nanocore | 40e577ca71fd8988f110b0ed2246f5925ceec3a9e74b016e4a75c535bd3b6bb8

Analysis

max time kernel
136s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/12/2022, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

img~93873367RMEITTANCE.exe
Size

829KB
MD5

5aa6bc4b571229b3bd29b963b7133f78
SHA1

c913a50765f1d17a6d8dd7bd95d99154ece01ad1
SHA256

40e577ca71fd8988f110b0ed2246f5925ceec3a9e74b016e4a75c535bd3b6bb8
SHA512

94b826a118f22d44871708734e1f2bf7a519c8e39d058e534f650bf0cc6c523217f59c6194ef460014107c49f8c7da011d5f736416399cafaa09044ef3b2128f
SSDEEP

24576:yu1rGaMnFvJBk0SnRQuWwLlW/rCrEk0pIhHb5ulZ:LJ8Fvrk0SnGulpW/455i

Score

10^/10

nanocore keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

2630.hopto.org:2630

91.193.75.133:2630

Mutex

7c547113-53a3-436c-bb1a-b75a32aa99cb

Attributes

activate_away_mode
true
backup_connection_host
91.193.75.133
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2022-09-02T23:01:29.097059336Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2630
default_group
2630
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
7c547113-53a3-436c-bb1a-b75a32aa99cb
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
2630.hopto.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Subsystem = "C:\\Program Files (x86)\\DDP Subsystem\\ddpss.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 1792	1692	img~93873367RMEITTANCE.exe	33

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DDP Subsystem\ddpss.exe	RegSvcs.exe
File opened for modification	C:\Program Files (x86)\DDP Subsystem\ddpss.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1100	schtasks.exe
1416	schtasks.exe
1344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1692	img~93873367RMEITTANCE.exe
1692	img~93873367RMEITTANCE.exe
1692	img~93873367RMEITTANCE.exe
1692	img~93873367RMEITTANCE.exe
1692	img~93873367RMEITTANCE.exe
1692	img~93873367RMEITTANCE.exe
1692	img~93873367RMEITTANCE.exe
1504	powershell.exe
1792	RegSvcs.exe
1792	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1792	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	img~93873367RMEITTANCE.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1792	RegSvcs.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 1504	1692	img~93873367RMEITTANCE.exe	28
PID 1692 wrote to memory of 1504	1692	img~93873367RMEITTANCE.exe	28
PID 1692 wrote to memory of 1504	1692	img~93873367RMEITTANCE.exe	28
PID 1692 wrote to memory of 1504	1692	img~93873367RMEITTANCE.exe	28
PID 1692 wrote to memory of 1100	1692	img~93873367RMEITTANCE.exe	30
PID 1692 wrote to memory of 1100	1692	img~93873367RMEITTANCE.exe	30
PID 1692 wrote to memory of 1100	1692	img~93873367RMEITTANCE.exe	30
PID 1692 wrote to memory of 1100	1692	img~93873367RMEITTANCE.exe	30
PID 1692 wrote to memory of 1268	1692	img~93873367RMEITTANCE.exe	32
PID 1692 wrote to memory of 1268	1692	img~93873367RMEITTANCE.exe	32
PID 1692 wrote to memory of 1268	1692	img~93873367RMEITTANCE.exe	32
PID 1692 wrote to memory of 1268	1692	img~93873367RMEITTANCE.exe	32
PID 1692 wrote to memory of 1268	1692	img~93873367RMEITTANCE.exe	32
PID 1692 wrote to memory of 1268	1692	img~93873367RMEITTANCE.exe	32
PID 1692 wrote to memory of 1268	1692	img~93873367RMEITTANCE.exe	32
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1692 wrote to memory of 1792	1692	img~93873367RMEITTANCE.exe	33
PID 1792 wrote to memory of 1416	1792	RegSvcs.exe	34
PID 1792 wrote to memory of 1416	1792	RegSvcs.exe	34
PID 1792 wrote to memory of 1416	1792	RegSvcs.exe	34
PID 1792 wrote to memory of 1416	1792	RegSvcs.exe	34
PID 1792 wrote to memory of 1344	1792	RegSvcs.exe	36
PID 1792 wrote to memory of 1344	1792	RegSvcs.exe	36
PID 1792 wrote to memory of 1344	1792	RegSvcs.exe	36
PID 1792 wrote to memory of 1344	1792	RegSvcs.exe	36

C:\Users\Admin\AppData\Local\Temp\img~93873367RMEITTANCE.exe
"C:\Users\Admin\AppData\Local\Temp\img~93873367RMEITTANCE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YdwSod.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YdwSod" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC8EB.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1416
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "DDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC988.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC38E.tmp

Filesize
1KB

MD5
39381eb1670942b0d15b595221fcc39e

SHA1
48d56b440821680ad3c64654699d341010c96dc3

SHA256
b4d8d31f558510690059597d0a7fc947bbc4eb8fad3cad9511942a46b346ff6b

SHA512
97a22c2c952befe62d724c6c8cd2baab64adeae878cb8193d090a7671c6d3dc89fd4bfa41383a7c15c38d7189665dfb9513086d4b4defb09bb8272296b153499

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC8EB.tmp

Filesize
1KB

MD5
8cad1b41587ced0f1e74396794f31d58

SHA1
11054bf74fcf5e8e412768035e4dae43aa7b710f

SHA256
3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c

SHA512
99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC988.tmp

Filesize
1KB

MD5
8e2d5fba24ae8a54087d8e6cadc188c1

SHA1
548555025543b4773b8f36301f5fa5003e1c85dc

SHA256
f8a3739cca23897792b42a11a21adcce745201fa19f8d84ec66a6e0c5e519759

SHA512
9246583d7b08152cd73dc40254013e1ae4b8c93603dbb1f4e6b82624e14b134c59de6c8039b588f14075602768a388121e985f886322ae5fb9ec2eee94d4ea3d

Download Submit
memory/1504-84-0x000000006F150000-0x000000006F6FB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-54-0x0000000000170000-0x0000000000246000-memory.dmp

Filesize
856KB

Download
memory/1692-57-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/1692-63-0x0000000005E60000-0x0000000005EB2000-memory.dmp

Filesize
328KB

Download
memory/1692-58-0x0000000007D30000-0x0000000007DBC000-memory.dmp

Filesize
560KB

Download
memory/1692-55-0x00000000763A1000-0x00000000763A3000-memory.dmp

Filesize
8KB

Download
memory/1692-56-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/1792-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-73-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-75-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-70-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-68-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-67-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-81-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1792-82-0x0000000000650000-0x000000000066E000-memory.dmp

Filesize
120KB

Download
memory/1792-83-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download
memory/1792-65-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-85-0x0000000004CF5000-0x0000000004D06000-memory.dmp

Filesize
68KB

Download