nanocore | be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc

Analysis

max time kernel
153s
max time network
51s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
Size

2.1MB
MD5

3329f833ac31ac3878721f49e181393d
SHA1

47b79d529e61c1b41c27a53b9c0e886a6f50a1df
SHA256

be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc
SHA512

29d2bb7cd8fcbd22dd6116ca3a75396bd045e9ad5b38cf3a699d4cdb0597e4b86af82662c11dbc8e0c266258fa648ac26768f111cc865f062e989c3055e5c95f
SSDEEP

24576:ptKb3axCoJgKuA0p1kXH2YNRRWH15ZYSR3T1i2UsDHMZWlZUgbVi0TD5mYbt7E:E3eCauJEN+nZYSp1i2UsQKZUaiqUCx

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

businessdb04.no-ip.biz:9400

businessdb02.noip.me:9400

Mutex

c31c026e-c64b-4780-aa3d-297739f57e00

Attributes

activate_away_mode
true
backup_connection_host
businessdb02.noip.me
backup_dns_server
buffer_size
65535
build_time
2014-11-14T21:30:41.201157736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
9400
default_group
USA
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c31c026e-c64b-4780-aa3d-297739f57e00
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
businessdb04.no-ip.biz
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.1.1
wan_timeout
8000

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\windows.exe"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1712	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
1600	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
1600	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1600	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
Token: SeDebugPrivilege	1600	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 280	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	27
PID 2028 wrote to memory of 280	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	27
PID 2028 wrote to memory of 280	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	27
PID 2028 wrote to memory of 280	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	27
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 2028 wrote to memory of 1600	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	30
PID 280 wrote to memory of 1532	280	cmd.exe	29
PID 280 wrote to memory of 1532	280	cmd.exe	29
PID 280 wrote to memory of 1532	280	cmd.exe	29
PID 280 wrote to memory of 1532	280	cmd.exe	29
PID 1532 wrote to memory of 564	1532	wscript.exe	31
PID 1532 wrote to memory of 564	1532	wscript.exe	31
PID 1532 wrote to memory of 564	1532	wscript.exe	31
PID 1532 wrote to memory of 564	1532	wscript.exe	31
PID 564 wrote to memory of 240	564	cmd.exe	33
PID 564 wrote to memory of 240	564	cmd.exe	33
PID 564 wrote to memory of 240	564	cmd.exe	33
PID 564 wrote to memory of 240	564	cmd.exe	33
PID 2028 wrote to memory of 1708	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	34
PID 2028 wrote to memory of 1708	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	34
PID 2028 wrote to memory of 1708	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	34
PID 2028 wrote to memory of 1708	2028	be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe	34
PID 1708 wrote to memory of 1712	1708	cmd.exe	36
PID 1708 wrote to memory of 1712	1708	cmd.exe	36
PID 1708 wrote to memory of 1712	1708	cmd.exe	36
PID 1708 wrote to memory of 1712	1708	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
"C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\windows.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:240
- C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
  C:\Users\Admin\AppData\Local\Temp\be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc.exe
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - Delays execution with timeout.exe
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

Filesize
270B

MD5
fb61fb483ef4e9b18561f9d73e1aa135

SHA1
0c33b58761fc24453ef6a249503cc493fc22b2ca

SHA256
3db85f877de10a4640f53f29495c7f9783a2497555d627015bd05450a19535a7

SHA512
65c872e06132b527646e1755129d56168042192e278066adbf093649e76566adb9e4e986fad24d8677edc6c533164373f60776dbc2bbf140481ad9ed31d2860b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\svhost.bat

Filesize
212B

MD5
b0e98b341bbc605009d9c223f94f253e

SHA1
91676ce4fa39752102918ef62badd8dc4e7d88fc

SHA256
da455367db63e08fb4ea20c2a0688b5f88a9e5b9db331b2183967c1c48420042

SHA512
0e97f3ca37a9dde0b18e75ae36edac7ebccc5b73aafc16f2e53f9b811d184de0ff9857e628f90df727822e42e694fde452e30c25fa3117b5eaab64897a89e055

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\windows.exe

Filesize
2.1MB

MD5
3329f833ac31ac3878721f49e181393d

SHA1
47b79d529e61c1b41c27a53b9c0e886a6f50a1df

SHA256
be95c80a2b150348131f2c80f8b9a9416bd9d92c5ba5e8d9f0b932f735180afc

SHA512
29d2bb7cd8fcbd22dd6116ca3a75396bd045e9ad5b38cf3a699d4cdb0597e4b86af82662c11dbc8e0c266258fa648ac26768f111cc865f062e989c3055e5c95f

Download Submit
memory/1600-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-72-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1600-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-84-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/1600-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1600-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2028-78-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-55-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-83-0x0000000074260000-0x000000007480B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download