nanocore | ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82

Analysis

max time kernel
154s
max time network
174s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
Size

1.0MB
MD5

4cd314d065752bc863a44ac409691560
SHA1

66d0fe99f3d70181970207ee5c77a90a735b5cda
SHA256

ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82
SHA512

47689aed4323b64e8422c9ff31d537265a3fc5ba9c25619bbafa6191bb58f1bb877a4df17755074b7fe6d4c8c485d52bf7fc5d1f7864fe45973f03f24c829504
SSDEEP

24576:7tb20pkaCqT5TBWgNQ7agvu3QS8Vhx9V6A:4Vg5tQ7agvOQSgp5

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

adam150994.mooo.com:666

127.0.0.1:666

Mutex

3f5b9758-4849-4f30-aba2-77bb2368243b

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2015-01-10T20:36:58.967694336Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
666
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
3f5b9758-4849-4f30-aba2-77bb2368243b
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
adam150994.mooo.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe"	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 1200	1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	29

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1200	vbc.exe
1200	vbc.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	vbc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1200	vbc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1780	1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	28
PID 1792 wrote to memory of 1780	1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	28
PID 1792 wrote to memory of 1780	1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	28
PID 1792 wrote to memory of 1780	1792	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	28
PID 1780 wrote to memory of 1200	1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	29
PID 1780 wrote to memory of 1200	1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	29
PID 1780 wrote to memory of 1200	1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	29
PID 1780 wrote to memory of 1200	1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	29
PID 1780 wrote to memory of 1200	1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	29
PID 1780 wrote to memory of 1200	1780	ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe	29

C:\Users\Admin\AppData\Local\Temp\ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
"C:\Users\Admin\AppData\Local\Temp\ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe
  C:\Users\Admin\AppData\Local\Temp\ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\c" "C:\Users\Admin\AppData\Local\Temp\ee3594cc88a44e60adc7c5ed81ae95732a93e0a31ad0490ae5b3548ebaae8d82.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c

Filesize
18KB

MD5
9c5502b2e2982351cc8641c920df8590

SHA1
7c531c6ee6c66fb84957cc0fa0dd3caa3649e0c4

SHA256
89851a264d07fde3beb1d3142d304c36814ecc54fdc3895bc4cfc80c51c7571d

SHA512
4752822933d5a3fa00fb4c44078872a8652f86e524c772389e460aeb5a522d8311bfa63d5c30c235eae18b50b67898319d3ccb46e62d0083f85cdc6b99640ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1

Filesize
12KB

MD5
31fd40fd1891ede7259c8eaca4debcb9

SHA1
5e79575a985ba6f98c4b876f84b1355de61aed55

SHA256
dc9d156617c01507ebbd09a44a336bd75801ba2ac5ee6240884084e5536b7b01

SHA512
6655a831bdb041dcc8c026ec27abb80494e847b8ffdf813a99955c6dcb144ac5916827f3ac1e8b0012e87e88e8cb311cd3f2905072d7e8fe3eca079507d82b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl2

Filesize
209KB

MD5
b0ceb81cb48d7a9e7f38d9ae3fa312c4

SHA1
fd5e78daa4f147c83efc736795b0e5f324ee3ab2

SHA256
8113ad55663776e41e5eca0615337302fde040e3c5ca22e8fe98fe5d2ab45997

SHA512
a22aebb72a0ec0b6211f68354dba5a81b069bf9961d9840d17ffd07c91c69e0d60b489a572155af19756d2df16bc346b70c8ce6e4a95cea46e52b46b518692af

Download Submit
memory/1200-65-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/1200-60-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/1200-62-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/1200-67-0x00000000000C0000-0x00000000000FA000-memory.dmp

Filesize
232KB

Download
memory/1200-69-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/1200-70-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/1200-71-0x00000000006D0000-0x00000000006EE000-memory.dmp

Filesize
120KB

Download
memory/1200-72-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/1200-73-0x0000000004B05000-0x0000000004B16000-memory.dmp

Filesize
68KB

Download
memory/1200-74-0x0000000004B05000-0x0000000004B16000-memory.dmp

Filesize
68KB

Download
memory/1792-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download