nanocore | 2bcd2cd9b7ba2e16ee457931ea8cb0b188655aacd4d7516fc5589009b7199a01

General

Target

b4733e911f3e2e9ecde05cd2f5106b28.exe
Size

1.1MB
MD5

b4733e911f3e2e9ecde05cd2f5106b28
SHA1

da0fd8a7bd060292ba75e379c62c940e7de11b17
SHA256

2bcd2cd9b7ba2e16ee457931ea8cb0b188655aacd4d7516fc5589009b7199a01
SHA512

bd86cebb93cc757c48ae58ee2584f41ec52952d8d22306aa9c9e9ab719f68701c036a5f42dbe4e983437d88e8f1ca70b228cc35e9dd779e10c1d4e6f1c5b8859
SSDEEP

24576:0AOcZ2i759JjImFgQB/QaJRZylYglQTQD3tAFRosq:iS96JQB/5ZylYgaGtArZq

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

jasonbourne.bounceme.net:4032

127.0.0.1:4032

Mutex

9c6d4c8a-884b-4287-8ce0-7edf4a237b07

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-06-24T09:47:26.371156736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4032
default_group
X File
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9c6d4c8a-884b-4287-8ce0-7edf4a237b07
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
jasonbourne.bounceme.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

mvrhic.exe

pid process

4956 mvrhic.exe

pid	process
4956	mvrhic.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b4733e911f3e2e9ecde05cd2f5106b28.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	b4733e911f3e2e9ecde05cd2f5106b28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

mvrhic.exe

description pid process target process

PID 4956 set thread context of 3160 4956 mvrhic.exe RegSvcs.exe

description	pid	process	target process
PID 4956 set thread context of 3160	4956	mvrhic.exe	RegSvcs.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegSvcs.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Monitor\agpmon.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\AGP Monitor\agpmon.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4924 schtasks.exe
112 schtasks.exe

pid	process
4924	schtasks.exe
112	schtasks.exe

Modifies registry class 2 IoCs

Processes:

b4733e911f3e2e9ecde05cd2f5106b28.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	b4733e911f3e2e9ecde05cd2f5106b28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegSvcs.exemvrhic.exe

pid	process
3160	RegSvcs.exe
3160	RegSvcs.exe
3160	RegSvcs.exe
3160	RegSvcs.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
3160	RegSvcs.exe
3160	RegSvcs.exe
3160	RegSvcs.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
3160	RegSvcs.exe
3160	RegSvcs.exe
3160	RegSvcs.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe
4956	mvrhic.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

3160 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 3160 RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3160	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

b4733e911f3e2e9ecde05cd2f5106b28.exeWScript.exemvrhic.exeRegSvcs.exe

description	pid	process	target process
PID 3676 wrote to memory of 4912	3676	b4733e911f3e2e9ecde05cd2f5106b28.exe	WScript.exe
PID 3676 wrote to memory of 4912	3676	b4733e911f3e2e9ecde05cd2f5106b28.exe	WScript.exe
PID 3676 wrote to memory of 4912	3676	b4733e911f3e2e9ecde05cd2f5106b28.exe	WScript.exe
PID 4912 wrote to memory of 4956	4912	WScript.exe	mvrhic.exe
PID 4912 wrote to memory of 4956	4912	WScript.exe	mvrhic.exe
PID 4912 wrote to memory of 4956	4912	WScript.exe	mvrhic.exe
PID 4956 wrote to memory of 3160	4956	mvrhic.exe	RegSvcs.exe
PID 4956 wrote to memory of 3160	4956	mvrhic.exe	RegSvcs.exe
PID 4956 wrote to memory of 3160	4956	mvrhic.exe	RegSvcs.exe
PID 4956 wrote to memory of 3160	4956	mvrhic.exe	RegSvcs.exe
PID 4956 wrote to memory of 3160	4956	mvrhic.exe	RegSvcs.exe
PID 3160 wrote to memory of 4924	3160	RegSvcs.exe	schtasks.exe
PID 3160 wrote to memory of 4924	3160	RegSvcs.exe	schtasks.exe
PID 3160 wrote to memory of 4924	3160	RegSvcs.exe	schtasks.exe
PID 3160 wrote to memory of 112	3160	RegSvcs.exe	schtasks.exe
PID 3160 wrote to memory of 112	3160	RegSvcs.exe	schtasks.exe
PID 3160 wrote to memory of 112	3160	RegSvcs.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\b4733e911f3e2e9ecde05cd2f5106b28.exe
"C:\Users\Admin\AppData\Local\Temp\b4733e911f3e2e9ecde05cd2f5106b28.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\8_16\ioph.vbe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe
"C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe" gvooo.gcv
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEA16.tmp"
5⤵
- Creates scheduled task(s)
PID:4924

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEC3A.tmp"
5⤵
- Creates scheduled task(s)
PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8_16\gvooo.gcv

Filesize
98.6MB

MD5
a929d147bd552d23287515a577c1e756

SHA1
82edddd779b245108043b5a317be1918f1e8c546

SHA256
74821f38593d876d658c0207ce94bd341949435b81b50518fa305767663ce39c

SHA512
398656b9e48c125a86b77d2d3838c32797760ea3bdd289d10b2f44ec8c26c1777a4ff55c7c3d16c21c0de2b3151c8a27826c73c92bfa15169836ef22ad6e451f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\hqqqdurddh.dll

Filesize
45KB

MD5
11c4258fae4132483ae587cfa06b10ae

SHA1
497b09bfe0792bedb0587cecbb344939e9a99f34

SHA256
115229acb4316435cffaa2725b8ba660c17fb073d8fbe28e52e008b15543b76e

SHA512
3b222a55b9fc13f49159030921ebbcc3aee1b8763447a7cdf1f6cecc5b6ad9d8dba091ac2067e220074137b9d709791e3b48cc508649290ff2c68ff06736aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe

Filesize
1.1MB

MD5
7e849c0f23d25130da6e79b4e31c7a13

SHA1
8a7e6683f9643addbd5eeb5f11c686a7f03c951b

SHA256
b93035f0e55b1034d8e3d412bd9279b5e3021100c42d292b7929fd7f62901187

SHA512
e94eca514f970acbad039b9bdd2183a8c7c5e2123608714e6311aadc20660491a86bd10a8172d109d46348da00676a808da603620fff181601dbaa2e777e3379

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\mvrhic.exe

Filesize
1.1MB

MD5
7e849c0f23d25130da6e79b4e31c7a13

SHA1
8a7e6683f9643addbd5eeb5f11c686a7f03c951b

SHA256
b93035f0e55b1034d8e3d412bd9279b5e3021100c42d292b7929fd7f62901187

SHA512
e94eca514f970acbad039b9bdd2183a8c7c5e2123608714e6311aadc20660491a86bd10a8172d109d46348da00676a808da603620fff181601dbaa2e777e3379

Download Submit
C:\Users\Admin\AppData\Local\Temp\8_16\surlhhtvn.cpl

Filesize
406KB

MD5
e454b076fe7207baf7bff4e63dd68505

SHA1
561886a7b8367a50221bac48ac76cd39c79326d2

SHA256
a165db7b671c66380e5ccbea689e7e8200bbc6ac16594321853d9ed850a6946a

SHA512
7b45b66e87b9e18eea49b0dc287ee1308512ff890e28fb2062267accf668e2d8319ce8171a86bd254c422e9acf1a5c2d28b22f91012ecac990a689206bd0b3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA16.tmp

Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEC3A.tmp

Filesize
1KB

MD5
157cd55403665c49c9fd3ca1196c4397

SHA1
4feed6e606b41bb617274471349582963182756b

SHA256
49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e

SHA512
bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8

Download Submit
C:\Users\Admin\AppData\Local\temp\8_16\ioph.vbe

Filesize
25KB

MD5
37d66ad4e808f22215a2d176f079009a

SHA1
cbb36ecd56b54b92bf9d89ea92f8107c474608f7

SHA256
a89a9287cb9fa2326af7edc414a6f6e2382030332d690f603bbb88f1bca99c25

SHA512
d3939fbef1231b66ea58ace89e86494c08142e800d95e988f71a73e79ee561a2829928e46b9ab5c576ac4bf341d81fedd1e91b3326d9356da8ac87a95e4f785c

Download Submit
memory/112-149-0x0000000000000000-mapping.dmp

Download
memory/3160-142-0x0000000001200000-0x0000000001238000-memory.dmp

Filesize
224KB

Download
memory/3160-143-0x0000000006690000-0x0000000006C34000-memory.dmp

Filesize
5.6MB

Download
memory/3160-144-0x00000000060E0000-0x0000000006172000-memory.dmp

Filesize
584KB

Download
memory/3160-145-0x0000000006180000-0x000000000621C000-memory.dmp

Filesize
624KB

Download
memory/3160-146-0x0000000006080000-0x000000000608A000-memory.dmp

Filesize
40KB

Download
memory/3160-141-0x000000000121E792-mapping.dmp

Download
memory/3160-140-0x0000000001200000-0x0000000001943000-memory.dmp

Filesize
7.3MB

Download
memory/3160-151-0x0000000007AC0000-0x0000000007B26000-memory.dmp

Filesize
408KB

Download
memory/4912-132-0x0000000000000000-mapping.dmp

Download
memory/4924-147-0x0000000000000000-mapping.dmp

Download
memory/4956-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads