nanocore | 96b0f5deac71ac49ff7c41baf84f279dd918fbf16ed9283f7e9870dd29956085

General

Target

Bank Report.exe
Size

944KB
MD5

b77ff86a8ae8dde9138ddc5f991b67e3
SHA1

d8f69066737b8625a3ff4f7a465b404add960b69
SHA256

96b0f5deac71ac49ff7c41baf84f279dd918fbf16ed9283f7e9870dd29956085
SHA512

1fee324dfbc4db3ee985235a96284ad9edbf5643c46f5affd9434d2080e29cd67f5f5c30bb2088dbc71e64474e8bc91b44133f3219a6f49bffaa4eeec9d49585
SSDEEP

12288:jPprXT9vE50LpDSSVsPwMM2bbouANl8X7BIXVpQWsNTADQjL9QWi8pVrc1NfpHs8:coDx2zMibNsleXzTRjJQJ8phcO

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

kamzy2022.ddns.net:7600

194.55.186.150:7600

Mutex

9cfc376c-59e4-461b-8735-e43978cd6016

Attributes

activate_away_mode
true
backup_connection_host
194.55.186.150
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-09-10T20:51:10.905424736Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
7600
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
9cfc376c-59e4-461b-8735-e43978cd6016
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
kamzy2022.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bank Report.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"	Bank Report.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Bank Report.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Bank Report.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Bank Report.exe

description pid process target process

PID 2044 set thread context of 1396 2044 Bank Report.exe Bank Report.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Bank Report.exe

description	pid	process	target process
PID 2044 set thread context of 1396	2044	Bank Report.exe	Bank Report.exe

Drops file in Program Files directory 2 IoCs

Processes:

Bank Report.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	Bank Report.exe
File created	C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe	Bank Report.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1572 schtasks.exe
780 schtasks.exe

pid	process
1572	schtasks.exe
780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Bank Report.exeBank Report.exe

pid	process
2044	Bank Report.exe
2044	Bank Report.exe
2044	Bank Report.exe
2044	Bank Report.exe
1396	Bank Report.exe
1396	Bank Report.exe
1396	Bank Report.exe
1396	Bank Report.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Bank Report.exe

pid process

1396 Bank Report.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Bank Report.exeBank Report.exe

description pid process

Token: SeDebugPrivilege 2044 Bank Report.exe
Token: SeDebugPrivilege 1396 Bank Report.exe

pid	process
1396	Bank Report.exe

description	pid	process
Token: SeDebugPrivilege	2044	Bank Report.exe
Token: SeDebugPrivilege	1396	Bank Report.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Bank Report.exeBank Report.exe

description	pid	process	target process
PID 2044 wrote to memory of 1360	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1360	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1360	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1360	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1776	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1776	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1776	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1776	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1264	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1264	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1264	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1264	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1404	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1404	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1404	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1404	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 2044 wrote to memory of 1396	2044	Bank Report.exe	Bank Report.exe
PID 1396 wrote to memory of 1572	1396	Bank Report.exe	schtasks.exe
PID 1396 wrote to memory of 1572	1396	Bank Report.exe	schtasks.exe
PID 1396 wrote to memory of 1572	1396	Bank Report.exe	schtasks.exe
PID 1396 wrote to memory of 1572	1396	Bank Report.exe	schtasks.exe
PID 1396 wrote to memory of 780	1396	Bank Report.exe	schtasks.exe
PID 1396 wrote to memory of 780	1396	Bank Report.exe	schtasks.exe
PID 1396 wrote to memory of 780	1396	Bank Report.exe	schtasks.exe
PID 1396 wrote to memory of 780	1396	Bank Report.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
"C:\Users\Admin\AppData\Local\Temp\Bank Report.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
"{path}"
2⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
"{path}"
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
"{path}"
2⤵
PID:1264

C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
"{path}"
2⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\Bank Report.exe
"{path}"
2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp63F2.tmp"
3⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp98C8.tmp"
3⤵
- Creates scheduled task(s)
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp63F2.tmp
Filesize
1KB

MD5
cd04c8570e996d042fd64004c0694074

SHA1
a481173753a6c9e61a3a41d5e05f98e9ea723de4

SHA256
05ed64abfe7ba34e3567a84f99db27e627e12d8b4e98a70c75bffd0d073670ad

SHA512
8d36b4bda117255aa12eab2addd457c401563e46480d11bf574abee351a9e8dfb47cab901cfbbf76fac0dfe1b52ad588d88a0548cdd3efbb8c58428b9f31f2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98C8.tmp
Filesize
1KB

MD5
981e126601526eaa5b0ad45c496c4465

SHA1
d610d6a21a8420cc73fcd3e54ddae75a5897b28b

SHA256
11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527

SHA512
a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Download Submit
memory/780-74-0x0000000000000000-mapping.dmp

Download
memory/1396-63-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-76-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/1396-60-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-77-0x0000000000680000-0x000000000069E000-memory.dmp

Filesize
120KB

Download
memory/1396-90-0x0000000004290000-0x00000000042A4000-memory.dmp

Filesize
80KB

Download
memory/1396-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-66-0x000000000041E792-mapping.dmp

Download
memory/1396-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-89-0x00000000042F0000-0x000000000431E000-memory.dmp

Filesize
184KB

Download
memory/1396-78-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/1396-88-0x0000000004230000-0x000000000423E000-memory.dmp

Filesize
56KB

Download
memory/1396-87-0x0000000004220000-0x0000000004234000-memory.dmp

Filesize
80KB

Download
memory/1396-59-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1396-86-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/1396-85-0x0000000002180000-0x0000000002194000-memory.dmp

Filesize
80KB

Download
memory/1396-79-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/1396-80-0x0000000002010000-0x000000000202A000-memory.dmp

Filesize
104KB

Download
memory/1396-81-0x0000000002030000-0x000000000203E000-memory.dmp

Filesize
56KB

Download
memory/1396-82-0x0000000002040000-0x0000000002052000-memory.dmp

Filesize
72KB

Download
memory/1396-83-0x0000000002060000-0x000000000206C000-memory.dmp

Filesize
48KB

Download
memory/1396-84-0x0000000002070000-0x000000000207E000-memory.dmp

Filesize
56KB

Download
memory/1572-72-0x0000000000000000-mapping.dmp

Download
memory/2044-57-0x0000000005BE0000-0x0000000005C68000-memory.dmp

Filesize
544KB

Download
memory/2044-58-0x0000000004C90000-0x0000000004CCA000-memory.dmp

Filesize
232KB

Download
memory/2044-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2044-54-0x0000000000070000-0x0000000000162000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads