nanocore | ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f

General

Target

ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
Size

521KB
MD5

87ff74c6fc7166d9365f6376fa260026
SHA1

a91a2e81a4cd43dbe12aa1219bd0585ffd555002
SHA256

ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f
SHA512

1186569a4655486cecbb3067ac2d480a1a7fca9926e1a6764325b4a477b829ee97e07e32119b8c9998a15caff6feecca7e477ccfba1fe64e52aac20c397c2b6f
SSDEEP

12288:mJZrZfSXwNFqo4R3Zbs4ys7U7cgt/GFr1PIxW1qM:sVFTAJFA/t/YRPIxxM

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

87.231.21.54:4242

192.168.0.18:4242

Mutex

cb32a65b-351e-4743-9439-5a68c0b610bb

Attributes

activate_away_mode
true
backup_connection_host
192.168.0.18
backup_dns_server
buffer_size
65535
build_time
2014-10-30T07:51:34.058785536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4242
default_group
Owww
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
cb32a65b-351e-4743-9439-5a68c0b610bb
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
87.231.21.54
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.1.1
wan_timeout
8000

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	reg.exe

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

notepad .exe

pid process

752 notepad .exe
Loads dropped DLL 1 IoCs

Processes:

ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe

pid process

2032 ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

notepad .exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA notepad .exe

pid	process
752	notepad .exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad .exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe

description	pid	process	target process
PID 2032 set thread context of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exenotepad .exe

pid	process
2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
752	notepad .exe
752	notepad .exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

notepad .exe

pid process

752 notepad .exe

pid	process
752	notepad .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exenotepad .exe

description	pid	process
Token: SeDebugPrivilege	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
Token: 33	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
Token: SeIncBasePriorityPrivilege	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
Token: SeDebugPrivilege	752	notepad .exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.execmd.exewscript.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 1368	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	cmd.exe
PID 2032 wrote to memory of 1368	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	cmd.exe
PID 2032 wrote to memory of 1368	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	cmd.exe
PID 2032 wrote to memory of 1368	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	cmd.exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 2032 wrote to memory of 752	2032	ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe	notepad .exe
PID 1368 wrote to memory of 1916	1368	cmd.exe	wscript.exe
PID 1368 wrote to memory of 1916	1368	cmd.exe	wscript.exe
PID 1368 wrote to memory of 1916	1368	cmd.exe	wscript.exe
PID 1368 wrote to memory of 1916	1368	cmd.exe	wscript.exe
PID 1916 wrote to memory of 704	1916	wscript.exe	cmd.exe
PID 1916 wrote to memory of 704	1916	wscript.exe	cmd.exe
PID 1916 wrote to memory of 704	1916	wscript.exe	cmd.exe
PID 1916 wrote to memory of 704	1916	wscript.exe	cmd.exe
PID 704 wrote to memory of 1056	704	cmd.exe	reg.exe
PID 704 wrote to memory of 1056	704	cmd.exe	reg.exe
PID 704 wrote to memory of 1056	704	cmd.exe	reg.exe
PID 704 wrote to memory of 1056	704	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe
"C:\Users\Admin\AppData\Local\Temp\ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:704

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe" /f
5⤵
- Modifies WinLogon for persistence
PID:1056

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe
Filesize
521KB

MD5
87ff74c6fc7166d9365f6376fa260026

SHA1
a91a2e81a4cd43dbe12aa1219bd0585ffd555002

SHA256
ccd8fc18705b53aca63ce82b944858323498512cf5087696aed7fee39358cc2f

SHA512
1186569a4655486cecbb3067ac2d480a1a7fca9926e1a6764325b4a477b829ee97e07e32119b8c9998a15caff6feecca7e477ccfba1fe64e52aac20c397c2b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs
Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
Filesize
70B

MD5
23f72401196919748c14cb64c1d55c3b

SHA1
869e3809cb4391e6f5aee5349a871e40a1e1fb22

SHA256
d09c4054568f89c5de2bd9bae9cbcbcb3ef2dda9a9ded0153e29da26dc405d11

SHA512
2ab844717c31c4819d8773d7604dfc831e950ae9e38fe311acf8178d46f39fafb54b448ebb6b9cf5d1edd47ed36eae11d649c1be346b0a35d380dd07101c79f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
Filesize
264B

MD5
d7166ea756390e4e16c5176350bf6003

SHA1
ff236999834b796b9c6b2eb34279639e26648e32

SHA256
9d9d8433939149503dc16d674b1975cc688a0f7e48457bc3f93bf26f1c89726d

SHA512
04b99b8dacbd2198e50e33b687f4f3dda2769f3e55ef9bd290a4b18f8b45af03baca46bb476c3ea025c9fd313f64e1fee02392b182dae3a4da34b60d725a48ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/704-78-0x0000000000000000-mapping.dmp

Download
memory/752-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-66-0x000000000041EDAE-mapping.dmp

Download
memory/752-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-83-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/752-80-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/752-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/752-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1056-79-0x0000000000000000-mapping.dmp

Download
memory/1368-56-0x0000000000000000-mapping.dmp

Download
memory/1916-74-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/2032-55-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/2032-82-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads