nanocore | 2bcd2cd9b7ba2e16ee457931ea8cb0b188655aacd4d7516fc5589009b7199a01

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4733e911f3e2e9ecde05cd2f5106b28.exe
Size

1.1MB
MD5

b4733e911f3e2e9ecde05cd2f5106b28
SHA1

da0fd8a7bd060292ba75e379c62c940e7de11b17
SHA256

2bcd2cd9b7ba2e16ee457931ea8cb0b188655aacd4d7516fc5589009b7199a01
SHA512

bd86cebb93cc757c48ae58ee2584f41ec52952d8d22306aa9c9e9ab719f68701c036a5f42dbe4e983437d88e8f1ca70b228cc35e9dd779e10c1d4e6f1c5b8859
SSDEEP

24576:0AOcZ2i759JjImFgQB/QaJRZylYglQTQD3tAFRosq:iS96JQB/5ZylYgaGtArZq

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

jasonbourne.bounceme.net:4032

127.0.0.1:4032

Mutex

9c6d4c8a-884b-4287-8ce0-7edf4a237b07

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-24T09:47:26.371156736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4032
default_group
X File
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9c6d4c8a-884b-4287-8ce0-7edf4a237b07
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
jasonbourne.bounceme.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

mvrhic.exe

pid process

1020 mvrhic.exe
Loads dropped DLL 1 IoCs

Processes:

WScript.exe

pid process

892 WScript.exe

pid	process
892	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mvrhic.exe

description pid process target process

PID 1020 set thread context of 1180 1020 mvrhic.exe RegSvcs.exe

description	pid	process	target process
PID 1020 set thread context of 1180	1020	mvrhic.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Manager\agpmgr.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\AGP Manager\agpmgr.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1688 schtasks.exe
1372 schtasks.exe

pid	process
1688	schtasks.exe
1372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mvrhic.exeRegSvcs.exe

pid	process
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1180	RegSvcs.exe
1180	RegSvcs.exe
1180	RegSvcs.exe
1180	RegSvcs.exe
1020	mvrhic.exe
1020	mvrhic.exe
1180	RegSvcs.exe
1180	RegSvcs.exe
1180	RegSvcs.exe
1180	RegSvcs.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe
1020	mvrhic.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1180 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1180 RegSvcs.exe

pid	process
1180	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1180	RegSvcs.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

b4733e911f3e2e9ecde05cd2f5106b28.exeWScript.exemvrhic.exeRegSvcs.exe

description	pid	process	target process
PID 1200 wrote to memory of 892	1200	b4733e911f3e2e9ecde05cd2f5106b28.exe	WScript.exe
PID 1200 wrote to memory of 892	1200	b4733e911f3e2e9ecde05cd2f5106b28.exe	WScript.exe
PID 1200 wrote to memory of 892	1200	b4733e911f3e2e9ecde05cd2f5106b28.exe	WScript.exe
PID 1200 wrote to memory of 892	1200	b4733e911f3e2e9ecde05cd2f5106b28.exe	WScript.exe
PID 892 wrote to memory of 1020	892	WScript.exe	mvrhic.exe
PID 892 wrote to memory of 1020	892	WScript.exe	mvrhic.exe
PID 892 wrote to memory of 1020	892	WScript.exe	mvrhic.exe
PID 892 wrote to memory of 1020	892	WScript.exe	mvrhic.exe
PID 892 wrote to memory of 1020	892	WScript.exe	mvrhic.exe
PID 892 wrote to memory of 1020	892	WScript.exe	mvrhic.exe
PID 892 wrote to memory of 1020	892	WScript.exe	mvrhic.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1020 wrote to memory of 1180	1020	mvrhic.exe	RegSvcs.exe
PID 1180 wrote to memory of 1372	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 1372	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 1372	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 1372	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 1688	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 1688	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 1688	1180	RegSvcs.exe	schtasks.exe
PID 1180 wrote to memory of 1688	1180	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b4733e911f3e2e9ecde05cd2f5106b28.exe
"C:\Users\Admin\AppData\Local\Temp\b4733e911f3e2e9ecde05cd2f5106b28.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_16\ioph.vbe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe
"C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe" gvooo.gcv
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp52F1.tmp"
5⤵
- Creates scheduled task(s)
PID:1372

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5534.tmp"
5⤵
- Creates scheduled task(s)
PID:1688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8_16\gvooo.gcv
Filesize
98.6MB

MD5
a929d147bd552d23287515a577c1e756

SHA1
82edddd779b245108043b5a317be1918f1e8c546

SHA256
74821f38593d876d658c0207ce94bd341949435b81b50518fa305767663ce39c

SHA512
398656b9e48c125a86b77d2d3838c32797760ea3bdd289d10b2f44ec8c26c1777a4ff55c7c3d16c21c0de2b3151c8a27826c73c92bfa15169836ef22ad6e451f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\hqqqdurddh.dll
Filesize
45KB

MD5
11c4258fae4132483ae587cfa06b10ae

SHA1
497b09bfe0792bedb0587cecbb344939e9a99f34

SHA256
115229acb4316435cffaa2725b8ba660c17fb073d8fbe28e52e008b15543b76e

SHA512
3b222a55b9fc13f49159030921ebbcc3aee1b8763447a7cdf1f6cecc5b6ad9d8dba091ac2067e220074137b9d709791e3b48cc508649290ff2c68ff06736aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe
Filesize
1.1MB

MD5
7e849c0f23d25130da6e79b4e31c7a13

SHA1
8a7e6683f9643addbd5eeb5f11c686a7f03c951b

SHA256
b93035f0e55b1034d8e3d412bd9279b5e3021100c42d292b7929fd7f62901187

SHA512
e94eca514f970acbad039b9bdd2183a8c7c5e2123608714e6311aadc20660491a86bd10a8172d109d46348da00676a808da603620fff181601dbaa2e777e3379

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe
Filesize
1.1MB

MD5
7e849c0f23d25130da6e79b4e31c7a13

SHA1
8a7e6683f9643addbd5eeb5f11c686a7f03c951b

SHA256
b93035f0e55b1034d8e3d412bd9279b5e3021100c42d292b7929fd7f62901187

SHA512
e94eca514f970acbad039b9bdd2183a8c7c5e2123608714e6311aadc20660491a86bd10a8172d109d46348da00676a808da603620fff181601dbaa2e777e3379

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\surlhhtvn.cpl
Filesize
406KB

MD5
e454b076fe7207baf7bff4e63dd68505

SHA1
561886a7b8367a50221bac48ac76cd39c79326d2

SHA256
a165db7b671c66380e5ccbea689e7e8200bbc6ac16594321853d9ed850a6946a

SHA512
7b45b66e87b9e18eea49b0dc287ee1308512ff890e28fb2062267accf668e2d8319ce8171a86bd254c422e9acf1a5c2d28b22f91012ecac990a689206bd0b3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp52F1.tmp
Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5534.tmp
Filesize
1KB

MD5
885d6dd30570594e167fadb59d9ca0ea

SHA1
9981e583644c4eb9cf5056615a0e1c2913c8983b

SHA256
7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2

SHA512
1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a

Download Submit
C:\Users\Admin\AppData\Local\temp\8_16\ioph.vbe
Filesize
25KB

MD5
37d66ad4e808f22215a2d176f079009a

SHA1
cbb36ecd56b54b92bf9d89ea92f8107c474608f7

SHA256
a89a9287cb9fa2326af7edc414a6f6e2382030332d690f603bbb88f1bca99c25

SHA512
d3939fbef1231b66ea58ace89e86494c08142e800d95e988f71a73e79ee561a2829928e46b9ab5c576ac4bf341d81fedd1e91b3326d9356da8ac87a95e4f785c

Download Submit
\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe
Filesize
1.1MB

MD5
7e849c0f23d25130da6e79b4e31c7a13

SHA1
8a7e6683f9643addbd5eeb5f11c686a7f03c951b

SHA256
b93035f0e55b1034d8e3d412bd9279b5e3021100c42d292b7929fd7f62901187

SHA512
e94eca514f970acbad039b9bdd2183a8c7c5e2123608714e6311aadc20660491a86bd10a8172d109d46348da00676a808da603620fff181601dbaa2e777e3379

Download Submit
memory/892-55-0x0000000000000000-mapping.dmp

Download
memory/1020-60-0x0000000000000000-mapping.dmp

Download
memory/1180-87-0x0000000002770000-0x0000000002782000-memory.dmp

Filesize
72KB

Download
memory/1180-90-0x00000000049E0000-0x00000000049F4000-memory.dmp

Filesize
80KB

Download
memory/1180-71-0x0000000000340000-0x0000000000A21000-memory.dmp

Filesize
6.9MB

Download
memory/1180-73-0x0000000000340000-0x0000000000A21000-memory.dmp

Filesize
6.9MB

Download
memory/1180-74-0x0000000000340000-0x0000000000378000-memory.dmp

Filesize
224KB

Download
memory/1180-95-0x00000000053B0000-0x00000000053C4000-memory.dmp

Filesize
80KB

Download
memory/1180-68-0x0000000000340000-0x0000000000A21000-memory.dmp

Filesize
6.9MB

Download
memory/1180-94-0x0000000005240000-0x000000000526E000-memory.dmp

Filesize
184KB

Download
memory/1180-66-0x0000000000340000-0x0000000000A21000-memory.dmp

Filesize
6.9MB

Download
memory/1180-80-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/1180-81-0x0000000001180000-0x000000000119E000-memory.dmp

Filesize
120KB

Download
memory/1180-82-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/1180-83-0x0000000004A05000-0x0000000004A16000-memory.dmp

Filesize
68KB

Download
memory/1180-84-0x0000000001300000-0x0000000001312000-memory.dmp

Filesize
72KB

Download
memory/1180-85-0x0000000001310000-0x000000000132A000-memory.dmp

Filesize
104KB

Download
memory/1180-86-0x0000000001340000-0x000000000134E000-memory.dmp

Filesize
56KB

Download
memory/1180-93-0x0000000004A50000-0x0000000004A5E000-memory.dmp

Filesize
56KB

Download
memory/1180-88-0x0000000002880000-0x000000000288E000-memory.dmp

Filesize
56KB

Download
memory/1180-89-0x0000000002890000-0x000000000289C000-memory.dmp

Filesize
48KB

Download
memory/1180-69-0x000000000035E792-mapping.dmp

Download
memory/1180-91-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1180-92-0x0000000004A40000-0x0000000004A54000-memory.dmp

Filesize
80KB

Download
memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1372-76-0x0000000000000000-mapping.dmp

Download
memory/1688-78-0x0000000000000000-mapping.dmp

Download