nanocore | e3349de58511c7211afb99fb2a84322b78d6c1cad075655cad938ac3e36b2be4

Analysis

max time kernel
154s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
Size

333KB
MD5

f60ddb063158118801e8bc835266ea7e
SHA1

4ccbee5a06c414a0cb8eac6d7122ecfcee1664e8
SHA256

e3349de58511c7211afb99fb2a84322b78d6c1cad075655cad938ac3e36b2be4
SHA512

33e1608f1206b02beb1c26e10ea4464eaf63f5de4e69eecc86bc7f069a9e4e92ad6d4115f5126a0adcbf4e6e9cbf287f69de4c5a7d7f75a5e928d683927b4953
SSDEEP

6144:NBn0TUrq5HDcPhznpItqrsLOXh04vnZWSDHso6Rzodfq6RiSAlfzV:ET2SAPnxrsyXhnZdDHso6podfQBlfR

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

albertsamco76.ddns.net:7480

79.134.225.71:7480

Mutex

595ac7be-87a8-4935-8bed-199af086cae8

Attributes

activate_away_mode
true
backup_connection_host
79.134.225.71
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-15T18:29:52.126272236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
5000
connection_port
7480
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
595ac7be-87a8-4935-8bed-199af086cae8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
albertsamco76.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Executes dropped EXE 2 IoCs

pid	Process
664	hzeuuxn.exe
1364	hzeuuxn.exe

Loads dropped DLL 2 IoCs

pid	Process
1072	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
664	hzeuuxn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	hzeuuxn.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hzeuuxn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 664 set thread context of 1364	664	hzeuuxn.exe	28

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	hzeuuxn.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	hzeuuxn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1192	schtasks.exe
2044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1364	hzeuuxn.exe
1364	hzeuuxn.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	hzeuuxn.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
664	hzeuuxn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	hzeuuxn.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 664	1072	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe	27
PID 1072 wrote to memory of 664	1072	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe	27
PID 1072 wrote to memory of 664	1072	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe	27
PID 1072 wrote to memory of 664	1072	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe	27
PID 664 wrote to memory of 1364	664	hzeuuxn.exe	28
PID 664 wrote to memory of 1364	664	hzeuuxn.exe	28
PID 664 wrote to memory of 1364	664	hzeuuxn.exe	28
PID 664 wrote to memory of 1364	664	hzeuuxn.exe	28
PID 664 wrote to memory of 1364	664	hzeuuxn.exe	28
PID 1364 wrote to memory of 1192	1364	hzeuuxn.exe	29
PID 1364 wrote to memory of 1192	1364	hzeuuxn.exe	29
PID 1364 wrote to memory of 1192	1364	hzeuuxn.exe	29
PID 1364 wrote to memory of 1192	1364	hzeuuxn.exe	29
PID 1364 wrote to memory of 2044	1364	hzeuuxn.exe	31
PID 1364 wrote to memory of 2044	1364	hzeuuxn.exe	31
PID 1364 wrote to memory of 2044	1364	hzeuuxn.exe	31
PID 1364 wrote to memory of 2044	1364	hzeuuxn.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
  "C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe" C:\Users\Admin\AppData\Local\Temp\fwbjwtfkqen.uqk
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
    "C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4AF6.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1192
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4D09.tmp"
      4⤵
      Creates scheduled task(s)
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fwbjwtfkqen.uqk

Filesize
5KB

MD5
08875b77581bfdffb421974fdcd91db6

SHA1
c511c0e14034f4187395b3d0d5c635c0f4327419

SHA256
2336f9c11b1666a84ee2f441b14d8a3a72280d6e14e097c495fd38bcd84b3b25

SHA512
c4e8e5f8b957787fe9eea80acbbe6b89b2736b7e50d79a3b18b84b6d7dd2a0b921ee21219d30c2e52eb0cb8264accaab35362c5224871ad9873fe00a05d6fcda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe

Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe

Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe

Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lahlkxvksg.uz

Filesize
281KB

MD5
10ac85c858fdf8eaa7d2b877f7b844db

SHA1
fef49be1242834cc83ceede136b780f45d02e4ba

SHA256
0cbc09c9b12e4508cb043f382392b73d63f39457af21e3232935d01664314977

SHA512
ff94ff8d8abee6751ce79fe9b09e150add3b0761129785812a5b94bb3a1fb114c64385c7f29b48a4dca241fcc71ad555b2b654039ec427c9ddef548f6fc41e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4AF6.tmp

Filesize
1KB

MD5
3a1a90a554de66ea61438aaeab76cad2

SHA1
2000d734321bbdfd56c13bd4f7dc5017328131b5

SHA256
d2fbdc8ec019bc26c6c70ed6a09cf30a5bca679c492faf727e988cd2c413da8a

SHA512
f25345da6ffe6ff1a0b6981169a3f289cf3f0640c09f429263ac586c5b117316527231510fbbc524b171d05f0ac4471a0c27e9e6e37c2cb5fcaf334232ecaf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D09.tmp

Filesize
1KB

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
\Users\Admin\AppData\Local\Temp\hzeuuxn.exe

Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
\Users\Admin\AppData\Local\Temp\hzeuuxn.exe

Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
memory/664-56-0x0000000000000000-mapping.dmp

Download
memory/1072-54-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1192-66-0x0000000000000000-mapping.dmp

Download
memory/1364-62-0x0000000000401896-mapping.dmp

Download
memory/1364-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1364-65-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/1364-71-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download
memory/1364-72-0x0000000001F20000-0x0000000001F3E000-memory.dmp

Filesize
120KB

Download
memory/1364-73-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2044-69-0x0000000000000000-mapping.dmp

Download