nanocore | b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9

General

Target

NEWORDER736648833.scr.exe
Size

1.2MB
MD5

35e0c0fe9fbec6f870542d34703544a3
SHA1

c11b28d1a26745b9eb19f84619d1362c64d05df8
SHA256

b0c5a3e2456d9df495e299db88e2431ab0133ea2327d885f6234ecf8ba5805e9
SHA512

e52163770da3030b034f700b7d46f4f2a7ba5db9b5b06244598b0d843fcc3ca9184a9cf134f2d4e711c74f037401cf8a5b4e90703cf705ca60ddbf86e9f70863
SSDEEP

24576:0AOcZ2i7H0AknChev6tUM2y0waKKV8gyUcztVqEubl83o9ZkbgH:iG0Pnx5yvqV8gJWfqEUU2ZkE

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

mrjeffy.duckdns.org:43147

Mutex

762143b0-4a71-4961-bdc0-dc92d1e3db2b

Attributes

activate_away_mode
true
backup_connection_host
mrjeffy.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-15T08:44:26.326041736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
43147
default_group
MY TIME HAS COME
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
762143b0-4a71-4961-bdc0-dc92d1e3db2b
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mrjeffy.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

avbndwivx.exeRegSvcs.exe

pid process

4720 avbndwivx.exe
3476 RegSvcs.exe

pid	process
4720	avbndwivx.exe
3476	RegSvcs.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEWORDER736648833.scr.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	NEWORDER736648833.scr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

avbndwivx.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	avbndwivx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GOOGLECHROME = "0\\6_93\\avbndwivx.exe 0\\6_93\\muhveetsa.mba"	avbndwivx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "0\\6_93\\Update.vbs"	avbndwivx.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

avbndwivx.exeRegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	avbndwivx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

avbndwivx.exe

description pid process target process

PID 4720 set thread context of 3476 4720 avbndwivx.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4720 set thread context of 3476	4720	avbndwivx.exe	RegSvcs.exe

Modifies registry class 2 IoCs

Processes:

NEWORDER736648833.scr.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	NEWORDER736648833.scr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exeavbndwivx.exe

pid	process
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
3476	RegSvcs.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe
4720	avbndwivx.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

3476 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3476 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3476	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

NEWORDER736648833.scr.exeWScript.exeavbndwivx.exe

description	pid	process	target process
PID 4984 wrote to memory of 4360	4984	NEWORDER736648833.scr.exe	WScript.exe
PID 4984 wrote to memory of 4360	4984	NEWORDER736648833.scr.exe	WScript.exe
PID 4984 wrote to memory of 4360	4984	NEWORDER736648833.scr.exe	WScript.exe
PID 4360 wrote to memory of 4720	4360	WScript.exe	avbndwivx.exe
PID 4360 wrote to memory of 4720	4360	WScript.exe	avbndwivx.exe
PID 4360 wrote to memory of 4720	4360	WScript.exe	avbndwivx.exe
PID 4720 wrote to memory of 3476	4720	avbndwivx.exe	RegSvcs.exe
PID 4720 wrote to memory of 3476	4720	avbndwivx.exe	RegSvcs.exe
PID 4720 wrote to memory of 3476	4720	avbndwivx.exe	RegSvcs.exe
PID 4720 wrote to memory of 3476	4720	avbndwivx.exe	RegSvcs.exe
PID 4720 wrote to memory of 3476	4720	avbndwivx.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\NEWORDER736648833.scr.exe
"C:\Users\Admin\AppData\Local\Temp\NEWORDER736648833.scr.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\6_93\bqxwed.vbe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
"C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe" muhveetsa.mba
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\avbndwivx.exe
Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\kvfqovb.qlg
Filesize
405KB

MD5
b1f6ffe2cfd1a5f5d074cc7daeb4977c

SHA1
e437b81e6dae9091fee8e441a171a9bdcfc9155f

SHA256
a9290d9bc4b74469df41a4721cda0c03b51f492fbd4d58e8e2e29d208c8af849

SHA512
10f35fddf12cdb140c6a86d2aa4a8ac09064a05088c1bc0510c7d960d70fb4c409a81da50cd05b30e5702262eec85aba116d60b651e0824b3e4563434bd22fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\monagbatm.bmp
Filesize
60KB

MD5
05e06967ce6f8f18c257e89dad1d9ccf

SHA1
c3294181a626cd6f854d3a39f997976e63410aff

SHA256
3917ced15bbde2fda1f313285a878900718e61624b9bd09304243c6f647b4ae6

SHA512
07cbc2da758b9e38062a10792835212826ede71a3185d3b41b41ca6ac6622b710bd6464daa124332e6b7e0be5520ac92c9769469847fa53a29a0b093b6a711ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_93\muhveetsa.mba
Filesize
153.9MB

MD5
f2785eec51e8dabfd92f0499e819ff06

SHA1
3cd670814b88fb1eb175e195f3cc0797dee09e5d

SHA256
e8c63a6ef9f95c810f0c0af05e15a7a0f0405ed00172ea761297bd340b67f8f0

SHA512
4f9d119ac3d55e1ab0b5bb377ac87e9bcac65204004183af2972cf350c40c66796d75c1fe26ea8b7ab2f535f4e9c99c23ed95928dd6ed6dced3446ab8e5fd542

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\temp\6_93\bqxwed.vbe
Filesize
32KB

MD5
c5cf50f07a23884e342b75707653b90d

SHA1
511141c70c3cce8ffa0299a9de39ecc081ec5ce2

SHA256
5005fb971703554085a1ca21509adc432d3b28d4abf075061a6126fd049b57a9

SHA512
df444357933e5e6427d242dd046aca63482a412d296bf8ed8652dfff29d7f554805c56733daab9a6256bdcf90c0d4bf1b57f568ed388301374ea338d4aa6dfc7

Download Submit
memory/3476-140-0x0000000000500000-0x0000000000B8B000-memory.dmp

Filesize
6.5MB

Download
memory/3476-141-0x000000000051E792-mapping.dmp

Download
memory/3476-144-0x0000000000500000-0x0000000000538000-memory.dmp

Filesize
224KB

Download
memory/3476-145-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/3476-146-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/3476-147-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/3476-148-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/3476-149-0x0000000000F80000-0x0000000000FE6000-memory.dmp

Filesize
408KB

Download
memory/4360-132-0x0000000000000000-mapping.dmp

Download
memory/4720-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads