nanocore | e3349de58511c7211afb99fb2a84322b78d6c1cad075655cad938ac3e36b2be4

General

Target

SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
Size

333KB
MD5

f60ddb063158118801e8bc835266ea7e
SHA1

4ccbee5a06c414a0cb8eac6d7122ecfcee1664e8
SHA256

e3349de58511c7211afb99fb2a84322b78d6c1cad075655cad938ac3e36b2be4
SHA512

33e1608f1206b02beb1c26e10ea4464eaf63f5de4e69eecc86bc7f069a9e4e92ad6d4115f5126a0adcbf4e6e9cbf287f69de4c5a7d7f75a5e928d683927b4953
SSDEEP

6144:NBn0TUrq5HDcPhznpItqrsLOXh04vnZWSDHso6Rzodfq6RiSAlfzV:ET2SAPnxrsyXhnZdDHso6podfQBlfR

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

albertsamco76.ddns.net:7480

79.134.225.71:7480

Mutex

595ac7be-87a8-4935-8bed-199af086cae8

Attributes

activate_away_mode
true
backup_connection_host
79.134.225.71
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-07-15T18:29:52.126272236Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
5000
connection_port
7480
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
595ac7be-87a8-4935-8bed-199af086cae8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
albertsamco76.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Executes dropped EXE 2 IoCs

Processes:

hzeuuxn.exehzeuuxn.exe

pid process

4144 hzeuuxn.exe
1996 hzeuuxn.exe

pid	process
4144	hzeuuxn.exe
1996	hzeuuxn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hzeuuxn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe"	hzeuuxn.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

hzeuuxn.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA hzeuuxn.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

hzeuuxn.exe

description pid process target process

PID 4144 set thread context of 1996 4144 hzeuuxn.exe hzeuuxn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hzeuuxn.exe

description	pid	process	target process
PID 4144 set thread context of 1996	4144	hzeuuxn.exe	hzeuuxn.exe

Drops file in Program Files directory 2 IoCs

Processes:

hzeuuxn.exe

description	ioc	process
File created	C:\Program Files (x86)\DDP Host\ddphost.exe	hzeuuxn.exe
File opened for modification	C:\Program Files (x86)\DDP Host\ddphost.exe	hzeuuxn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1436 schtasks.exe
628 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

hzeuuxn.exe

pid process

1996 hzeuuxn.exe
1996 hzeuuxn.exe
1996 hzeuuxn.exe
1996 hzeuuxn.exe
1996 hzeuuxn.exe
1996 hzeuuxn.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

hzeuuxn.exe

pid process

1996 hzeuuxn.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hzeuuxn.exe

pid process

4144 hzeuuxn.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hzeuuxn.exe

description pid process

Token: SeDebugPrivilege 1996 hzeuuxn.exe

pid	process
1436	schtasks.exe
628	schtasks.exe

pid	process
1996	hzeuuxn.exe
1996	hzeuuxn.exe
1996	hzeuuxn.exe
1996	hzeuuxn.exe
1996	hzeuuxn.exe
1996	hzeuuxn.exe

pid	process
1996	hzeuuxn.exe

pid	process
4144	hzeuuxn.exe

description	pid	process
Token: SeDebugPrivilege	1996	hzeuuxn.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exehzeuuxn.exehzeuuxn.exe

description	pid	process	target process
PID 1252 wrote to memory of 4144	1252	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe	hzeuuxn.exe
PID 1252 wrote to memory of 4144	1252	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe	hzeuuxn.exe
PID 1252 wrote to memory of 4144	1252	SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe	hzeuuxn.exe
PID 4144 wrote to memory of 1996	4144	hzeuuxn.exe	hzeuuxn.exe
PID 4144 wrote to memory of 1996	4144	hzeuuxn.exe	hzeuuxn.exe
PID 4144 wrote to memory of 1996	4144	hzeuuxn.exe	hzeuuxn.exe
PID 4144 wrote to memory of 1996	4144	hzeuuxn.exe	hzeuuxn.exe
PID 1996 wrote to memory of 1436	1996	hzeuuxn.exe	schtasks.exe
PID 1996 wrote to memory of 1436	1996	hzeuuxn.exe	schtasks.exe
PID 1996 wrote to memory of 1436	1996	hzeuuxn.exe	schtasks.exe
PID 1996 wrote to memory of 628	1996	hzeuuxn.exe	schtasks.exe
PID 1996 wrote to memory of 628	1996	hzeuuxn.exe	schtasks.exe
PID 1996 wrote to memory of 628	1996	hzeuuxn.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Jaik.107269.14963.14248.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
"C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe" C:\Users\Admin\AppData\Local\Temp\fwbjwtfkqen.uqk
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4144

C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
"C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA993.tmp"
4⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAA6F.tmp"
4⤵
- Creates scheduled task(s)
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fwbjwtfkqen.uqk
Filesize
5KB

MD5
08875b77581bfdffb421974fdcd91db6

SHA1
c511c0e14034f4187395b3d0d5c635c0f4327419

SHA256
2336f9c11b1666a84ee2f441b14d8a3a72280d6e14e097c495fd38bcd84b3b25

SHA512
c4e8e5f8b957787fe9eea80acbbe6b89b2736b7e50d79a3b18b84b6d7dd2a0b921ee21219d30c2e52eb0cb8264accaab35362c5224871ad9873fe00a05d6fcda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzeuuxn.exe
Filesize
13KB

MD5
d8dd6afef3fad2c4601acfe8de308988

SHA1
be3c3f4c82b8e1d9791de91a6afb56b1eb282a3c

SHA256
5076d195545d7e1e2a76322858ff8f2938efd073f85f07cc6fb6d0817fb13a77

SHA512
007e0c731766d6958f90e5f04dfc1492eb787df83e04f8ab233b8e458d4e8d39bea5cbd10ef5baa63dd13b95cb6bb7169d543468abf6b9ef5a781ee5dfc5278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lahlkxvksg.uz
Filesize
281KB

MD5
10ac85c858fdf8eaa7d2b877f7b844db

SHA1
fef49be1242834cc83ceede136b780f45d02e4ba

SHA256
0cbc09c9b12e4508cb043f382392b73d63f39457af21e3232935d01664314977

SHA512
ff94ff8d8abee6751ce79fe9b09e150add3b0761129785812a5b94bb3a1fb114c64385c7f29b48a4dca241fcc71ad555b2b654039ec427c9ddef548f6fc41e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA993.tmp
Filesize
1KB

MD5
3a1a90a554de66ea61438aaeab76cad2

SHA1
2000d734321bbdfd56c13bd4f7dc5017328131b5

SHA256
d2fbdc8ec019bc26c6c70ed6a09cf30a5bca679c492faf727e988cd2c413da8a

SHA512
f25345da6ffe6ff1a0b6981169a3f289cf3f0640c09f429263ac586c5b117316527231510fbbc524b171d05f0ac4471a0c27e9e6e37c2cb5fcaf334232ecaf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA6F.tmp
Filesize
1KB

MD5
2271642ca970891700e3f48439739ed8

SHA1
cd472df2349f7db9e1e460d0ee28acd97b8a8793

SHA256
7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68

SHA512
4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Download Submit
memory/628-146-0x0000000000000000-mapping.dmp

Download
memory/1436-144-0x0000000000000000-mapping.dmp

Download
memory/1996-141-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download
memory/1996-142-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1996-143-0x0000000002E00000-0x0000000002E0A000-memory.dmp

Filesize
40KB

Download
memory/1996-140-0x0000000002D30000-0x0000000002DC2000-memory.dmp

Filesize
584KB

Download
memory/1996-139-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/1996-137-0x0000000000000000-mapping.dmp

Download
memory/4144-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads