nanocore | 42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055

General

Target

42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe
Size

451KB
MD5

649b7a148db72f16480342ceff77ed3a
SHA1

ef0eedf317dd47d1046092424f9ca61a1dd1bbed
SHA256

42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055
SHA512

6d3db1e0b8312d610fedc1d2e43790f583634483d64d64fdff0173d2c22889616299a087cfce0a39f41a4530eba7e0b07029b49126b38aa1b73275859d307df3
SSDEEP

12288:EGJGDs15INdOiU+poVESpGb9bWjWRnSo52nYqQw:EGKsnI/JT+VESE5bEzoGmw

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

neoncorex.duckdns.org:2022

Mutex

39dcee1b-ef73-4d3f-85a3-0a94551eac95

Attributes

activate_away_mode
true
backup_connection_host
neoncorex.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-11-21T01:20:38.920982636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
true
connect_delay
4000
connection_port
2022
default_group
2022LOGS
enable_debug_mode
true
gc_threshold
1.0485798e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
39dcee1b-ef73-4d3f-85a3-0a94551eac95
mutex_timeout
5000
prevent_system_sleep
true
primary_connection_host
neoncorex.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

mdfoi.exemdfoi.exe

pid process

1272 mdfoi.exe
1248 mdfoi.exe
Loads dropped DLL 2 IoCs

Processes:

42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exemdfoi.exe

pid process

2028 42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe
1272 mdfoi.exe

pid	process
1272	mdfoi.exe
1248	mdfoi.exe

pid	process
2028	42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe
1272	mdfoi.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mdfoi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\gqyfdivnojbg = "C:\\Users\\Admin\\AppData\\Roaming\\gtig\\qqdpqsubfj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\mdfoi.exe\" C:\\Users\\Admin\\AppData\\Local\\Temp"	mdfoi.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mdfoi.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mdfoi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

mdfoi.exe

description pid process target process

PID 1272 set thread context of 1248 1272 mdfoi.exe mdfoi.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mdfoi.exe

pid process

1248 mdfoi.exe
1248 mdfoi.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mdfoi.exe

pid process

1248 mdfoi.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

mdfoi.exe

pid process

1272 mdfoi.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

mdfoi.exe

description pid process

Token: SeDebugPrivilege 1248 mdfoi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mdfoi.exe

description	pid	process	target process
PID 1272 set thread context of 1248	1272	mdfoi.exe	mdfoi.exe

pid	process
1248	mdfoi.exe
1248	mdfoi.exe

pid	process
1248	mdfoi.exe

pid	process
1272	mdfoi.exe

description	pid	process
Token: SeDebugPrivilege	1248	mdfoi.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exemdfoi.exe

description	pid	process	target process
PID 2028 wrote to memory of 1272	2028	42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe	mdfoi.exe
PID 2028 wrote to memory of 1272	2028	42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe	mdfoi.exe
PID 2028 wrote to memory of 1272	2028	42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe	mdfoi.exe
PID 2028 wrote to memory of 1272	2028	42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe	mdfoi.exe
PID 1272 wrote to memory of 1248	1272	mdfoi.exe	mdfoi.exe
PID 1272 wrote to memory of 1248	1272	mdfoi.exe	mdfoi.exe
PID 1272 wrote to memory of 1248	1272	mdfoi.exe	mdfoi.exe
PID 1272 wrote to memory of 1248	1272	mdfoi.exe	mdfoi.exe
PID 1272 wrote to memory of 1248	1272	mdfoi.exe	mdfoi.exe

C:\Users\Admin\AppData\Local\Temp\42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe
"C:\Users\Admin\AppData\Local\Temp\42b627a7052e5f9bd9098680da68a392bb36855f651271c2887cc16ff1b8a055.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\mdfoi.exe
"C:\Users\Admin\AppData\Local\Temp\mdfoi.exe" C:\Users\Admin\AppData\Local\Temp\zgcmj.z
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\mdfoi.exe
"C:\Users\Admin\AppData\Local\Temp\mdfoi.exe" C:\Users\Admin\AppData\Local\Temp\zgcmj.z
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ixqitozy.dyu
Filesize
280KB

MD5
9e9bf8493a2897ffe1d04dcca26e544b

SHA1
b03bad0497cdfeb08f604dcc297444677c9c77d7

SHA256
4096f9325c8f7a2f654d5d1733d50bb91ac87c3ac79c39080326a7fb7d9e4a6d

SHA512
8ca78c03927222dfe42b656e483958469c96b7618453830b3688578ea82285b452e135f896deb62f7a3675d788e040781d75b0b6af44755458c732b1c3dc2364

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdfoi.exe
Filesize
332KB

MD5
1c219256e5594c86f7bae720102515c1

SHA1
db68f27956d9420acdb0055c40fd36ecc981308a

SHA256
09609c5613e5790e27c9ba8e4b735442c8ab5d0ca5c8770dc1c0268310e9026d

SHA512
8f109576df8453cc4e6fcdff999c9e6d181b28fc8615038184d2ec9fc3d7068047c607118ab3316b9695675d8b9ec95e24b20eb5c958d84ad9bdfc9146a6d9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdfoi.exe
Filesize
332KB

MD5
1c219256e5594c86f7bae720102515c1

SHA1
db68f27956d9420acdb0055c40fd36ecc981308a

SHA256
09609c5613e5790e27c9ba8e4b735442c8ab5d0ca5c8770dc1c0268310e9026d

SHA512
8f109576df8453cc4e6fcdff999c9e6d181b28fc8615038184d2ec9fc3d7068047c607118ab3316b9695675d8b9ec95e24b20eb5c958d84ad9bdfc9146a6d9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdfoi.exe
Filesize
332KB

MD5
1c219256e5594c86f7bae720102515c1

SHA1
db68f27956d9420acdb0055c40fd36ecc981308a

SHA256
09609c5613e5790e27c9ba8e4b735442c8ab5d0ca5c8770dc1c0268310e9026d

SHA512
8f109576df8453cc4e6fcdff999c9e6d181b28fc8615038184d2ec9fc3d7068047c607118ab3316b9695675d8b9ec95e24b20eb5c958d84ad9bdfc9146a6d9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgcmj.z
Filesize
7KB

MD5
89766bcb772d2382f358df140e15a9da

SHA1
0ed2da3f38136245140faf2e8aa331f52dee5529

SHA256
c31d282a2aafe9480069f1e89908d40a32cfd0823218905bcf6b5a5444c46223

SHA512
ee755641a357441c7f0a7b03c718020afb48d636642924c9b0d063f5d355da2df37d54fef7dc2f8eda2358b23d5e6cb9ae3cc06a43e847c5119e9cc62a1cc907

Download Submit
\Users\Admin\AppData\Local\Temp\mdfoi.exe
Filesize
332KB

MD5
1c219256e5594c86f7bae720102515c1

SHA1
db68f27956d9420acdb0055c40fd36ecc981308a

SHA256
09609c5613e5790e27c9ba8e4b735442c8ab5d0ca5c8770dc1c0268310e9026d

SHA512
8f109576df8453cc4e6fcdff999c9e6d181b28fc8615038184d2ec9fc3d7068047c607118ab3316b9695675d8b9ec95e24b20eb5c958d84ad9bdfc9146a6d9b2

Download Submit
\Users\Admin\AppData\Local\Temp\mdfoi.exe
Filesize
332KB

MD5
1c219256e5594c86f7bae720102515c1

SHA1
db68f27956d9420acdb0055c40fd36ecc981308a

SHA256
09609c5613e5790e27c9ba8e4b735442c8ab5d0ca5c8770dc1c0268310e9026d

SHA512
8f109576df8453cc4e6fcdff999c9e6d181b28fc8615038184d2ec9fc3d7068047c607118ab3316b9695675d8b9ec95e24b20eb5c958d84ad9bdfc9146a6d9b2

Download Submit
memory/1248-63-0x0000000000401896-mapping.dmp

Download
memory/1248-66-0x0000000000830000-0x0000000000868000-memory.dmp

Filesize
224KB

Download
memory/1248-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1248-68-0x0000000002100000-0x000000000210A000-memory.dmp

Filesize
40KB

Download
memory/1248-69-0x0000000004640000-0x000000000465E000-memory.dmp

Filesize
120KB

Download
memory/1248-70-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/1272-56-0x0000000000000000-mapping.dmp

Download
memory/2028-54-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing