nanocore | 99f9974d7d26d72a09760f3337451e1f094cb07439ead254674f29030f80de69

General

Target

BLWhbk1QHVWt40L46pdf.scr.exe
Size

915KB
MD5

b96b781520a1ae7bf775f59132666ead
SHA1

a5ce921bb5bf24b0537b4750191d59a794c24789
SHA256

99f9974d7d26d72a09760f3337451e1f094cb07439ead254674f29030f80de69
SHA512

23174a91247a52d94ea1def63fecdace294773eb410424f8377fc09d19a0d85930af1cc6a4162ab4c7e2bc9922f9614e48b47d9d262a549bef58a84cf78b84e6
SSDEEP

12288:r3V65m/hXgCdd8hbnEfelWrlJr9OPwQF+kUQD2ZfEu587+k4ee:rKm/h18hbhGltywQoU

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

power22.myftp.org:3421

Mutex

dbdb690f-8b48-40aa-8353-6db2541a2119

Attributes

activate_away_mode
true
backup_connection_host
power22.myftp.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-08-01T11:35:16.039173836Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3421
default_group
WIN$$
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
dbdb690f-8b48-40aa-8353-6db2541a2119
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
power22.myftp.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BLWhbk1QHVWt40L46pdf.scr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	BLWhbk1QHVWt40L46pdf.scr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BLWhbk1QHVWt40L46pdf.scr.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe"	BLWhbk1QHVWt40L46pdf.scr.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BLWhbk1QHVWt40L46pdf.scr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BLWhbk1QHVWt40L46pdf.scr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

BLWhbk1QHVWt40L46pdf.scr.exe

description pid process target process

PID 4968 set thread context of 4456 4968 BLWhbk1QHVWt40L46pdf.scr.exe BLWhbk1QHVWt40L46pdf.scr.exe

description	pid	process	target process
PID 4968 set thread context of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe

Drops file in Program Files directory 2 IoCs

Processes:

BLWhbk1QHVWt40L46pdf.scr.exe

description	ioc	process
File created	C:\Program Files (x86)\AGP Monitor\agpmon.exe	BLWhbk1QHVWt40L46pdf.scr.exe
File opened for modification	C:\Program Files (x86)\AGP Monitor\agpmon.exe	BLWhbk1QHVWt40L46pdf.scr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3984 schtasks.exe
4340 schtasks.exe
4568 schtasks.exe

pid	process
3984	schtasks.exe
4340	schtasks.exe
4568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

BLWhbk1QHVWt40L46pdf.scr.exepowershell.exeBLWhbk1QHVWt40L46pdf.scr.exe

pid	process
4968	BLWhbk1QHVWt40L46pdf.scr.exe
4968	BLWhbk1QHVWt40L46pdf.scr.exe
3564	powershell.exe
3564	powershell.exe
4456	BLWhbk1QHVWt40L46pdf.scr.exe
4456	BLWhbk1QHVWt40L46pdf.scr.exe
4456	BLWhbk1QHVWt40L46pdf.scr.exe
4456	BLWhbk1QHVWt40L46pdf.scr.exe
4456	BLWhbk1QHVWt40L46pdf.scr.exe
4456	BLWhbk1QHVWt40L46pdf.scr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

BLWhbk1QHVWt40L46pdf.scr.exe

pid process

4456 BLWhbk1QHVWt40L46pdf.scr.exe

pid	process
4456	BLWhbk1QHVWt40L46pdf.scr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

BLWhbk1QHVWt40L46pdf.scr.exepowershell.exeBLWhbk1QHVWt40L46pdf.scr.exe

description	pid	process
Token: SeDebugPrivilege	4968	BLWhbk1QHVWt40L46pdf.scr.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	4456	BLWhbk1QHVWt40L46pdf.scr.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

BLWhbk1QHVWt40L46pdf.scr.exeBLWhbk1QHVWt40L46pdf.scr.exe

description	pid	process	target process
PID 4968 wrote to memory of 3564	4968	BLWhbk1QHVWt40L46pdf.scr.exe	powershell.exe
PID 4968 wrote to memory of 3564	4968	BLWhbk1QHVWt40L46pdf.scr.exe	powershell.exe
PID 4968 wrote to memory of 3564	4968	BLWhbk1QHVWt40L46pdf.scr.exe	powershell.exe
PID 4968 wrote to memory of 3984	4968	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4968 wrote to memory of 3984	4968	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4968 wrote to memory of 3984	4968	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4968 wrote to memory of 4456	4968	BLWhbk1QHVWt40L46pdf.scr.exe	BLWhbk1QHVWt40L46pdf.scr.exe
PID 4456 wrote to memory of 4340	4456	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4456 wrote to memory of 4340	4456	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4456 wrote to memory of 4340	4456	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4456 wrote to memory of 4568	4456	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4456 wrote to memory of 4568	4456	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe
PID 4456 wrote to memory of 4568	4456	BLWhbk1QHVWt40L46pdf.scr.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\BLWhbk1QHVWt40L46pdf.scr.exe
"C:\Users\Admin\AppData\Local\Temp\BLWhbk1QHVWt40L46pdf.scr.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OGaPrntx.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OGaPrntx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2100.tmp"
2⤵
- Creates scheduled task(s)
PID:3984

C:\Users\Admin\AppData\Local\Temp\BLWhbk1QHVWt40L46pdf.scr.exe
"C:\Users\Admin\AppData\Local\Temp\BLWhbk1QHVWt40L46pdf.scr.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp26BD.tmp"
3⤵
- Creates scheduled task(s)
PID:4340

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp274B.tmp"
3⤵
- Creates scheduled task(s)
PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2100.tmp

Filesize
1KB

MD5
7831d4d82ca35da3d336c7d37c900126

SHA1
2555263909b1caf0b2c134fd21d6c754c293c1e2

SHA256
884902f265c78481e526b5321732fda7b319cd7f4441c19c7a7732166a4b566e

SHA512
09b4828b9a5cd058ee3d3c0dfbd6254d8f453451e71da1e229255fd84360bac80454c140867a01e51853aa0b7ad4f14961c696d280b79b7e5936310bab19b3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp26BD.tmp

Filesize
1KB

MD5
04f59a991f71e5f990df15c9bb24e6fd

SHA1
084babe0fb6fba12e0c830235314131f036dd027

SHA256
0addc222295d6e9ce719edae3cd6b9763dbfa7d7c61f740569f408f7c5505fc3

SHA512
492b07b46e731cb055c5b9653523cbeb54b96a22c41dd17d62b02e51cb77d5959a2f96810d6811fcaf609039a7851258cd5649342ce0f4b304ffe557dcd734da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp274B.tmp

Filesize
1KB

MD5
157cd55403665c49c9fd3ca1196c4397

SHA1
4feed6e606b41bb617274471349582963182756b

SHA256
49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e

SHA512
bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8

Download Submit
memory/3564-153-0x0000000071DB0000-0x0000000071DFC000-memory.dmp

Filesize
304KB

Download
memory/3564-154-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/3564-161-0x00000000075B0000-0x00000000075B8000-memory.dmp

Filesize
32KB

Download
memory/3564-138-0x0000000000000000-mapping.dmp

Download
memory/3564-160-0x00000000075D0000-0x00000000075EA000-memory.dmp

Filesize
104KB

Download
memory/3564-159-0x00000000074C0000-0x00000000074CE000-memory.dmp

Filesize
56KB

Download
memory/3564-141-0x0000000002670000-0x00000000026A6000-memory.dmp

Filesize
216KB

Download
memory/3564-142-0x00000000051A0000-0x00000000057C8000-memory.dmp

Filesize
6.2MB

Download
memory/3564-158-0x0000000007500000-0x0000000007596000-memory.dmp

Filesize
600KB

Download
memory/3564-157-0x0000000007300000-0x000000000730A000-memory.dmp

Filesize
40KB

Download
memory/3564-145-0x0000000005800000-0x0000000005822000-memory.dmp

Filesize
136KB

Download
memory/3564-146-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/3564-156-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/3564-155-0x00000000078D0000-0x0000000007F4A000-memory.dmp

Filesize
6.5MB

Download
memory/3564-152-0x0000000006540000-0x0000000006572000-memory.dmp

Filesize
200KB

Download
memory/3564-151-0x0000000004CE0000-0x0000000004CFE000-memory.dmp

Filesize
120KB

Download
memory/3984-139-0x0000000000000000-mapping.dmp

Download
memory/4340-147-0x0000000000000000-mapping.dmp

Download
memory/4456-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4456-143-0x0000000000000000-mapping.dmp

Download
memory/4568-149-0x0000000000000000-mapping.dmp

Download
memory/4968-133-0x0000000007790000-0x0000000007D34000-memory.dmp

Filesize
5.6MB

Download
memory/4968-132-0x00000000002B0000-0x000000000039C000-memory.dmp

Filesize
944KB

Download
memory/4968-136-0x000000000D0D0000-0x000000000D16C000-memory.dmp

Filesize
624KB

Download
memory/4968-134-0x0000000007280000-0x0000000007312000-memory.dmp

Filesize
584KB

Download
memory/4968-135-0x0000000004E50000-0x0000000004E5A000-memory.dmp

Filesize
40KB

Download
memory/4968-137-0x000000000D4E0000-0x000000000D546000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads