nanocore | a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c

General

Target

a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
Size

513KB
MD5

d4d8d5561f956ce6152c0bdef9ab0330
SHA1

b3b8f4be8a671c3b24a9dc18055b611e2ba4357d
SHA256

a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c
SHA512

fcb26b648477c71ebb7dd277430f009992fe5d393406cc117c7fa2c08666416f8caad843613866d6a0caf7fd7c524cd34c49e87b6ba28d2d92d6ee1074278521
SSDEEP

12288:737VWUQUXrv6c2Q1JDB1sCbj21Hln4Ye0rXDc:XKUXj6cbJl1DXeln4Z0rXDc

Score

10^/10

nanocore evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.1.1

C2

87.231.21.54:4242

192.168.0.18:4242

Mutex

322262ce-9696-4b85-b0b7-24f45dfb3e97

Attributes

activate_away_mode
true
backup_connection_host
192.168.0.18
backup_dns_server
buffer_size
65535
build_time
2014-10-27T20:39:29.987250736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4242
default_group
TheGr8Spread
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
322262ce-9696-4b85-b0b7-24f45dfb3e97
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
87.231.21.54
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.1.1
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

notepad .exe

pid process

1708 notepad .exe
Loads dropped DLL 1 IoCs

Processes:

a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe

pid process

784 a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

notepad .exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA notepad .exe

pid	process
1708	notepad .exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad .exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe

description	pid	process	target process
PID 784 set thread context of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exenotepad .exe

pid	process
784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
1708	notepad .exe
1708	notepad .exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exenotepad .exe

description	pid	process
Token: SeDebugPrivilege	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
Token: 33	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
Token: SeIncBasePriorityPrivilege	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
Token: SeDebugPrivilege	1708	notepad .exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.execmd.exe

description	pid	process	target process
PID 784 wrote to memory of 1496	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	cmd.exe
PID 784 wrote to memory of 1496	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	cmd.exe
PID 784 wrote to memory of 1496	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	cmd.exe
PID 784 wrote to memory of 1496	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	cmd.exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 784 wrote to memory of 1708	784	a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe	notepad .exe
PID 1496 wrote to memory of 848	1496	cmd.exe	wscript.exe
PID 1496 wrote to memory of 848	1496	cmd.exe	wscript.exe
PID 1496 wrote to memory of 848	1496	cmd.exe	wscript.exe
PID 1496 wrote to memory of 848	1496	cmd.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe
"C:\Users\Admin\AppData\Local\Temp\a7bc7021fb57ad2b0ee8a75ed7a7a11d5fff57c72ee0be680d1a58fc6262183c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\wow\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\wow\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\wow\mata2.bat"
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wow\mata.bat
Filesize
56B

MD5
0f428c2415ad312d6f3c2b9a1fc9f832

SHA1
762de8bb44af9ef27a7ab7a9b02fd4a6546d5fc6

SHA256
7fc0b52ca38c4654518ff63ae7adc1d1a952f6f16203ef4e5a32581ae8befc5f

SHA512
e7e69d1f28091365e2fedb4a495ddbaf3df7a0fdbb1f967f7363a206d66074346b8f7b40e44d0574ae7b0a69b3ff1c83ca63cba8d2e49d237aad86f7f93dbb74

Download Submit
\Users\Admin\AppData\Local\Temp\notepad .exe
Filesize
52KB

MD5
278edbd499374bf73621f8c1f969d894

SHA1
a81170af14747781c5f5f51bb1215893136f0bc0

SHA256
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391

SHA512
93b0b5c3324bd2df83310f96d34c9176c94d2d676766599c1af33c98ba1efe63187056671f7c6f80c956e5bd0a725f108804021ad93326286bb9c3a96f6550b9

Download Submit
memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-55-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/784-56-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/784-77-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/848-76-0x0000000000000000-mapping.dmp

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1708-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-66-0x000000000041EDAE-mapping.dmp

Download
memory/1708-69-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-71-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-74-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/1708-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1708-78-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads