nanocore | 70a93613417666b6510d74c43274e63eaf29fa1e382abf8f21f4b011fbb07440

General

Target

Shipment receipt.exe
Size

231KB
MD5

8af8789eac67de3b398fd91caad301c7
SHA1

46a834f5f2a07eefec376232b8785187c46bab5d
SHA256

0439c7d1f0b9dd75617a6cd78c086139feccd6a2eb91d43e3d09e6194f14bebd
SHA512

831f6d22a66a272cbe603d638a9e02685b587ce97ef7730f930c72a70f68a285afa005d090d950797bcb0c4fbb45d6a6f5401d29f7fd2037670086f656ffe7da
SSDEEP

3072:NW3q9x4CuQqhAp05FIGRnNadfS5AmqKnoeN:NmqvyhAp05FnNKmqKoe

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

ratagain.gleeze.com:5050

ratagainbk.gleeze.com:5050

Mutex

facea582-6bb8-4111-bf8c-c4bbbdd42ea8

Attributes

activate_away_mode
true
backup_connection_host
ratagainbk.gleeze.com
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-01-24T09:08:07.151828536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
5050
default_group
April
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
facea582-6bb8-4111-bf8c-c4bbbdd42ea8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ratagain.gleeze.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Shipment receipt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Shipment receipt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Shipment receipt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zxaxoqehw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nxbjycx\\Zxaxoqehw.exe\""	Shipment receipt.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Shipment receipt.exe

description pid process target process

PID 1504 set thread context of 2608 1504 Shipment receipt.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5032 timeout.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeShipment receipt.exeRegAsm.exe

pid process

1792 powershell.exe
1792 powershell.exe
1504 Shipment receipt.exe
1504 Shipment receipt.exe
2608 RegAsm.exe
2608 RegAsm.exe
2608 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2608 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Shipment receipt.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1504 Shipment receipt.exe
Token: SeDebugPrivilege 1792 powershell.exe
Token: SeDebugPrivilege 2608 RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

description	pid	process	target process
PID 1504 set thread context of 2608	1504	Shipment receipt.exe	RegAsm.exe

pid	process
5032	timeout.exe

pid	process
1792	powershell.exe
1792	powershell.exe
1504	Shipment receipt.exe
1504	Shipment receipt.exe
2608	RegAsm.exe
2608	RegAsm.exe
2608	RegAsm.exe

pid	process
2608	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1504	Shipment receipt.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2608	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Shipment receipt.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 2476	1504	Shipment receipt.exe	cmd.exe
PID 1504 wrote to memory of 2476	1504	Shipment receipt.exe	cmd.exe
PID 1504 wrote to memory of 2476	1504	Shipment receipt.exe	cmd.exe
PID 2476 wrote to memory of 5032	2476	cmd.exe	timeout.exe
PID 2476 wrote to memory of 5032	2476	cmd.exe	timeout.exe
PID 2476 wrote to memory of 5032	2476	cmd.exe	timeout.exe
PID 1504 wrote to memory of 1792	1504	Shipment receipt.exe	powershell.exe
PID 1504 wrote to memory of 1792	1504	Shipment receipt.exe	powershell.exe
PID 1504 wrote to memory of 1792	1504	Shipment receipt.exe	powershell.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe
PID 1504 wrote to memory of 2608	1504	Shipment receipt.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Shipment receipt.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment receipt.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAQwA6AFwAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAHgAYgBqAHkAYwB4AFwAWgB4AGEAeABvAHEAZQBoAHcALgBlAHgAZQAnAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-132-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/1504-133-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/1504-134-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/1504-135-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/1792-144-0x0000000005D70000-0x0000000005D8E000-memory.dmp

Filesize
120KB

Download
memory/1792-147-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/1792-138-0x0000000000000000-mapping.dmp

Download
memory/1792-139-0x00000000027B0000-0x00000000027E6000-memory.dmp

Filesize
216KB

Download
memory/1792-140-0x0000000004E60000-0x0000000005488000-memory.dmp

Filesize
6.2MB

Download
memory/1792-141-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/1792-142-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/1792-143-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/1792-154-0x00000000073A0000-0x00000000073A8000-memory.dmp

Filesize
32KB

Download
memory/1792-145-0x0000000006F30000-0x0000000006F62000-memory.dmp

Filesize
200KB

Download
memory/1792-146-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/1792-153-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/1792-148-0x00000000076C0000-0x0000000007D3A000-memory.dmp

Filesize
6.5MB

Download
memory/1792-149-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/1792-150-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/1792-151-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/1792-152-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/2476-136-0x0000000000000000-mapping.dmp

Download
memory/2608-155-0x0000000000000000-mapping.dmp

Download
memory/2608-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2608-157-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/5032-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads