nanocore | 805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe
Size

1.0MB
MD5

6479bab24edb6fcbf6a9e30f1ede5350
SHA1

074aa404d459bedd54f1458ff050425d3b13595d
SHA256

805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168
SHA512

0b8d169265288303846863a387f736c83105beba498b3f6a6a13df0daefb00a8ea5a97cc162e943973c9677c2171c659e06fc2fc5c8b1f0992358a21121af6f0
SSDEEP

24576:WTyR+/tkb+5aXDpguXYyeQ+uAjOyRmc2J+5fM:WmR+EuaX2uXUzDOyRh2I5

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.2

333.icodework.com:333

Mutex

ee78121e-0e59-4e43-80a8-77aa27911566

Attributes

activate_away_mode
true
backup_connection_host
333.icodework.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-04-09T09:30:24.848521036Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
333
default_group
Unused
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
ee78121e-0e59-4e43-80a8-77aa27911566
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
333.icodework.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.2
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 5 IoCs

Processes:

Setupx.exechrome.exeSetup.exeSetup.tmpchrome.exe

pid process

224 Setupx.exe
2600 chrome.exe
1292 Setup.exe
1868 Setup.tmp
1404 chrome.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setupx.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation Setupx.exe

pid	process
224	Setupx.exe
2600	chrome.exe
1292	Setup.exe
1868	Setup.tmp
1404	chrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Setupx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Update = "C:\\Users\\Admin\\AppData\\Roaming\\Googlr\\chrome.exe"	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

chrome.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA chrome.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

chrome.exe

description pid process target process

PID 2600 set thread context of 1404 2600 chrome.exe chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

chrome.exe

pid process

1404 chrome.exe
1404 chrome.exe
1404 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

1404 chrome.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

chrome.exe

description pid process

Token: SeDebugPrivilege 1404 chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	chrome.exe

description	pid	process	target process
PID 2600 set thread context of 1404	2600	chrome.exe	chrome.exe

pid	process
1404	chrome.exe
1404	chrome.exe
1404	chrome.exe

pid	process
1404	chrome.exe

description	pid	process
Token: SeDebugPrivilege	1404	chrome.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exeSetupx.exeSetup.exechrome.exe

description	pid	process	target process
PID 2404 wrote to memory of 224	2404	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe	Setupx.exe
PID 2404 wrote to memory of 224	2404	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe	Setupx.exe
PID 2404 wrote to memory of 224	2404	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe	Setupx.exe
PID 224 wrote to memory of 2600	224	Setupx.exe	chrome.exe
PID 224 wrote to memory of 2600	224	Setupx.exe	chrome.exe
PID 224 wrote to memory of 2600	224	Setupx.exe	chrome.exe
PID 2404 wrote to memory of 1292	2404	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe	Setup.exe
PID 2404 wrote to memory of 1292	2404	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe	Setup.exe
PID 2404 wrote to memory of 1292	2404	805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe	Setup.exe
PID 1292 wrote to memory of 1868	1292	Setup.exe	Setup.tmp
PID 1292 wrote to memory of 1868	1292	Setup.exe	Setup.tmp
PID 1292 wrote to memory of 1868	1292	Setup.exe	Setup.tmp
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe
PID 2600 wrote to memory of 1404	2600	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe
"C:\Users\Admin\AppData\Local\Temp\805858e3f9bbe0408705aa14a4f7f496da20ceae892546b751e8e54b06596168.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setupx.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setupx.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe
"C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2600

C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe
"C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\is-4O3TI.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4O3TI.tmp\Setup.tmp" /SL5="$701B6,161280,0,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe"
3⤵
- Executes dropped EXE
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\chrome.exe.log
Filesize
400B

MD5
0a9b4592cd49c3c21f6767c2dabda92f

SHA1
f534297527ae5ccc0ecb2221ddeb8e58daeb8b74

SHA256
c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd

SHA512
6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
Filesize
652KB

MD5
bc4f968b1813215e9f92943a226ac021

SHA1
9dfc83eee341a6657e57be8397b19ed13b9e9af0

SHA256
f270fde71d7ba34e1af716606f607a9e18db9c3b53f82b6ff32d6389cbc637e4

SHA512
f201997727df4ec0b5c5007f5779a57281982eef4a76469b18122399488cbaaf959fedbf9cffdaa597cbc6eb663ae1bcca068243a504dc047478beb55ffd4adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup.exe
Filesize
652KB

MD5
bc4f968b1813215e9f92943a226ac021

SHA1
9dfc83eee341a6657e57be8397b19ed13b9e9af0

SHA256
f270fde71d7ba34e1af716606f607a9e18db9c3b53f82b6ff32d6389cbc637e4

SHA512
f201997727df4ec0b5c5007f5779a57281982eef4a76469b18122399488cbaaf959fedbf9cffdaa597cbc6eb663ae1bcca068243a504dc047478beb55ffd4adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setupx.exe
Filesize
521KB

MD5
8df64f35b96bd65186b515edd8ce6225

SHA1
ee69ea1443fb0ad3fcd0148c3778fb2856ee2ae1

SHA256
2ba8f77e6ab2950ec530d6c766ac49d3116e6edf86b1d5f61ea5643d3852d372

SHA512
de7ae72cc03bfb2fc13ee784582adbc7c0b2c3307ca85ee54c46a5a28a6934baf54dc040963eb8df751ce4e3fc33834c0fed354cfaf0e6b5e2ac3ede7b1770a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setupx.exe
Filesize
521KB

MD5
8df64f35b96bd65186b515edd8ce6225

SHA1
ee69ea1443fb0ad3fcd0148c3778fb2856ee2ae1

SHA256
2ba8f77e6ab2950ec530d6c766ac49d3116e6edf86b1d5f61ea5643d3852d372

SHA512
de7ae72cc03bfb2fc13ee784582adbc7c0b2c3307ca85ee54c46a5a28a6934baf54dc040963eb8df751ce4e3fc33834c0fed354cfaf0e6b5e2ac3ede7b1770a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4O3TI.tmp\Setup.tmp
Filesize
1.2MB

MD5
719be85f31c91590e100af7b519fc925

SHA1
4de2833297efa60dbbfed238d83e5250fdf504b8

SHA256
b1a84898d2764002f8d4db7ba229facaef1796706864c068ccfb298c14d198cf

SHA512
8cb123b840427e9a30a8c0a312b62388c92b8ff7f657d336196e4d77309b1d7c756f511427e008687c69dca5dd3825926795aa4c1caab4179ccd6a6ccc9ef864

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4O3TI.tmp\Setup.tmp
Filesize
1.2MB

MD5
719be85f31c91590e100af7b519fc925

SHA1
4de2833297efa60dbbfed238d83e5250fdf504b8

SHA256
b1a84898d2764002f8d4db7ba229facaef1796706864c068ccfb298c14d198cf

SHA512
8cb123b840427e9a30a8c0a312b62388c92b8ff7f657d336196e4d77309b1d7c756f511427e008687c69dca5dd3825926795aa4c1caab4179ccd6a6ccc9ef864

Download Submit
C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe
Filesize
315KB

MD5
018a269bbc04adc31df96d5fe3d83827

SHA1
f5cf468c4c7edd1a1f4889dcd38f6d9f09b7cd76

SHA256
e3d78b0d9001bc61a38de11ce414bd70f58b89d742a6a439a1c0eb4425a5cf95

SHA512
834326268f309d803c60a106b9a85f4c9e84c42925049c903712d0e22269774673e0648c0b2ef1a2bdcd599cab6810fd6e2407d268818320d8d12852b1d675f8

Download Submit
C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe
Filesize
315KB

MD5
018a269bbc04adc31df96d5fe3d83827

SHA1
f5cf468c4c7edd1a1f4889dcd38f6d9f09b7cd76

SHA256
e3d78b0d9001bc61a38de11ce414bd70f58b89d742a6a439a1c0eb4425a5cf95

SHA512
834326268f309d803c60a106b9a85f4c9e84c42925049c903712d0e22269774673e0648c0b2ef1a2bdcd599cab6810fd6e2407d268818320d8d12852b1d675f8

Download Submit
C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe
Filesize
315KB

MD5
018a269bbc04adc31df96d5fe3d83827

SHA1
f5cf468c4c7edd1a1f4889dcd38f6d9f09b7cd76

SHA256
e3d78b0d9001bc61a38de11ce414bd70f58b89d742a6a439a1c0eb4425a5cf95

SHA512
834326268f309d803c60a106b9a85f4c9e84c42925049c903712d0e22269774673e0648c0b2ef1a2bdcd599cab6810fd6e2407d268818320d8d12852b1d675f8

Download Submit
C:\Users\Admin\AppData\Roaming\Googlr\chrome.exe.config
Filesize
153B

MD5
71b937bf243c20e451b482dba7e9cdca

SHA1
607c0296581ec60b61792136e07987d120a6092a

SHA256
fb2d50d4766fc31153e47bfa9c1d92ea46825f3c5c16331b15da9ff03387d78d

SHA512
f5e3a67f08271f5e59c247388a9424a5cee30e852e85486f0193d322e576b384f6184e26fd967c6f7af4d358fec0207e7f0664aefe5daeedea516b9e406f4a37

Download Submit
memory/224-132-0x0000000000000000-mapping.dmp

Download
memory/1292-139-0x0000000000000000-mapping.dmp

Download
memory/1292-142-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1292-145-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1292-158-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1404-151-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1404-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1404-149-0x0000000000000000-mapping.dmp

Download
memory/1404-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1404-157-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1404-159-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/1868-146-0x0000000000000000-mapping.dmp

Download
memory/2600-144-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2600-156-0x00000000749A0000-0x0000000074F51000-memory.dmp

Filesize
5.7MB

Download
memory/2600-135-0x0000000000000000-mapping.dmp

Download