nanocore | 2eb65616fa13c101059d6b4ab7d3e187352c101bc3b6a4a2ee6f2827e269b5ee

General

Target

ORDER PO.exe
Size

344KB
MD5

99add6be1d338385cad84d1a7d0f4fec
SHA1

8b8f6f3dfc3b273204a6081105d044e57996e513
SHA256

2eb65616fa13c101059d6b4ab7d3e187352c101bc3b6a4a2ee6f2827e269b5ee
SHA512

9a2e9e601895bc589c4851603f290770bf0ec35641b79a338501d88408b83b1cc90e015824e9e4a51feb783383bb6e65089f7071934c7fb00eed3504f474bba1
SSDEEP

6144:mbE/HUbZnM3ixqIagI5WtKZNEF9qskfZTLJCNIKMfw1/KzqikdNHSCI:mb/ZnM3ixw5XogfJ6IKj1/cdkdlSCI

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

bfebcfkic.exe

pid process

1996 bfebcfkic.exe
Loads dropped DLL 1 IoCs

Processes:

bfebcfkic.exe

pid process

1488 bfebcfkic.exe

pid	process
1996	bfebcfkic.exe

pid	process
1488	bfebcfkic.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bfebcfkic.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yiagbtsdnurbt = "C:\\Users\\Admin\\AppData\\Roaming\\uhmvgbdsbaj\\atvxtbxb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bfebcfkic.exe\""	bfebcfkic.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

bfebcfkic.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA bfebcfkic.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

bfebcfkic.exe

description pid process target process

PID 1996 set thread context of 1488 1996 bfebcfkic.exe bfebcfkic.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3604 1996 WerFault.exe bfebcfkic.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

bfebcfkic.exe

pid process

1488 bfebcfkic.exe
1488 bfebcfkic.exe
1488 bfebcfkic.exe
1488 bfebcfkic.exe
1488 bfebcfkic.exe
1488 bfebcfkic.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

bfebcfkic.exe

pid process

1488 bfebcfkic.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bfebcfkic.exe

description pid process

Token: SeDebugPrivilege 1488 bfebcfkic.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bfebcfkic.exe

description	pid	process	target process
PID 1996 set thread context of 1488	1996	bfebcfkic.exe	bfebcfkic.exe

pid	pid_target	process	target process
3604	1996	WerFault.exe	bfebcfkic.exe

pid	process
1488	bfebcfkic.exe
1488	bfebcfkic.exe
1488	bfebcfkic.exe
1488	bfebcfkic.exe
1488	bfebcfkic.exe
1488	bfebcfkic.exe

pid	process
1488	bfebcfkic.exe

description	pid	process
Token: SeDebugPrivilege	1488	bfebcfkic.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ORDER PO.exebfebcfkic.exe

description	pid	process	target process
PID 4200 wrote to memory of 1996	4200	ORDER PO.exe	bfebcfkic.exe
PID 4200 wrote to memory of 1996	4200	ORDER PO.exe	bfebcfkic.exe
PID 4200 wrote to memory of 1996	4200	ORDER PO.exe	bfebcfkic.exe
PID 1996 wrote to memory of 1488	1996	bfebcfkic.exe	bfebcfkic.exe
PID 1996 wrote to memory of 1488	1996	bfebcfkic.exe	bfebcfkic.exe
PID 1996 wrote to memory of 1488	1996	bfebcfkic.exe	bfebcfkic.exe
PID 1996 wrote to memory of 1488	1996	bfebcfkic.exe	bfebcfkic.exe

C:\Users\Admin\AppData\Local\Temp\ORDER PO.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER PO.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe
"C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe
"C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe"
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 700
3⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1996 -ip 1996
1⤵
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe
Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe
Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfebcfkic.exe
Filesize
59KB

MD5
e774fd33a526fceef14de265816460c4

SHA1
b12e8626d7cb55ea32eed89ce4625170d38207d6

SHA256
ba1eb752afae894307bd37809262879411532dd3958d3bb14aa3fddd3ce21e4f

SHA512
0c761dc499a19be0191d5d638eb605938ca13e8d327945077c9b5cdfda58547ccfecd1bbd259a4755dd0f265aee784907ee115d25c40dccfd028ba9baab6bcfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\idfak.xs
Filesize
280KB

MD5
caea4f29bd6873e6809ea2acafcaa8c0

SHA1
fa225306497ff311b9596c494d7d1472c80bfaa7

SHA256
0791ff2121f8ddaa7ea1fe4dac4d736379a450a7a244f5f868b6f57dd622ba65

SHA512
b478474e5a6a61755f41d0b768a7e8960daa78f6f48ecd0f8d04fb8734735f4a7df1913017f7b1bb5251686e6352eb999d07df5b27d69240055a379ca0a1182a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxiulwelu.tz
Filesize
6KB

MD5
68b675f933e1a79b8fc5be13521423fe

SHA1
a12446029976f08101d7bb17e90259d89216c1ad

SHA256
c70d677e8a8019db54a83275756284b19a2d609d87304dbd47eef9abc7430b1d

SHA512
2b21c8d9b20ab33d0656e734695da29be00b16a5d19998aae2f51981d2de09bc44863ab3b13ba772aa5109315524e49b0c280bb5c35787252572c1c962960047

Download Submit
memory/1488-137-0x0000000000000000-mapping.dmp

Download
memory/1488-139-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/1488-140-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/1488-141-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/1488-142-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download
memory/1488-143-0x0000000006E40000-0x0000000006EA6000-memory.dmp

Filesize
408KB

Download
memory/1996-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing