nanocore | 97637825f3b03f07721d1913a89386975ed4d9ef6b724cfabac27d4870e1c702

General

Target

r1QLPWfRySIThAz.exe
Size

777KB
MD5

e995458027aeaf560bf2b6a8025c3cd3
SHA1

6fad8d96fa450a5e9c882977153bb629569f5922
SHA256

97637825f3b03f07721d1913a89386975ed4d9ef6b724cfabac27d4870e1c702
SHA512

9b7d0c63a5202ee4044a871949efaeb12c0262e5f9d60297c2e9477775c00778f943b7c3ede3e473f662348e598921c91574aab44429f8c01ecce32d6f053c5d
SSDEEP

12288:X2HvdWhj697z56/jGvuSgZb385xbNBuM2KW0IdcuOQUXS8NY:Echw/EmkZb6xblW0IHOZXNY

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

godisgood1.hopto.org:7712

185.225.73.164:7712

Mutex

bcd7727e-ef56-4958-8ed9-949f5c5ea8f6

Attributes

activate_away_mode
true
backup_connection_host
185.225.73.164
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-05-24T09:37:49.129028236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7712
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bcd7727e-ef56-4958-8ed9-949f5c5ea8f6
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
godisgood1.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

r1QLPWfRySIThAz.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	r1QLPWfRySIThAz.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

r1QLPWfRySIThAz.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA r1QLPWfRySIThAz.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

r1QLPWfRySIThAz.exe

description pid process target process

PID 936 set thread context of 1364 936 r1QLPWfRySIThAz.exe r1QLPWfRySIThAz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	r1QLPWfRySIThAz.exe

description	pid	process	target process
PID 936 set thread context of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe

Drops file in Program Files directory 2 IoCs

Processes:

r1QLPWfRySIThAz.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	r1QLPWfRySIThAz.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	r1QLPWfRySIThAz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1500 schtasks.exe
436 schtasks.exe
668 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

r1QLPWfRySIThAz.exe

pid process

1364 r1QLPWfRySIThAz.exe
1364 r1QLPWfRySIThAz.exe
1364 r1QLPWfRySIThAz.exe
1364 r1QLPWfRySIThAz.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

r1QLPWfRySIThAz.exe

pid process

1364 r1QLPWfRySIThAz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

r1QLPWfRySIThAz.exe

description pid process

Token: SeDebugPrivilege 1364 r1QLPWfRySIThAz.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

r1QLPWfRySIThAz.exe

pid process

936 r1QLPWfRySIThAz.exe
936 r1QLPWfRySIThAz.exe

pid	process
1500	schtasks.exe
436	schtasks.exe
668	schtasks.exe

pid	process
1364	r1QLPWfRySIThAz.exe
1364	r1QLPWfRySIThAz.exe
1364	r1QLPWfRySIThAz.exe
1364	r1QLPWfRySIThAz.exe

pid	process
1364	r1QLPWfRySIThAz.exe

description	pid	process
Token: SeDebugPrivilege	1364	r1QLPWfRySIThAz.exe

pid	process
936	r1QLPWfRySIThAz.exe
936	r1QLPWfRySIThAz.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

r1QLPWfRySIThAz.exer1QLPWfRySIThAz.exe

description	pid	process	target process
PID 936 wrote to memory of 1500	936	r1QLPWfRySIThAz.exe	schtasks.exe
PID 936 wrote to memory of 1500	936	r1QLPWfRySIThAz.exe	schtasks.exe
PID 936 wrote to memory of 1500	936	r1QLPWfRySIThAz.exe	schtasks.exe
PID 936 wrote to memory of 1500	936	r1QLPWfRySIThAz.exe	schtasks.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 936 wrote to memory of 1364	936	r1QLPWfRySIThAz.exe	r1QLPWfRySIThAz.exe
PID 1364 wrote to memory of 436	1364	r1QLPWfRySIThAz.exe	schtasks.exe
PID 1364 wrote to memory of 436	1364	r1QLPWfRySIThAz.exe	schtasks.exe
PID 1364 wrote to memory of 436	1364	r1QLPWfRySIThAz.exe	schtasks.exe
PID 1364 wrote to memory of 436	1364	r1QLPWfRySIThAz.exe	schtasks.exe
PID 1364 wrote to memory of 668	1364	r1QLPWfRySIThAz.exe	schtasks.exe
PID 1364 wrote to memory of 668	1364	r1QLPWfRySIThAz.exe	schtasks.exe
PID 1364 wrote to memory of 668	1364	r1QLPWfRySIThAz.exe	schtasks.exe
PID 1364 wrote to memory of 668	1364	r1QLPWfRySIThAz.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\r1QLPWfRySIThAz.exe
"C:\Users\Admin\AppData\Local\Temp\r1QLPWfRySIThAz.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZVeYWtaQUaIrep" /XML "C:\Users\Admin\AppData\Local\Temp\tmp937A.tmp"
2⤵
- Creates scheduled task(s)
PID:1500

C:\Users\Admin\AppData\Local\Temp\r1QLPWfRySIThAz.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFCE6.tmp"
3⤵
- Creates scheduled task(s)
PID:436

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D3.tmp"
3⤵
- Creates scheduled task(s)
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D3.tmp
Filesize
1KB

MD5
981e126601526eaa5b0ad45c496c4465

SHA1
d610d6a21a8420cc73fcd3e54ddae75a5897b28b

SHA256
11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

SHA512
a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp937A.tmp
Filesize
1KB

MD5
c2e3d798437d3c2da3beba5db1033dd9

SHA1
aa0308bb8195de58af213d9468ae610da0e92da5

SHA256
f179e7bc4c7da7498fd74db4298a406aaace0bbb32ee2816317445d1189417d3

SHA512
10cae0439652fc2e549b3feb5bffed89b3a43e53683b2b80df1ae479a38e6d3f13948c0a110498bdb9e0232a905b3f969b7560388784bf2bab24e8a84cba5d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFCE6.tmp
Filesize
1KB

MD5
de4dc3d90e4d8663ad34b67bf55a05c0

SHA1
804527cafd60970ceb009e493e1e90cbbbb8648b

SHA256
2322ac8f7991417e50fa27da04f70cc6110304fd6258ce9ca0776d33c6dd9de5

SHA512
79041c971d20e760a7cf150e254ae001f9c7f7fb15c35a3880bf5505d02e16b5b25f9a2b40326fbab3d7133944ade90bf612e4d759be70fdf9445f35b7580373

Download Submit
memory/436-75-0x0000000000000000-mapping.dmp

Download
memory/668-77-0x0000000000000000-mapping.dmp

Download
memory/936-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/936-56-0x0000000004F27000-0x0000000004F38000-memory.dmp

Filesize
68KB

Download
memory/936-57-0x00000000008F0000-0x0000000000910000-memory.dmp

Filesize
128KB

Download
memory/936-58-0x0000000005EF0000-0x0000000005F7C000-memory.dmp

Filesize
560KB

Download
memory/936-59-0x0000000005900000-0x000000000593A000-memory.dmp

Filesize
232KB

Download
memory/936-54-0x0000000000CB0000-0x0000000000D78000-memory.dmp

Filesize
800KB

Download
memory/1364-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-81-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1364-69-0x000000000041E792-mapping.dmp

Download
memory/1364-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-93-0x0000000000CA0000-0x0000000000CB4000-memory.dmp

Filesize
80KB

Download
memory/1364-79-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1364-80-0x00000000005D0000-0x00000000005EE000-memory.dmp

Filesize
120KB

Download
memory/1364-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1364-82-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/1364-83-0x0000000000720000-0x000000000073A000-memory.dmp

Filesize
104KB

Download
memory/1364-84-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/1364-85-0x0000000000830000-0x0000000000842000-memory.dmp

Filesize
72KB

Download
memory/1364-86-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1364-87-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/1364-88-0x0000000000B90000-0x0000000000BA4000-memory.dmp

Filesize
80KB

Download
memory/1364-89-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/1364-90-0x0000000000BF0000-0x0000000000C04000-memory.dmp

Filesize
80KB

Download
memory/1364-91-0x0000000000C40000-0x0000000000C4E000-memory.dmp

Filesize
56KB

Download
memory/1364-92-0x0000000004520000-0x000000000454E000-memory.dmp

Filesize
184KB

Download
memory/1500-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads