nanocore | b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEWORDER736648833.scr.exe
Size

1.2MB
MD5

35e0c0fe9fbec6f870542d34703544a3
SHA1

c11b28d1a26745b9eb19f84619d1362c64d05df8
SHA256

b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9
SHA512

e52163770da3030b034f700b7d46f4f2a7ba5db9b5b06244598b0d843fcc3ca9184a9cf134f2d4e711c74f037401cf8a5b4e90703cf705ca60ddbf86e9f70863
SSDEEP

24576:0AOcZ2i7H0AknChev6tUM2y0waKKV8gyUcztVqEubl83o9ZkbgH:iG0Pnx5yvqV8gJWfqEUU2ZkE

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

mrjeffy.duckdns.org:43147

Mutex

762143b0-4a71-4961-bdc0-dc92d1e3db2b

Attributes

activate_away_mode
true
backup_connection_host
mrjeffy.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-15T08:44:26.326041736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
43147
default_group
MY TIME HAS COME
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
762143b0-4a71-4961-bdc0-dc92d1e3db2b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mrjeffy.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

avbndwivx.exeRegSvcs.exe

pid process

1320 avbndwivx.exe
676 RegSvcs.exe
Loads dropped DLL 2 IoCs

Processes:

WScript.exeavbndwivx.exe

pid process

1316 WScript.exe
1320 avbndwivx.exe

pid	process
1316	WScript.exe
1320	avbndwivx.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

avbndwivx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	avbndwivx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GOOGLECHROME = "0\\6_93\\avbndwivx.exe 0\\6_93\\muhveetsa.mba"	avbndwivx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "0\\6_93\\Update.vbs"	avbndwivx.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

avbndwivx.exeRegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	avbndwivx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

avbndwivx.exe

description pid process target process

PID 1320 set thread context of 676 1320 avbndwivx.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1320 set thread context of 676	1320	avbndwivx.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

avbndwivx.exeRegSvcs.exe

pid	process
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
676	RegSvcs.exe
676	RegSvcs.exe
676	RegSvcs.exe
676	RegSvcs.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
676	RegSvcs.exe
676	RegSvcs.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
676	RegSvcs.exe
676	RegSvcs.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe
1320	avbndwivx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

676 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 676 RegSvcs.exe

pid	process
676	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	676	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

NEWORDER736648833.scr.exeWScript.exeavbndwivx.exe

description	pid	process	target process
PID 1348 wrote to memory of 1316	1348	NEWORDER736648833.scr.exe	WScript.exe
PID 1348 wrote to memory of 1316	1348	NEWORDER736648833.scr.exe	WScript.exe
PID 1348 wrote to memory of 1316	1348	NEWORDER736648833.scr.exe	WScript.exe
PID 1348 wrote to memory of 1316	1348	NEWORDER736648833.scr.exe	WScript.exe
PID 1316 wrote to memory of 1320	1316	WScript.exe	avbndwivx.exe
PID 1316 wrote to memory of 1320	1316	WScript.exe	avbndwivx.exe
PID 1316 wrote to memory of 1320	1316	WScript.exe	avbndwivx.exe
PID 1316 wrote to memory of 1320	1316	WScript.exe	avbndwivx.exe
PID 1316 wrote to memory of 1320	1316	WScript.exe	avbndwivx.exe
PID 1316 wrote to memory of 1320	1316	WScript.exe	avbndwivx.exe
PID 1316 wrote to memory of 1320	1316	WScript.exe	avbndwivx.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe
PID 1320 wrote to memory of 676	1320	avbndwivx.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\NEWORDER736648833.scr.exe
"C:\Users\Admin\AppData\Local\Temp\NEWORDER736648833.scr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_93\bqxwed.vbe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
"C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe" muhveetsa.mba
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\kvfqovb.qlg
Filesize
405KB

MD5
b1f6ffe2cfd1a5f5d074cc7daeb4977c

SHA1
e437b81e6dae9091fee8e441a171a9bdcfc9155f

SHA256
a9290d9bc4b74469df41a4721cda0c03b51f492fbd4d58e8e2e29d208c8af849

SHA512
10f35fddf12cdb140c6a86d2aa4a8ac09064a05088c1bc0510c7d960d70fb4c409a81da50cd05b30e5702262eec85aba116d60b651e0824b3e4563434bd22fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\monagbatm.bmp
Filesize
60KB

MD5
05e06967ce6f8f18c257e89dad1d9ccf

SHA1
c3294181a626cd6f854d3a39f997976e63410aff

SHA256
3917ced15bbde2fda1f313285a878900718e61624b9bd09304243c6f647b4ae6

SHA512
07cbc2da758b9e38062a10792835212826ede71a3185d3b41b41ca6ac6622b710bd6464daa124332e6b7e0be5520ac92c9769469847fa53a29a0b093b6a711ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\muhveetsa.mba
Filesize
153.9MB

MD5
f2785eec51e8dabfd92f0499e819ff06

SHA1
3cd670814b88fb1eb175e195f3cc0797dee09e5d

SHA256
e8c63a6ef9f95c810f0c0af05e15a7a0f0405ed00172ea761297bd340b67f8f0

SHA512
4f9d119ac3d55e1ab0b5bb377ac87e9bcac65204004183af2972cf350c40c66796d75c1fe26ea8b7ab2f535f4e9c99c23ed95928dd6ed6dced3446ab8e5fd542

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\temp\6_93\bqxwed.vbe
Filesize
32KB

MD5
c5cf50f07a23884e342b75707653b90d

SHA1
511141c70c3cce8ffa0299a9de39ecc081ec5ce2

SHA256
5005fb971703554085a1ca21509adc432d3b28d4abf075061a6126fd049b57a9

SHA512
df444357933e5e6427d242dd046aca63482a412d296bf8ed8652dfff29d7f554805c56733daab9a6256bdcf90c0d4bf1b57f568ed388301374ea338d4aa6dfc7

Download Submit
\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/676-75-0x0000000000420000-0x00000000009BB000-memory.dmp

Filesize
5.6MB

Download
memory/676-86-0x0000000000F90000-0x0000000000F9C000-memory.dmp

Filesize
48KB

Download
memory/676-69-0x0000000000420000-0x00000000009BB000-memory.dmp

Filesize
5.6MB

Download
memory/676-93-0x0000000001080000-0x0000000001094000-memory.dmp

Filesize
80KB

Download
memory/676-70-0x000000000043E792-mapping.dmp

Download
memory/676-73-0x0000000000420000-0x00000000009BB000-memory.dmp

Filesize
5.6MB

Download
memory/676-92-0x0000000001040000-0x000000000106E000-memory.dmp

Filesize
184KB

Download
memory/676-91-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

Filesize
56KB

Download
memory/676-77-0x0000000000420000-0x0000000000458000-memory.dmp

Filesize
224KB

Download
memory/676-79-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/676-80-0x0000000000BD0000-0x0000000000BEE000-memory.dmp

Filesize
120KB

Download
memory/676-81-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/676-82-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/676-83-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

Filesize
104KB

Download
memory/676-84-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/676-85-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/676-67-0x0000000000420000-0x00000000009BB000-memory.dmp

Filesize
5.6MB

Download
memory/676-87-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/676-88-0x0000000000FB0000-0x0000000000FC4000-memory.dmp

Filesize
80KB

Download
memory/676-89-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

Filesize
64KB

Download
memory/676-90-0x0000000000FD0000-0x0000000000FE4000-memory.dmp

Filesize
80KB

Download
memory/1316-55-0x0000000000000000-mapping.dmp

Download
memory/1320-60-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download