nanocore | 9804e6106f033720485576c68d4c1abe9a6c52ca020c2e59686bc533b8e2495a

General

Target

c47d4e835ec66bd96f6139bf712ec155.exe
Size

525KB
MD5

c47d4e835ec66bd96f6139bf712ec155
SHA1

13710b381acbfe1a0b8fa013f0237507758ebc51
SHA256

9804e6106f033720485576c68d4c1abe9a6c52ca020c2e59686bc533b8e2495a
SHA512

ff8ff1e0d4302ff6828d8e75da8effce8e23faedba99fc9d3ad8fe98088355436baa83d6da3c7bd0d49806d886b4ac813f215c7d5682d01ae56c1a7ff5bf94f7
SSDEEP

12288:WVnh7wW+nNYu+0mVAxxGsw9msINpccz3dljo:A8NYu+DV/IMe0

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

tzitziklishop.ddns.net:1665

Mutex

f6041bb2-7c7b-4774-acc8-84a131b635ab

Attributes

activate_away_mode
true
backup_connection_host
tzitziklishop.ddns.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-22T04:21:36.365135136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1665
default_group
OCTOBER
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
f6041bb2-7c7b-4774-acc8-84a131b635ab
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
tzitziklishop.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c47d4e835ec66bd96f6139bf712ec155.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	c47d4e835ec66bd96f6139bf712ec155.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c47d4e835ec66bd96f6139bf712ec155.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c47d4e835ec66bd96f6139bf712ec155.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c47d4e835ec66bd96f6139bf712ec155.exe

description pid process target process

PID 948 set thread context of 1716 948 c47d4e835ec66bd96f6139bf712ec155.exe c47d4e835ec66bd96f6139bf712ec155.exe

description	pid	process	target process
PID 948 set thread context of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe

Drops file in Program Files directory 2 IoCs

Processes:

c47d4e835ec66bd96f6139bf712ec155.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	c47d4e835ec66bd96f6139bf712ec155.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	c47d4e835ec66bd96f6139bf712ec155.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

564 schtasks.exe
1540 schtasks.exe

pid	process
564	schtasks.exe
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

c47d4e835ec66bd96f6139bf712ec155.exec47d4e835ec66bd96f6139bf712ec155.exe

pid	process
948	c47d4e835ec66bd96f6139bf712ec155.exe
948	c47d4e835ec66bd96f6139bf712ec155.exe
948	c47d4e835ec66bd96f6139bf712ec155.exe
1716	c47d4e835ec66bd96f6139bf712ec155.exe
1716	c47d4e835ec66bd96f6139bf712ec155.exe
1716	c47d4e835ec66bd96f6139bf712ec155.exe
1716	c47d4e835ec66bd96f6139bf712ec155.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

c47d4e835ec66bd96f6139bf712ec155.exe

pid process

1716 c47d4e835ec66bd96f6139bf712ec155.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c47d4e835ec66bd96f6139bf712ec155.exec47d4e835ec66bd96f6139bf712ec155.exe

description pid process

Token: SeDebugPrivilege 948 c47d4e835ec66bd96f6139bf712ec155.exe
Token: SeDebugPrivilege 1716 c47d4e835ec66bd96f6139bf712ec155.exe

pid	process
1716	c47d4e835ec66bd96f6139bf712ec155.exe

description	pid	process
Token: SeDebugPrivilege	948	c47d4e835ec66bd96f6139bf712ec155.exe
Token: SeDebugPrivilege	1716	c47d4e835ec66bd96f6139bf712ec155.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

c47d4e835ec66bd96f6139bf712ec155.exec47d4e835ec66bd96f6139bf712ec155.exe

C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe
"C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe
"C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe"
2⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe
"C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe"
2⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe
"C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe"
2⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe
"C:\Users\Admin\AppData\Local\Temp\c47d4e835ec66bd96f6139bf712ec155.exe"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA555.tmp"
3⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA759.tmp"
3⤵
- Creates scheduled task(s)
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA555.tmp
Filesize
1KB

MD5
081e17890adc38e8e3933dcdb5ca3ece

SHA1
b3ae4507af06da0e89e50bf72d8c398d450714fd

SHA256
d1f79f59ae6a51a3389c09def32e4cba24235ec7532171f8e8c08e8814b25bac

SHA512
858975476d478ca233da5b5b737d86f8749b3a7700643b48bab4dd087d3f7b79e3511fb7fa030979af37fefef21d0117f344f9fe009fe54e0b6a9c4ab3c46147

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA759.tmp
Filesize
1KB

MD5
981e126601526eaa5b0ad45c496c4465

SHA1
d610d6a21a8420cc73fcd3e54ddae75a5897b28b

SHA256
11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

SHA512
a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Download Submit
memory/564-78-0x0000000000000000-mapping.dmp

Download
memory/948-57-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/948-54-0x00000000001A0000-0x0000000000228000-memory.dmp

Filesize
544KB

Download
memory/948-59-0x0000000004CD5000-0x0000000004CE6000-memory.dmp

Filesize
68KB

Download
memory/948-61-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/948-60-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/948-62-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/948-63-0x0000000005020000-0x0000000005094000-memory.dmp

Filesize
464KB

Download
memory/948-64-0x0000000000710000-0x000000000074A000-memory.dmp

Filesize
232KB

Download
memory/948-82-0x0000000004CD5000-0x0000000004CE6000-memory.dmp

Filesize
68KB

Download
memory/948-58-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/948-56-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/948-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1540-80-0x0000000000000000-mapping.dmp

Download
memory/1716-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-86-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/1716-72-0x000000000041E792-mapping.dmp

Download
memory/1716-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-83-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/1716-84-0x0000000000730000-0x000000000074E000-memory.dmp

Filesize
120KB

Download
memory/1716-85-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/1716-76-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1716-87-0x0000000000870000-0x000000000088A000-memory.dmp

Filesize
104KB

Download
memory/1716-88-0x00000000020B0000-0x00000000020BE000-memory.dmp

Filesize
56KB

Download
memory/1716-89-0x0000000002110000-0x0000000002122000-memory.dmp

Filesize
72KB

Download
memory/1716-90-0x0000000002120000-0x000000000212E000-memory.dmp

Filesize
56KB

Download
memory/1716-91-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/1716-92-0x0000000004280000-0x0000000004294000-memory.dmp

Filesize
80KB

Download
memory/1716-93-0x00000000042D0000-0x00000000042E0000-memory.dmp

Filesize
64KB

Download
memory/1716-94-0x00000000042E0000-0x00000000042F4000-memory.dmp

Filesize
80KB

Download
memory/1716-95-0x00000000042F0000-0x00000000042FE000-memory.dmp

Filesize
56KB

Download
memory/1716-96-0x0000000004E40000-0x0000000004E6E000-memory.dmp

Filesize
184KB

Download
memory/1716-97-0x0000000004350000-0x0000000004364000-memory.dmp

Filesize
80KB

Download

description	pid	process	target process
PID 948 wrote to memory of 1220	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1220	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1220	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1220	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1224	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1224	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1224	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1224	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1344	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1344	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1344	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1344	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 948 wrote to memory of 1716	948	c47d4e835ec66bd96f6139bf712ec155.exe	c47d4e835ec66bd96f6139bf712ec155.exe
PID 1716 wrote to memory of 564	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe
PID 1716 wrote to memory of 564	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe
PID 1716 wrote to memory of 564	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe
PID 1716 wrote to memory of 564	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe
PID 1716 wrote to memory of 1540	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe
PID 1716 wrote to memory of 1540	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe
PID 1716 wrote to memory of 1540	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe
PID 1716 wrote to memory of 1540	1716	c47d4e835ec66bd96f6139bf712ec155.exe	schtasks.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads