nanocore | 62ef85b80d921282ea82b900e2d2663d75e433470a3236146adeddabd3ac6a38

General

Target

18cd96c07ff82aa2d322d0e66426734b.exe
Size

336KB
MD5

18cd96c07ff82aa2d322d0e66426734b
SHA1

83feb91f4a28e5b3c01fa2b86d9cbf9926ad6583
SHA256

62ef85b80d921282ea82b900e2d2663d75e433470a3236146adeddabd3ac6a38
SHA512

e1a8f585e5ebc80d501f614c65e63f1d24829169cc3af6d41fd154ce35b0b7f89c56c3b7cc9d598448b77c7d5465596d76f3a96771fcc284f154a51241dde319
SSDEEP

6144:oECmDimAbetPUu/femoEv7a48wn87QMH3xXjqdzUgSpIFaJ7LqwIrF3:Jivy2MfL8wNM4vaJfqwIJ

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

nasim1.duckdns.org:22102

winter-dew-56140.pktriot.net:22102

Mutex

aaf67717-0374-4dd5-b84e-fb1bb826519c

Attributes

activate_away_mode
true
backup_connection_host
winter-dew-56140.pktriot.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-09-09T21:16:41.136666036Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
22102
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
aaf67717-0374-4dd5-b84e-fb1bb826519c
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
nasim1.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

948 test.exe
Loads dropped DLL 2 IoCs

Processes:

18cd96c07ff82aa2d322d0e66426734b.exe

pid process

1652 18cd96c07ff82aa2d322d0e66426734b.exe
1652 18cd96c07ff82aa2d322d0e66426734b.exe

pid	process
948	test.exe

pid	process
1652	18cd96c07ff82aa2d322d0e66426734b.exe
1652	18cd96c07ff82aa2d322d0e66426734b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

test.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	test.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

test.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA test.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	test.exe

Drops file in Program Files directory 2 IoCs

Processes:

test.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	test.exe
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	test.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

740 schtasks.exe
580 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

test.exe

pid process

948 test.exe
948 test.exe
948 test.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

test.exe

pid process

948 test.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

18cd96c07ff82aa2d322d0e66426734b.exetest.exe

description pid process

Token: SeDebugPrivilege 1652 18cd96c07ff82aa2d322d0e66426734b.exe
Token: SeDebugPrivilege 948 test.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1512 DllHost.exe

pid	process
740	schtasks.exe
580	schtasks.exe

pid	process
948	test.exe
948	test.exe
948	test.exe

pid	process
948	test.exe

description	pid	process
Token: SeDebugPrivilege	1652	18cd96c07ff82aa2d322d0e66426734b.exe
Token: SeDebugPrivilege	948	test.exe

pid	process
1512	DllHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

18cd96c07ff82aa2d322d0e66426734b.exetest.exe

description	pid	process	target process
PID 1652 wrote to memory of 948	1652	18cd96c07ff82aa2d322d0e66426734b.exe	test.exe
PID 1652 wrote to memory of 948	1652	18cd96c07ff82aa2d322d0e66426734b.exe	test.exe
PID 1652 wrote to memory of 948	1652	18cd96c07ff82aa2d322d0e66426734b.exe	test.exe
PID 1652 wrote to memory of 948	1652	18cd96c07ff82aa2d322d0e66426734b.exe	test.exe
PID 948 wrote to memory of 580	948	test.exe	schtasks.exe
PID 948 wrote to memory of 580	948	test.exe	schtasks.exe
PID 948 wrote to memory of 580	948	test.exe	schtasks.exe
PID 948 wrote to memory of 580	948	test.exe	schtasks.exe
PID 948 wrote to memory of 740	948	test.exe	schtasks.exe
PID 948 wrote to memory of 740	948	test.exe	schtasks.exe
PID 948 wrote to memory of 740	948	test.exe	schtasks.exe
PID 948 wrote to memory of 740	948	test.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\18cd96c07ff82aa2d322d0e66426734b.exe
"C:\Users\Admin\AppData\Local\Temp\18cd96c07ff82aa2d322d0e66426734b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7AF.tmp"
3⤵
- Creates scheduled task(s)
PID:580

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3268.tmp"
3⤵
- Creates scheduled task(s)
PID:740

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\salary.png
Filesize
26KB

MD5
b88420e659e03bbc7ded3fa1b242195a

SHA1
67fff491240927e7ee6bde83a7a660b3e666bb5b

SHA256
e6b4706c75cf50021bfa7a9ce3a6945c79e72f06d0b7de4e71299f5d003bad31

SHA512
f9ab477a19787f18e11b67191cb1996a403c7cfe4670cd3f6f7702015c797c123cb79b3736b1b177481de6e8a2019923872a11d055d016701d9b1a4fc4bcf72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
203KB

MD5
5106b627ddc082155764efe6d0b56882

SHA1
b6040cbf5a9751b830322d5972be98c125792e0c

SHA256
c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384

SHA512
e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
203KB

MD5
5106b627ddc082155764efe6d0b56882

SHA1
b6040cbf5a9751b830322d5972be98c125792e0c

SHA256
c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384

SHA512
e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7AF.tmp
Filesize
1KB

MD5
daa959fa3888b5436fb93b6796bc803b

SHA1
43b8b749c623daede8374165806b8354655fa06c

SHA256
da87a4088b0f1dce79ca8128c8275cb6eaf527e571c68a6fb3a0b56576d38344

SHA512
aba76a0d311ad0466c64aac0d8f6ed483d2006dc0f14ac78af6af33b9db920a3735fa9478bb6fc5535f4b5eb9621479ec6f8172e05089c27872016ae08f896f0

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
203KB

MD5
5106b627ddc082155764efe6d0b56882

SHA1
b6040cbf5a9751b830322d5972be98c125792e0c

SHA256
c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384

SHA512
e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
203KB

MD5
5106b627ddc082155764efe6d0b56882

SHA1
b6040cbf5a9751b830322d5972be98c125792e0c

SHA256
c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384

SHA512
e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094

Download Submit
memory/580-64-0x0000000000000000-mapping.dmp

Download
memory/740-67-0x0000000000000000-mapping.dmp

Download
memory/948-58-0x0000000000000000-mapping.dmp

Download
memory/948-65-0x000000006F4B0000-0x000000006FA5B000-memory.dmp

Filesize
5.7MB

Download
memory/948-68-0x000000006F4B0000-0x000000006FA5B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-54-0x0000000000DA0000-0x0000000000DAE000-memory.dmp

Filesize
56KB

Download
memory/1652-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads