcd5d7d439a396724b9d5329d44648f6996fdc7
SSDEEP

24576:LrArSrrSV1DCOzMFd1bFfxR6ImZlNRU3jrx:OV/+9fxAXU

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

godisgood1.hopto.org:7712

185.225.73.164:7712

Mutex

bcd7727e-ef56-4958-8ed9-949f5c5ea8f6

Attributes

activate_away_mode
true
backup_connection_host
185.225.73.164
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-05-24T09:37:49.129028236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7712
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bcd7727e-ef56-4958-8ed9-949f5c5ea8f6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
godisgood1.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

description	pid	process	target process
PID 1636 set thread context of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Drops file in Program Files directory 2 IoCs

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1496 schtasks.exe
1700 schtasks.exe
824 schtasks.exe

pid	process
1496	schtasks.exe
1700	schtasks.exe
824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

pid	process
956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

pid process

956 APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

description pid process

Token: SeDebugPrivilege 956 APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

description	pid	process
Token: SeDebugPrivilege	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exeAPPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe

description	pid	process	target process
PID 1636 wrote to memory of 1496	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 1636 wrote to memory of 1496	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 1636 wrote to memory of 1496	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 1636 wrote to memory of 1496	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 1636 wrote to memory of 956	1636	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
PID 956 wrote to memory of 1700	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 956 wrote to memory of 1700	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 956 wrote to memory of 1700	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 956 wrote to memory of 1700	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 956 wrote to memory of 824	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 956 wrote to memory of 824	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 956 wrote to memory of 824	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe
PID 956 wrote to memory of 824	956	APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
"C:\Users\Admin\AppData\Local\Temp\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JLsbuY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp763A.tmp"
2⤵
- Creates scheduled task(s)
PID:1496

C:\Users\Admin\AppData\Local\Temp\APPLICATION FORM MASTER SDPO Brilinskiy NEW U.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7AFB.tmp"
3⤵
- Creates scheduled task(s)
PID:1700

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7BD6.tmp"
3⤵
- Creates scheduled task(s)
PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp763A.tmp
Filesize
1KB

MD5
a483e7c75aa25da7af73ffa8eb881761

SHA1
f0d7f06c2d8a6ebc6e6da146c0d22f7a6f077e8d

SHA256
04f53324f040aac2ebe34e5edfa0f546857132014daef723dd94bb3a98550398

SHA512
181591006deed51eb43d6d0309043b5cceff66cb5f12bf93526a900e11a0fb7082950088d19093e6e3d0b300f9d27c629e070c30f0b9f607211f3007e7588a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7AFB.tmp
Filesize
1KB

MD5
756e3c36fb9bc5a04c39328c911ba30d

SHA1
e65ff9b79e4e999f693a5d9201b15f90311310f5

SHA256
2296c400d5ac0337a720eb0853eec50082b8372e9f8d36ea9705facf03c67e22

SHA512
273aa5a878fee132469c399a369d902aad47ec7a7c2157c8dbfc58b710d525a466d2990f85aaa23bdcb0ef0abaceeb22f3577632a76fbd1aedcd65174da7bcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BD6.tmp
Filesize
1KB

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
memory/824-76-0x0000000000000000-mapping.dmp

Download
memory/956-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-78-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/956-92-0x00000000021C0000-0x00000000021D4000-memory.dmp

Filesize
80KB

Download
memory/956-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-91-0x0000000002190000-0x00000000021BE000-memory.dmp

Filesize
184KB

Download
memory/956-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-68-0x000000000041E792-mapping.dmp

Download
memory/956-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/956-90-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/956-89-0x00000000009D0000-0x00000000009E4000-memory.dmp

Filesize
80KB

Download
memory/956-88-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/956-87-0x00000000009B0000-0x00000000009C4000-memory.dmp

Filesize
80KB

Download
memory/956-86-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/956-79-0x00000000005F0000-0x000000000060E000-memory.dmp

Filesize
120KB

Download
memory/956-80-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/956-81-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/956-82-0x00000000006D0000-0x00000000006EA000-memory.dmp

Filesize
104KB

Download
memory/956-83-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/956-84-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/956-85-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1636-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1636-56-0x0000000000570000-0x0000000000590000-memory.dmp

Filesize
128KB

Download
memory/1636-57-0x0000000005C20000-0x0000000005CBC000-memory.dmp

Filesize
624KB

Download
memory/1636-54-0x0000000000070000-0x0000000000198000-memory.dmp

Filesize
1.2MB

Download
memory/1636-58-0x0000000002000000-0x000000000204C000-memory.dmp

Filesize
304KB

Download
memory/1700-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads