nanocore | 2eb65616fa13c101059d6b4ab7d3e187352c101bc3b6a4a2ee6f2827e269b5ee

General

Target

ORDER PO.exe
Size

344KB
MD5

99add6be1d338385cad84d1a7d0f4fec
SHA1

8b8f6f3dfc3b273204a6081105d044e57996e513
SHA256

2eb65616fa13c101059d6b4ab7d3e187352c101bc3b6a4a2ee6f2827e269b5ee
SHA512

9a2e9e601895bc589c4851603f290770bf0ec35641b79a338501d88408b83b1cc90e015824e9e4a51feb783383bb6e65089f7071934c7fb00eed3504f474bba1
SSDEEP

6144:mbE/HUbZnM3ixqIagI5WtKZNEF9qskfZTLJCNIKMfw1/KzqikdNHSCI:mb/ZnM3ixw5XogfJ6IKj1/cdkdlSCI

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

chibuikelight.ddns.net:1122

Mutex

d2cbe170-91e2-41f9-913f-0880782b9838

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-30T23:43:32.343213436Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1122
default_group
love
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
d2cbe170-91e2-41f9-913f-0880782b9838
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
chibuikelight.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

bfebcfkic.exe

pid process

1068 bfebcfkic.exe
Loads dropped DLL 3 IoCs

Processes:

ORDER PO.exebfebcfkic.exebfebcfkic.exe

pid process

1408 ORDER PO.exe
1068 bfebcfkic.exe
2016 bfebcfkic.exe

pid	process
1068	bfebcfkic.exe

pid	process
1408	ORDER PO.exe
1068	bfebcfkic.exe
2016	bfebcfkic.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bfebcfkic.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yiagbtsdnurbt = "C:\\Users\\Admin\\AppData\\Roaming\\uhmvgbdsbaj\\atvxtbxb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfebcfkic.exe\""	bfebcfkic.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

bfebcfkic.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bfebcfkic.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bfebcfkic.exe

description pid process target process

PID 1068 set thread context of 2016 1068 bfebcfkic.exe bfebcfkic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bfebcfkic.exe

pid process

2016 bfebcfkic.exe
2016 bfebcfkic.exe
2016 bfebcfkic.exe
2016 bfebcfkic.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bfebcfkic.exe

pid process

2016 bfebcfkic.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bfebcfkic.exe

description pid process

Token: SeDebugPrivilege 2016 bfebcfkic.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bfebcfkic.exe

description	pid	process	target process
PID 1068 set thread context of 2016	1068	bfebcfkic.exe	bfebcfkic.exe

pid	process
2016	bfebcfkic.exe
2016	bfebcfkic.exe
2016	bfebcfkic.exe
2016	bfebcfkic.exe

pid	process
2016	bfebcfkic.exe

description	pid	process
Token: SeDebugPrivilege	2016	bfebcfkic.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ORDER PO.exebfebcfkic.exe

description	pid	process	target process
PID 1408 wrote to memory of 1068	1408	ORDER PO.exe	bfebcfkic.exe
PID 1408 wrote to memory of 1068	1408	ORDER PO.exe	bfebcfkic.exe
PID 1408 wrote to memory of 1068	1408	ORDER PO.exe	bfebcfkic.exe
PID 1408 wrote to memory of 1068	1408	ORDER PO.exe	bfebcfkic.exe
PID 1068 wrote to memory of 2016	1068	bfebcfkic.exe	bfebcfkic.exe
PID 1068 wrote to memory of 2016	1068	bfebcfkic.exe	bfebcfkic.exe
PID 1068 wrote to memory of 2016	1068	bfebcfkic.exe	bfebcfkic.exe
PID 1068 wrote to memory of 2016	1068	bfebcfkic.exe	bfebcfkic.exe
PID 1068 wrote to memory of 2016	1068	bfebcfkic.exe	bfebcfkic.exe

C:\Users\Admin\AppData\Local\Temp\ORDER PO.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER PO.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe
"C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe
"C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe

Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe

Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe

Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\idfak.xs

Filesize
280KB

MD5
caea4f29bd6873e6809ea2acafcaa8c0

SHA1
fa225306497ff311b9596c494d7d1472c80bfaa7

SHA256
0791ff2121f8ddaa7ea1fe4dac4d736379a450a7a244f5f868b6f57dd622ba65

SHA512
b478474e5a6a61755f41d0b768a7e8960daa78f6f48ecd0f8d04fb8734735f4a7df1913017f7b1bb5251686e6352eb999d07df5b27d69240055a379ca0a1182a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxiulwelu.tz

Filesize
6KB

MD5
68b675f933e1a79b8fc5be13521423fe

SHA1
a12446029976f08101d7bb17e90259d89216c1ad

SHA256
c70d677e8a8019db54a83275756284b19a2d609d87304dbd47eef9abc7430b1d

SHA512
2b21c8d9b20ab33d0656e734695da29be00b16a5d19998aae2f51981d2de09bc44863ab3b13ba772aa5109315524e49b0c280bb5c35787252572c1c962960047

Download Submit
\Users\Admin\AppData\Local\Temp\bfebcfkic.exe

Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
\Users\Admin\AppData\Local\Temp\bfebcfkic.exe

Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
memory/1068-56-0x0000000000000000-mapping.dmp

Download
memory/1408-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/2016-68-0x0000000000A10000-0x0000000000A2E000-memory.dmp

Filesize
120KB

Download
memory/2016-74-0x0000000002070000-0x000000000207E000-memory.dmp

Filesize
56KB

Download
memory/2016-67-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/2016-63-0x0000000000401896-mapping.dmp

Download
memory/2016-69-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/2016-70-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2016-71-0x0000000001F10000-0x0000000001F2A000-memory.dmp

Filesize
104KB

Download
memory/2016-72-0x0000000001F40000-0x0000000001F4E000-memory.dmp

Filesize
56KB

Download
memory/2016-73-0x0000000001F50000-0x0000000001F62000-memory.dmp

Filesize
72KB

Download
memory/2016-66-0x00000000004C0000-0x00000000004F8000-memory.dmp

Filesize
224KB

Download
memory/2016-75-0x0000000002080000-0x000000000208C000-memory.dmp

Filesize
48KB

Download
memory/2016-76-0x0000000002090000-0x00000000020A4000-memory.dmp

Filesize
80KB

Download
memory/2016-77-0x00000000020E0000-0x00000000020F0000-memory.dmp

Filesize
64KB

Download
memory/2016-78-0x0000000004130000-0x0000000004144000-memory.dmp

Filesize
80KB

Download
memory/2016-79-0x0000000004140000-0x000000000414E000-memory.dmp

Filesize
56KB

Download
memory/2016-80-0x00000000043E0000-0x000000000440E000-memory.dmp

Filesize
184KB

Download
memory/2016-81-0x00000000041A0000-0x00000000041B4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing